One of the largest decentralized lending protocols, Aave, has been gripped by panic as users find themselves unable to withdraw billions of dollars in crypto assets after liquidity in all major lending pools was exhausted. The crisis follows a recent exploit of the Kelp DAO rsETH bridge.
How the crisis began
The situation unfolded on April 18, when attackers exploited the Kelp DAO’s rsETH bridge by generating fraudulent cross-chain messages, allowing them to mint unsecured rsETH tokens. These tokens were then used as collateral on Aave to borrow approximately $200 million worth of WETH. This maneuver netted the attackers an advantage estimated at $292 million on-chain. As word of the incident spread rapidly among DeFi users, a classic “bank run” scenario ensued, resulting in $6.6 billion of crypto assets being withdrawn from Aave within a short period.
The near-total depletion of protocol liquidity led to substantial amounts of crypto assets becoming immobile. Notably, pools for leading stablecoins—USDT and USDC—saw around $5 billion frozen, making withdrawals by users impossible for these assets.
What does “100% utilization” mean?
DeFi analyst Warhol described such a crisis as extremely rare for Aave. Reaching 100% utilization across all markets effectively halts the protocol, as no liquidity remains for further operations. Without fresh liquidity, the protocol cannot function, and currently, this is unachievable. Warhol especially highlighted the $3 billion USDT and $2 billion USDC now trapped in the system with no “clean exit path” for users.
The analyst warned that any price volatility would worsen the situation, since there is no mechanism to absorb bad debt. Furthermore, with liquidations currently impossible, the protocol has become more vulnerable, increasing the risk of further losses.
Natalie Newson, a senior blockchain security researcher at CertiK, emphasized the escalating risks. She pointed out that internal defense mechanisms have been sidelined, meaning unsecured positions cannot be closed without sufficient liquidity, causing bad debt to accumulate rapidly.
Newson added that this was not the result of a direct cyberattack on Aave, but rather a cascading effect from an exploit in a bridge protocol. She noted the incident demonstrates how a vulnerability in one part of the decentralized finance sector can quickly impact the entire ecosystem.
Community and founder responses
Aave’s founder, Stani Kulechov, told CoinDesk that he currently has no concrete comments to share. Back in 2020, then-risk manager Alex Bertomeu-Gilles had foreseen a scenario where, in the case of 100% utilization, depositors would be unable to withdraw funds, and Aave had prepared relevant risk management frameworks.
Analyst Duo Nine was among the first to identify the problem in the system. It is noted that the crisis was triggered by massive withdrawals from major players, including Justin Sun and the crypto exchange MEXC. Withdrawals were first halted in the ETH market, followed by freezes in USDT and USDC pools. Within hours, a total of $6 billion worth of assets was extracted from the protocol.
Analyses indicate that most of the capital movements in the protocol were driven by large investors, which left retail participants particularly disadvantaged during the liquidity crunch.
The episode has highlighted that, despite high efficiency in DeFi, dependencies between different protocols can introduce systemic risk. Experts point out that when a key platform like Aave faces strain, it can have a domino effect across the entire chain.
