The post Aave Hit With $5.4 Billion in ETH Withdrawals After Kelp DAO rsETH Exploit appeared first on Coinpedia Fintech News
A nearly $300 million exploit targeting Kelp DAO’s rsETH cross-chain bridge has triggered a mass withdrawal event at Aave, with over $5.4 billion in ETH leaving the protocol as users rushed to pull funds following concerns about bad debt accumulating on the platform.
The attacker deposited rsETH into Aave to drain ETH, leaving the protocol holding exposure it cannot easily unwind. The consequence was immediate. Aave’s ETH utilization rate climbed to 100%, meaning every available ETH in the lending pool is now borrowed and the protocol has no liquidity buffer remaining.
The Whale Exodus
The scale of the withdrawal was driven by large holders acting quickly. Justin Sun alone removed 65,584 ETH worth approximately $154 million from Aave in a single move, a transaction that on its own would have been headline news on any other day.
According to on-chain tracking by Lookonchain, the broader exodus of $5.4 billion reflects a wider panic among sophisticated users who understood what bad debt at Aave means for depositors unable to withdraw at will.
What Actually Happened
Kelp DAO paused rsETH contracts across mainnet and multiple Layer 2 networks shortly after identifying suspicious cross-chain activity. The team said it was working with LayerZero, Unichain, auditors and security experts to determine the root cause.
On-chain analysis from D2 Finance pointed to a private key leak on the source chain as the root cause, creating a trust issue with OApp nodes that allowed the attacker to manipulate the bridge.
A further nuance was added by investigators following the forensics. Two possible failure paths exist. If a legitimate source transaction exists for the relevant nonce, the compromise originated from the source-side OApp key. If no source transaction surfaces, the failure is on the DVN side, compounded by Kelp’s configuration of a single point of failure using LayerZero Labs as the sole verifier.
What Comes Next
Kelp DAO’s contracts remain paused while the investigation continues. Aave’s ETH utilization at 100% creates a situation where depositors cannot withdraw until borrowed ETH is repaid or new liquidity enters the pool.
The bad debt question is the more pressing concern. If the exploited rsETH positions cannot be recovered, Aave will need to determine how losses are distributed across the protocol, a process that has historically been contentious and slow.
Full forensics and an attacker cluster map are still being compiled. Official updates are expected through Kelp DAO’s verified channels as the investigation progresses.
