A critical vulnerability in the bridge infrastructure of the KelpDAO protocol has led to one of the most significant liquidity shocks in DeFi history. The attacker exploited a flaw to generate 116,500 fake rsETH tokens, representing approximately 18% of the total supply.
These unbacked assets, with a market value of $292 million, were subsequently deposited into the Aave protocol as collateral. This allowed the attacker to gain access to real assets in the form of ETH, wETH, and stablecoins, which were immediately drained from the system.
The simple logic of "fake tokens for real money" triggered an immediate chain reaction. A massive "bank run" ensued as investors scrambled to rescue their funds before the system ran out of available cash.
Major institutional players, including the MEXC exchange and Justin Sun, began pulling their assets in a panic. This led to a liquidity outflow from Aave exceeding $6 billion in a single day.
This rapid withdrawal caused the utilization rate of core pools—ETH, USDT, and USDC—to spike to a critical 100%. At that point, the system effectively locked up, and regular users lost the ability to withdraw their deposits.
In an attempt to access at least a portion of their assets, users flocked to a costly emergency workaround. They began borrowing their own money against their frozen deposits just to gain some form of liquid cash.
This phenomenon resulted in an anomalous $300 million spike in loan volume. Analysts point out that this was not a sign of healthy credit demand, but a clear indicator of a crisis where users are essentially paying interest to access their own savings.
Due to Loan-to-Value (LTV) limits set at approximately 75%, users were only able to borrow a portion of their asset value. In this desperate flight for liquidity, they had to accept immediate losses ranging from 10% to 25%.
The systemic paralysis gradually spread to other markets. Liquidity dried up in pools for stablecoins such as DAI, GHO, and USDe, which became entirely unavailable across various DeFi markets.
Although Aave’s smart contracts were not directly compromised, the secondary effects of the KelpDAO attack were devastating. Aave responded by immediately freezing rsETH markets on versions V3 and V4 to prevent further exploitation of the system.
The entire incident remains a memento of the risks associated with DeFi protocol interdependency. A failure in one link can paralyze an entire ecosystem within hours, forcing users to pay an extremely high price to rescue their own capital.
Source: