•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Less than a day after attackers drained $291 million in crypto from infrastructure linked to decentralized finance project Kelp DAO, users on Aave, one of DeFi’s most established lending protocols, struggled to withdraw funds amid a liquidity crunch.
A bridge that typically allows users to move rsETH, a token associated with Kelp DAO, from one network to another was exploited on Saturday. In response, Aave froze markets tied to the token after attackers used rsETH-linked activity to borrow funds from the platform, according to the lending protocol’s post on X.
At the same time, Kelp DAO said it had paused rsETH contracts across Ethereum’s mainnet and several layer-2 networks while it investigates suspicious activity.
Blockchain security firm PeckShield flagged a transaction about an hour before Aave locked down the markets, showing 116,500 rsETH flowing to a fresh wallet. At the time, the rsETH was valued at $291 million.
Aave’s data showed the utilization rate of a core lending pool spiked to 100% after the exploit. The surge left users who had previously deposited Ethereum and wrapped Ethereum with little to no liquidity available for withdrawals.
As withdrawals became difficult, some users began borrowing against their deposits in stablecoins, further straining liquidity. A post by monetsupply.eth described this as “negative secondary effects.”
According to Francesco Andreoli, head of developer relations at Consensys and MetaMask, the attackers did not abscond with rsETH that had been maliciously released from the bridge. Instead, he said they used Aave to borrow regular funds, creating “massive bad debt.”
Aave’s governance token fell to $90.13 on Sunday, a 16% decline over the prior day, according to CoinGecko. Over the same period, Ethereum fell 2% to $2,300.
Even protocols not directly affected by the Kelp DAO incident saw a wave of withdrawals, according to 0xngmi, the pseudonymous co-founder of data provider DefiLlama. On a net basis, users withdrew $6.2 billion from Aave alone by early Sunday, the post said.
“The Aave situation is bad and getting worse. Multiple other pools are hitting 100% utilization, leaving lenders stuck and the protocol at risk of further bad debt. Lending rates have increased to 10-15%, a notable increase but still not an appropriate reward for the perceived risks.”
As the situation spread, Plume general counsel Salman Banei said the latest DeFi exploit provides “a lot of ammo” for critics who question systems designed to replace traditional financial intermediaries with code.
Kelp DAO issues rsETH, a liquid staking token that allows users to earn Ethereum staking and EigenLayer restaking rewards. It functions as a tradeable “receipt” for Kelp DAO depositors. The Kelp DAO bridge was built on infrastructure designed by LayerZero, which enables DeFi applications to send messages and transfer assets across blockchains.
Blockchain researcher Stacy Muur said the exploit appeared to rely on a single point of failure. She wrote that a “phantom” message used by attackers tricked Kelp DAO’s bridge into releasing rsETH on Ethereum without removing a corresponding amount of tokens from circulation on Ethereum layer-2 Unichain.
Some observers looked for a path forward, including crypto entrepreneur and Tron founder Justin Sun. He attempted to negotiate, arguing that attackers would struggle to spend the stolen funds.
In an X post, Sun asked, “How much [do] you want?” and added: “It’s simply not worth it to sacrifice both Aave and Kelp DAO and let them go down over this hack.”
Premium gym chains are entering a “golden era” that is ending or already in decline, as rising operating costs collide with shifting consumer preferences toward more flexible, community-based ways to exercise. Long-term memberships are shrinking, margins are pressured by higher rents and facility expenses, and competition from smaller, more personalized…
