How a $300m hack unleashed a $9b drain from world's top crypto lender

Stolen tokens sparked a run on Aave, shaking trust in crypto markets


Dubai: A nearly $300 million hack targeting a little-known crypto project has cascaded into a broader crisis of confidence across digital-asset markets, triggering billions of dollars in withdrawals from one of the sector’s largest lending platforms and prompting an industry-backed rescue effort.


The exploit, which targeted infrastructure linked to Kelp DAO, resulted in the theft of a derivative form of Ether known as rsETH. The attack focused on a cross-chain bridge developed by LayerZero. Bridges are a type of software widely viewed as one of the most vulnerable components in the crypto ecosystem.

Security researchers including PeckShield and Cyvers said the scale and sophistication of the exploit suggest the involvement of North Korea-linked hacking groups. The attackers were able to generate approximately 116,500 rsETH tokens that were not backed by underlying assets, undermining confidence in their value.

Collateral shock spreads

What followed diverged from the typical pattern seen in past crypto breaches. Instead of rapidly laundering or liquidating the stolen funds, the attackers deployed a large portion of the tokens within decentralized lending markets. According to PeckShield, roughly $200 million worth of rsETH was deposited onto Aave and used as collateral to borrow other cryptocurrencies, with total borrowing estimated at about $236 million.

That decision triggered widespread concern among Aave users over the quality of the collateral supporting those loans. Uncertainty over whether rsETH remained fully backed — or had effectively been created without real assets — raised questions about who would ultimately bear losses.

The reaction was immediate. Data from DefiLlama shows Aave recorded roughly $9 billion in net outflows in the days following the hack, with total value locked on the platform dropping by more than a third to around $17.5 billion. By some estimates, total withdrawals approached $10 billion as users rushed to exit positions.

Run on liquidity

Market participants described the episode as the decentralized-finance equivalent of a bank run. Pratik Kala, a portfolio manager at Apollo Crypto, said users prioritized withdrawing funds over assessing risks as uncertainty spread. “Depositors are running because Aave is carrying a hole it did not create,” Kala said. “Withdraw first, ask questions later is the golden rule.”

Aave said in a post on X that its analysis showed rsETH circulating on the Ethereum blockchain remained fully backed, while confirming that markets for the token had been frozen as a precaution. The platform did not immediately respond to further requests for comment.

Even as withdrawals accelerated, efforts began to stabilize the system. According to blockchain analytics firm Arkham, Aave and several major crypto firms coordinated a recovery initiative that has raised nearly $160 million to cover bad debt linked to the incident.

Rescue effort builds

The funding effort, which has not been formally announced, is aimed at restoring liquidity for the rsETH token and addressing losses tied to compromised collateral. Data from Arkham indicates that a significant portion of the funds — about 55,000 ETH, valued at roughly $127 million — came from the Aave and Mantle communities.

Stani Kulechov, founder of Aave, also contributed directly to the effort, pledging 5,000 ETH, worth approximately $11.7 million at current prices. His involvement underscores the level of internal support for stabilizing the protocol and containing broader fallout.

The central aim of the recovery plan is to eliminate the protocol’s damaged debt and rebuild confidence among users. By replenishing liquidity tied to rsETH, participants hope to ease market panic and prevent further contagion across interconnected platforms.

Risks laid bare

The episode has renewed scrutiny on structural vulnerabilities within decentralized finance, particularly in relation to cross-chain bridges. These systems, which facilitate asset transfers between blockchains, have repeatedly been targeted by attackers due to their complexity and the concentration of funds they handle.

The latest incident adds to a series of major exploits this year. In March, Drift Protocol suffered losses of roughly $270 million after an attacker exploited a feature known as “durable nonces,” highlighting risks that extend beyond conventional software bugs.

Together, the incidents point to persistent weaknesses in DeFi infrastructure and the potential for isolated breaches to trigger system-wide stress. In this case, the use of compromised tokens as collateral amplified the impact, turning a contained exploit into a broader liquidity crisis.

Justin is a personal finance author and seasoned business journalist with over a decade of experience. He makes it his mission to break down complex financial topics and make them clear, relatable, and relevant—helping everyday readers navigate today’s economy with confidence. Before returning to his Middle Eastern roots, where he was born and raised, Justin worked as a Business Correspondent at Reuters, reporting on equities and economic trends across both the Middle East and Asia-Pacific regions.
