The aftershocks of Saturday’s KelpDAO hack are spreading through the stablecoin market, and in ways that aren’t obvious.
In the first 24 hours after the attack, Aave users borrowed approximately $300 million from their stablecoin Tether deposits According to Chaos Labs, on the platform.
The surge in borrowing is not a sign of demand; This is a sign that the user cannot withdraw. With stablecoin pools depleted, depositors can only obtain liquidity by taking out loans at a loss, using their own funds as collateral.
Think of it this way: imagine a bank refusing to process a customer’s fiat deposit withdrawal request. So, out of desperation, customers use these savings to apply for loans. This kind of credit creation is not healthy, but a desperate move for liquidity.
“We are now seeing some negative secondary effects from illiquidity in the Aave stablecoin market,” said monetsupply.eth, pseudonymous head of strategy at rival DeFi lending platform Spark. “USDT-collateralized borrowing has increased by approximately $300 million in the past day alone since the rsETH breach occurred as users were unable to withdraw due to 100% utilization.”
To understand how a single vulnerability on KelpDAO ended up locking down every stablecoin outlet on Aave simultaneously, you need to understand how the system is supposed to work — and where exactly it breaks.
What Aave is and how it works
Aave is a decentralized finance (DeFi) protocol that enables users to lend and borrow cryptocurrencies without intermediaries. Think of it like a bank, except it runs entirely on code on a public blockchain, with no human gatekeepers.
Users deposit assets into the lending pool and earn interest. Others borrow from the same pool by posting crypto assets as collateral, which exceeds the loan amount. The system is designed to self-correct automatically through interest rates. When many people want to borrow, interest rates rise, making borrowing more expensive and encouraging lenders to deposit more. When demand falls, interest rates fall.
The entire system operates on a core assumption: There is always enough liquidity—enough assets in the pool—to allow lenders to withdraw deposits when needed, and for borrowers to close out positions when needed.
When this assumption fails, everything else falls apart. This is what happened after the KelpDAO exploit.
rsETH and KelpDAO vulnerabilities
rsETH is a liquid re-pledged Ethereum currency issued by KelpDAO.
When you stake ether (ETH), you lock it up to help secure the Ethereum network in exchange for yield, similar to earning interest on a bond. Some protocols issue Liquid Staked Tokens (LST) that stake ETH on your behalf.
Re-staking goes a step further, repurposing those already staked assets to secure additional systems, effectively stacking benefits. In return, you receive receipt tokens representing your positions. rsETH is one such receipt token that has been widely used as collateral in the DeFi world.
On April 18, attackers manipulated KelpDAO’s bridging infrastructure to release 116,500 rsETH—approximately 18% of the token’s circulating supply and worth approximately $292 million. These fake, unsecured tokens are immediately deposited into lending protocols (mainly Aave) to borrow real ETH and other assets such as Wrapped Ethereum (wETH) against which they are collateral. Counterfeit money comes in, real money goes out.
“That [borrowed] Wes is gone. Regardless of the value of the unbacked claim, the rsETH taking a seat in the vault is worth it – close to zero on the L2 side, with over 20 chains holding bridged rsETH backed by now-empty mainnet lockboxes,” said 0xyanshu, a pseudonymous cryptocurrency operator known for solving on-chain finance and risk issues.
Aave froze the rsETH market on V3 and V4 within hours, and founder Stani Kulechov confirmed that the vulnerability was an external vulnerability and that Aave’s contracts were not compromised. That freezing stopped the bleeding. But it also triggered a chain reaction that led to a $300 million surge in borrowing.
How a $300 million loan came about in one day
When news of the exploit broke, whales and large funds withdrew billions of dollars worth of cryptocurrency from Aave’s liquidity pools within hours. Since they acted first and in large numbers, their withdrawals depleted the liquidity pool.
“When the rsETH vulnerability occurred and AAVE generated bad debts, whales such as Justin Sun and MEXC exchange immediately withdrew billions of dollars from AAVE,” analyst Duo Nine said in an explanation. “Initially, the ETH market utilization reached 100%, which meant that you could not withdraw ETH from AAVE.”
This quickly spread to USDT and USDC mining pools, driving their utilization to 100%, with over $6 billion in assets leaving the protocol within hours. Each lending pool holds a fixed amount of assets deposited by users. When every dollar of these assets has been loaned out, there is nothing left to withdraw.
“This is because AAVE has lost over $6 billion in liquidity in the past 24 hours,” Errenjiu wrote. “USDT and USDC have reached 100% utilization as whales take their money out. These markets are also now locked in funds.”
That was the beginning of a $300 million surge in secondary borrowing.
Trapped USDT and USDC depositors are unable to simply withdraw their funds and are left looking for the only exit. They first draw loans from locked deposits.
“Some users decided to borrow in USDT/USDC and exit through other markets with losses of 10-25%,” Errenjiu explained. “Basically, you are borrowing GHO/DAI/USDe with locked USDT/C.” This is not a trading strategy.
This is a desperate move where they borrow money at a loss against their own money, accepting 75 cents on the dollar just to extract any liquidity from the system. Aave allows users to borrow up to 75% of the total loan value (LTV) of their deposited collateral, depending on the asset and its risk parameters.
“Users with USDT deposits can withdraw up to 3/4 of the value of their Aave positions at a maximum LTV of 75%. But this will ultimately reduce liquidity in other markets, and the USDC and USDe markets are also currently at 100% utilization,” said monetsupply.eth, head of pseudonym strategy at rival Spark.
For anyone looking at DeFi from the outside, the message is clear: “decentralized” does not mean “risk-free.”
