On April 19th, a hacker drained $292 million from Kelp DAO by tricking a cross-chain bridge into accepting a fraudulent instruction. Within hours, the stolen tokens — rsETH, a liquid restaking asset — were deposited into Aave as collateral for real loans. Depositors recognised the problem and started pulling funds. The Aave exploit that followed drained $8.45 billion in 48 hours. Total DeFi TVL fell $13.21 billion in two days. @CryptoVantaa summarised the mood on X the following morning:
“DeFi is dead: don't bother with it, don't deposit anywhere, 'just use Aave' is dead, off-ramp and at best park with ibkr or coinbase.”
Stani Kulechov, Aave’s founder, posted: “Aave is my life’s work. I’m working to see this resolved and market conditions normalised as soon as possible.”
I’ve been structuring deals in digital assets since 2016. When something goes wrong in this market — and it does, repeatedly — the question that determines outcomes is always the same: what did the document say before this happened?
The Kelp exploit was not a smart contract bug. Neither was the $285 million drained from Drift Protocol on April 1st. That attack — attributed to North Korea’s Lazarus Group by Elliptic, TRM Labs, and LayerZero — involved three weeks of social engineering to compromise Drift’s Security Council signers, followed by a 12-minute drain using pre-signed transactions the attackers had quietly staged in advance. No code was broken. The people running the protocol were. Together, Drift and Kelp account for $578 million of April’s $606 million total. Lazarus drained more from DeFi in 18 days than the entire sector lost in the preceding three months combined.
Both events triggered the same response: human teams making discretionary calls at speed. Aave froze its rsETH markets. Arbitrum’s Security Council froze over $70 million in stolen ether. Aave, Lido, and EtherFi then assembled “DeFi United,” a $160 million coordinated bailout to recapitalise rsETH. The tools were governance forums, emergency multisigs, and founder appeals on X — not the protocol mechanics that users had been told would handle exactly this kind of situation.
On-chain data confirms the withdrawal. According to Dune Analytics, Aave’s unique borrowers fell 31% in April compared to March — from 37,000 to 25,000 — while borrow volume dropped 28%, from $13.2 billion to $9.5 billion. Across all DeFi lending, unique borrowers fell 35%. As one widely circulated post described it in real time: “ETH depositors cannot withdraw the ETH so they are borrowing stables to ‘withdraw’ funds… This is a full on run on AAVE.”
One protocol held. Spark, MakerDAO’s lending arm, saw borrow volume nearly triple in April — from $1.1 billion to $2.8 billion. Spark had delisted rsETH in January. When Aave’s ETH withdrawal queues backed up, Spark’s remained clear. The rotation was immediate and visible on-chain: $1 billion in TVL moved over a single weekend.
Dune Analytics · On-chain data through April 27, 2026
The April exodus: DeFi lending by the numbers
Aave borrowers
−31%
37k → 25k (Mar–Apr)
Aave borrow vol.
−28%
$13.2B → $9.5B
All DeFi borrowers
−35%
64k → 41k (Mar–Apr)
Spark borrow vol.
+163%
$1.1B → $2.8B
Monthly borrow volume — USD billions
Unique borrowers — thousands
* April covers transactions through April 27, 2026
The rsETH position that caused the damage had been building for weeks. By mid-April, Aave held nearly 580,000 rsETH tokens — roughly $1.3 billion — accumulated by users running looping strategies: deposit rsETH, borrow ETH, swap for more rsETH, repeat. The same pile of assets counted multiple times in the TVL figure, inflating on the way up and unwinding in hours. As of early April, Aave was paying 2.61% APY on USDC deposits. Interactive Brokers was paying 3.14% on idle cash. Users running leveraged restaking loops on Aave were earning more than 2.61%, but the yield came from the leverage — and the leverage sat on top of a bridge with a single-verifier configuration that LayerZero had previously flagged as inadequate.
The structure I work with closes differently. At signing, the agreement names the collateral, the market value at closing, the loan amount, the margin call threshold, and the enforcement sequence. Every one of those parameters is fixed — they don’t change if a bridge gets compromised, if a governance vote fails, or if a founder needs to post reassurances overnight. If collateral value falls to the margin call level, both parties already know what happens next because they agreed to it before the loan funded.
US-listed spot Bitcoin ETFs recorded nine consecutive days of net inflows totaling $2.1 billion since mid-April. BlackRock’s IBIT took $1.6 billion of that. Each of those dollars went into a structure with a prospectus, a custodian, a daily NAV calculation, and SEC-filed redemption mechanics. The documentation preceded the capital, not the crisis.
The capital that left following the Aave exploit is looking for somewhere to go. Some will return to DeFi when configurations are hardened and collateral frameworks are tightened. The portion that won’t is the portion that spent April asking what, exactly, it had been trusting — and found that the answer was a set of assumptions that held… until a single RPC node was poisoned in the right sequence.
Audrey R.
- Audrey R. leads institutional origination at Obsidian, which structures bilateral digital asset lending through JTSA.
- On-chain data from Dune Analytics, queried April 27, 2026.
- ETF flow data via SoSoValue.
- Yield data via DefiLlama and Interactive Brokers published rates, early April 2026.