The Aave Shituation
What a $292M Hack Reveals About Who DeFi Really Protects
Another week, another hack. This week the largest DeFi hack of 2026 didn’t just drain a protocol, it drained the remaining confidence and hope of anyone who believed the system had been built to make a difference for the many, not the few, as usual.
A Protocol Already Under Strain
The hack did not happen to a healthy, unified protocol. It happened to one that had spent the previous six months quietly losing the people responsible for keeping it safe.
So let’s go through a bit of the background of what has been happening over at Aave in the last 6 months.
In December 2025, Ernesto Boado, co-founder of BGD Labs, the team that had spent four years building most of the protocol’s technical infrastructure, wrote a proposal asking that Aave’s brand assets, the domain, the social media accounts, the naming rights, be formally transferred from Aave Labs to the DAO itself.
The reasoning was simple: if Aave claims to be decentralised, the community should actually own the brand.
What happened next was pretty dodgy behaviour: Aave Labs submitted the proposal to a formal vote on December 22nd without telling the author, Boado. He found out publicly and called it “disgraceful,” as he had wanted the topic to be openly discussed, questions answered and the community able to make an informed decision for or against. Since this important step had been skipped, he urged the community to abstain rather than legitimise a vote he had never approved. The vote concluded on Christmas Day, which was seen as highly symbolic: it meant that the very people who make up the organisation were expected to focus on Aave instead of family and friends over the Christmas break.
The proposal failed, technically, but the damage was already done.
Critics, including Marc Zeller, founder of the Aave Chan Initiative (ACI), a governance facilitation and lobbying organisation within the Aave ecosystem and one of the DAO’s most prominent delegates, described Aave Labs’ move as a “hostile takeover attempt.”
The irony is worth sitting with: a proposal designed to give more power to the community had been weaponised by the founding company to do the opposite, by forcing it to a vote at a moment when participation would naturally be lowest. Record numbers turned out anyway, mostly to abstain in protest, which said everything about where trust in Aave Labs stood by the time the calendar hit January.
BGD Labs announced in February that they would not renew their contract. The Aave Chan Initiative followed suit, and then on April 6th, just twelve days before the hack, Chaos Labs, the risk management firm that had overseen Aave’s growth from $5 billion to $26 billion in deposits with zero material bad debt, announced it was leaving too.
Founder Omer Goldberg said the economics didn’t work, the complexity of managing both V3 and V4 simultaneously was underestimated, and most importantly, there was a fundamental disagreement with Aave Labs on how risk should actually be prioritised. He was the last remaining technical contributor from the team that had built and run V3 through three years of live markets.
When he left, that institutional knowledge left with him.
Just 12 days later, the hack happened.
The risk management team that had approved rsETH’s high-leverage e-mode parameters in January was not Chaos Labs. It was LlamaRisk, the firm that stepped in after the departures began.
Fingers cannot be pointed solely at LlamaRisk, who worked within the same template-based risk framework the whole industry uses, and whose collateral review did not cover bridge configuration. But perhaps the institutional knowledge that had already walked out of the door might have asked the harder questions.
What The Hack Actually Happened
To understand why this week hurt so much, we need to go back a couple of steps and understand what the products are here.
KelpDAO was (is) a liquid restaking protocol that lets you deposit crypto and earn staking rewards.
Aave is a decentralised lending protocol, where you can deposit crypto and borrow other crypto, using what you deposited as collateral.
So let’s look at what restaking is and why it exists.
When you stake ETH, you lock it up to help secure the Ethereum network and earn a yield in return. The problem is that locked ETH is, by definition, not doing anything else. Liquid restaking protocols like KelpDAO solved this by issuing a receipt token, rsETH, that represents your staked position and can be used elsewhere, including as collateral on lending platforms like Aave. The pitch is simple: your ETH works twice, once earning staking rewards and again because you can still deploy the receipt token as capital.
On April 18th, an attacker found a way to skip the first part entirely.
Using KelpDAO’s cross-chain bridge infrastructure, which relied on LayerZero’s messaging protocol to move rsETH between networks, the attacker forged a message that told the bridge a valid transfer of collateral had taken place when it hadn’t.
The bridge believed it and released 116,500 rsETH, worth roughly $292 million, to an attacker-controlled address. But no ETH was ever staked and these tokens were, in the most literal sense, printed from nothing.
The bridge was configured with what’s called a 1-of-1 DVN (Decentralised Verifier Network) setup, where the system checks whether a cross-chain message is legitimate before acting on it.
In a 1-of-1 configuration, only a single verifier needs to sign off, so there is no second opinion, no double checks, no backstop.
When the Lazarus Group, the North Korean state-backed hacking collective believed to be responsible, gained access to the node running that single verifier, they had everything they needed.
One compromised node. One forged signature. $292 million. Poof… gone!
LayerZero’s own documentation had flagged that 1-of-1 configurations were NOT recommended; however, their own quick start guide and default GitHub configuration pointed to exactly that setup.
With around 40% of protocols using LayerZero running the same configuration, this is a detail that matters a fuck of a lot and shouldn’t just be glossed over.
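To make the 1-of-1 point concrete, here is an added example (not LayerZero, KelpDAO or Aave code) that models a verifier quorum check the way a config reviewer would reason about it. The field names `required_dvns`, `optional_dvns` and `optional_dvn_threshold` are assumptions that mirror the general shape of a verifier-network security stack; the verifier names and attestations are constructed. The point it shows: a message carrying a single attestation from the one configured verifier is accepted by the 1-of-1 stack and rejected by a stack that demands several independent verifiers, and `min_verifiers_to_forge` is the number a reviewer should be asking about before an asset that depends on the bridge is onboarded as collateral.

```python
"""Quorum check for a cross-chain message security stack.

Added example: this is not LayerZero, KelpDAO or Aave code. The field names
(required_dvns, optional_dvns, optional_dvn_threshold) are assumptions that
mirror the general shape of a verifier-network config; every verifier name and
attestation below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Set


@dataclass(frozen=True)
class SecurityStack:
    """Which Decentralised Verifier Networks (DVNs) must attest to a message."""
    required_dvns: FrozenSet[str]            # every one of these must sign
    optional_dvns: FrozenSet[str] = frozenset()
    optional_dvn_threshold: int = 0          # how many optional DVNs must also sign

    def __post_init__(self):
        if self.optional_dvn_threshold > len(self.optional_dvns):
            raise ValueError("threshold exceeds number of optional DVNs")
        if self.required_dvns & self.optional_dvns:
            raise ValueError("a DVN cannot be both required and optional")
        if not self.required_dvns and self.optional_dvn_threshold == 0:
            raise ValueError("config would accept unverified messages")


def verify(stack: SecurityStack, attestations: Set[str]) -> bool:
    """Return True only if the attesting DVNs satisfy the stack's quorum."""
    if not stack.required_dvns <= attestations:
        return False
    return len(stack.optional_dvns & attestations) >= stack.optional_dvn_threshold


def min_verifiers_to_forge(stack: SecurityStack) -> int:
    """Smallest number of distinct verifiers whose compromise lets a message
    through with no honest attestation: every required DVN plus enough
    optional DVNs to reach the threshold."""
    return len(stack.required_dvns) + stack.optional_dvn_threshold


def review(stack: SecurityStack) -> str:
    """The one-line finding a config reviewer would raise."""
    n = min_verifiers_to_forge(stack)
    if n == 1:
        return "CRITICAL: a single verifier can authorise any message (1-of-1)"
    return f"OK: at least {n} independent verifiers must be compromised"


# The setup described in the article: one required DVN and nothing else.
weak_1_of_1 = SecurityStack(required_dvns=frozenset({"dvn-alpha"}))

# A hardened stack (constructed): two required DVNs plus 1-of-2 optional DVNs.
hardened = SecurityStack(
    required_dvns=frozenset({"dvn-alpha", "dvn-beta"}),
    optional_dvns=frozenset({"dvn-gamma", "dvn-delta"}),
    optional_dvn_threshold=1,
)

if __name__ == "__main__":
    # Only "dvn-alpha" attests, i.e. no other verifier ever saw the message.
    lone_attestation = {"dvn-alpha"}
    print("1-of-1 accepts lone attestation:", verify(weak_1_of_1, lone_attestation))
    print("hardened accepts lone attestation:", verify(hardened, lone_attestation))
    print("hardened with full quorum:",
          verify(hardened, {"dvn-alpha", "dvn-beta", "dvn-gamma"}))
    print(review(weak_1_of_1))
    print(review(hardened))
```

The `__post_init__` checks are the kind of lint a collateral-onboarding review could run over a bridge's configuration: they reject stacks that accept unverified messages, and `review` turns the quorum arithmetic into a finding that a governance forum can read without knowing the bridge internals.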
The Aave Shituation.
The Safety Net was Holier than a Fishing Net
The attacker’s next move was stunning in its simplicity.
They took their freshly minted rsETH and deposited it into Aave, DeFi’s largest lending protocol, as collateral. Then they borrowed REAL ETH against it, and because Aave had enabled rsETH in what’s called e-mode (as mentioned in the first section of this article), the attacker could borrow up to 93% of the face value of their deposited tokens. Normally only 85% can be borrowed, but when we are talking these numbers, do tens of millions really matter…
So, real ETH, borrowed against worthless tokens backed by nothing.
As soon as the exploit was picked up, Aave froze rsETH markets on both V3 and V4, and founder Stani Kulechov (net worth approx. 500 million) confirmed that Aave’s own smart contracts had not been compromised.
While this is technically true, the distinction between “our code wasn’t hacked” and “our users are fine” is one that the people with locked funds were not in a position to appreciate, and is a telling sign of how Aave is approaching this shituation.
When news of the exploit spread, the largest wallets moved first: the whales jumped in and cleaned out what they had in Aave. Justin Sun, the Tron founder, withdrew billions, the MEXC exchange withdrew billions, and within 24 hours more than $6 billion had left Aave.
This is called a bank run.
The ETH lending pool hit 100% utilisation, meaning every ETH that had been deposited had now been borrowed out, and there was nothing left to withdraw.
Then the same thing happened to USDC followed by USDT.
At 100% utilisation, withdrawals are processed in real time, block by block, as new deposits or repayments trickle in. Technically sophisticated participants running automated scripts can catch those windows. Anyone using a standard wallet, navigating manually, is permanently at the back of the queue. The people most likely to be at the back of that queue are the regular depositors. The ones who put in a few thousand dollars of stablecoins to earn a yield because they’d read that Aave was battle-tested and safe.
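The e-mode borrow and the withdrawal queue described above, as an added toy model that is not Aave or KelpDAO code. Balances are whole units of one asset (think ETH), loan-to-value is in basis points, and the model assumes a withdrawal larger than the pool’s free liquidity fails outright rather than partially filling; the pool sizes and the 300-unit face value of the unbacked collateral are constructed. It shows how the 93% e-mode figure turns into a larger unrecoverable loan than the 85% figure would, how the first large withdrawer takes the pool to 100% utilisation, and why a script that withdraws in the same block as a repayment beats a manual user every time.

```python
"""Toy lending-pool model of the liquidity crunch described in the article.

Added example, not Aave or KelpDAO code. Balances are whole units of one asset
(think ETH), loan-to-value is expressed in basis points, and in this model a
withdrawal larger than the pool's free liquidity fails outright rather than
filling partially (a simplifying assumption). All numbers are constructed.
"""
from dataclasses import dataclass

BPS = 10_000
EMODE_LTV_BPS = 9_300    # the 93% e-mode figure quoted in the article
NORMAL_LTV_BPS = 8_500   # the 85% non-e-mode figure quoted in the article


class InsufficientLiquidity(Exception):
    pass


@dataclass
class Pool:
    supplied: int   # total deposits still owed to suppliers
    borrowed: int   # total outstanding loans

    @property
    def available(self) -> int:
        return self.supplied - self.borrowed

    @property
    def utilisation_bps(self) -> int:
        return self.borrowed * BPS // self.supplied if self.supplied else 0

    def borrow(self, amount: int) -> None:
        if amount > self.available:
            raise InsufficientLiquidity(amount)
        self.borrowed += amount

    def repay(self, amount: int) -> None:
        self.borrowed -= min(amount, self.borrowed)

    def withdraw(self, amount: int) -> int:
        """Pay out `amount` if the pool holds it; otherwise fail with nothing paid."""
        if amount > self.available:
            raise InsufficientLiquidity(amount)
        self.supplied -= amount
        return amount


def max_borrow(collateral_face_value: int, ltv_bps: int) -> int:
    """Largest loan the protocol allows against collateral at a given LTV."""
    return collateral_face_value * ltv_bps // BPS


def try_withdraw(pool: Pool, amount: int) -> int:
    """What a depositor actually receives when they try to leave."""
    try:
        return pool.withdraw(amount)
    except InsufficientLiquidity:
        return 0


def run_scenario() -> dict:
    pool = Pool(supplied=1_000, borrowed=700)           # 70% utilised, 300 free
    fake_collateral = 300                               # face value of unbacked tokens
    emode_loan = max_borrow(fake_collateral, EMODE_LTV_BPS)    # 279
    normal_loan = max_borrow(fake_collateral, NORMAL_LTV_BPS)  # 255
    pool.borrow(emode_loan)                             # real units leave the pool

    # Bank run: the first large wallet takes every unit that is still free.
    whale_got = try_withdraw(pool, pool.available)      # 21
    utilisation_after_run = pool.utilisation_bps        # 10_000 == 100%

    # A retail depositor trying to withdraw 5 now gets nothing.
    retail_frozen = try_withdraw(pool, 5)

    # A borrower repays 5 in the next block. A script watching for free
    # liquidity withdraws it first; the user who clicks afterwards gets nothing.
    pool.repay(5)
    bot_got = try_withdraw(pool, 5)
    retail_after_bot = try_withdraw(pool, 5)

    # When the collateral turns out to be worth nothing, the whole loan is bad debt.
    bad_debt = emode_loan
    return {
        "emode_loan": emode_loan,
        "normal_loan": normal_loan,
        "extra_borrowed_by_emode": emode_loan - normal_loan,
        "whale_got": whale_got,
        "utilisation_after_run_bps": utilisation_after_run,
        "retail_got_while_frozen": retail_frozen,
        "bot_got_after_repay": bot_got,
        "retail_got_after_bot": retail_after_bot,
        "bad_debt": bad_debt,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:28} {value}")
```

Nothing in the model is adversarial beyond the unbacked collateral: the whale, the bot and the retail user all call the same `withdraw`. The ordering alone decides who gets paid, which is the structural point the article makes about who ends up at the back of the queue.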
So once again the retail users, the small holders, the real people who put in a few hundred or a few thousand here and there, whom the industry cries out for and desperately wants to return to support its extractive systems, are the ones left holding worthless bags of crap.
When CoinDesk reached out to Kulechov for comment during the period when Aave’s main markets were locked at 100% utilisation, he responded that he had “nothing useful to say.”
That pretty much sums up what most of the crypto bros have to say.
NOTHING USEFUL
The potential bad debt on Aave now sits somewhere between $123 million and $230 million, depending on how KelpDAO allocates the shortfall across rsETH holders.
Aave’s own risk service providers have stated they cannot yet give a definitive answer on what depositors will actually lose; however, since Aave generated nearly $900 million in fees in 2025, surely they will be able to make their customers whole…
The Question Nobody in the Governance Meeting Asked
The piece of this story that deserves the most attention is perhaps not the hack itself, but the series of decisions that turned a bridge exploit on one protocol into a bank run on another, and why nobody in the governance process caught it.
In January 2026, Aave governance voted to add rsETH to e-mode, the high loan-to-value mode that allowed the attacker to borrow so much real ETH against their fake collateral.
The governance proposal framed it as a revenue opportunity: rsETH was already a proven collateral asset, demand for ETH leverage strategies was strong, and enabling e-mode would unlock “yield maximising loops” that would drive borrowing revenue.
And as per usual the incentives were clear and the benefits were well-articulated, but what was not in the risk analysis was any assessment of the LayerZero bridge configuration that rsETH depended on. The template used for collateral risk covered issuer centralisation, oracle risks, and smart contract audits. It did not cover bridge or messaging layer configuration.
Nobody asked whether the infrastructure connecting rsETH across chains had a single point of failure.
The answer, had anyone asked, was that it did.
But asking uncomfortable questions is not really how crypto governance works in practice. The people closest to power, the delegates, the service providers, the governance participants, all have a financial interest in staying in the room. You do not keep your seat at the table by being the person who slows things down, questions the revenue opportunity, or tells the founder his risk template has a gap in it. So the questions do not get asked, the templates do not get updated, and the yield maximising loops get approved. The yes men get paid. The regular depositor gets the bill.
This is not about one bad actor, it is about a system that evaluated risk through a template, approved a high-leverage mode for an asset with hidden infrastructure dependencies, and then left regular depositors to absorb the consequences when those dependencies failed.
The governance participants who voted for e-mode were not malicious, however the people who had no vote, no automation scripts, and no way to exit before the doors locked were the ones who paid for the decision.
The original version of DeFi lending, like MakerDAO, only accepted ETH as collateral, the real ETH, not some wrapped up crap.
Accepting a wider range of collateral brings more utility, and more revenue. But it also means accepting a longer chain of dependencies that most users, and apparently most risk assessors, cannot trace all the way to the end.
When you deposit USDC on Aave to earn interest, you are, without being told, also taking a position on the security of KelpDAO’s LayerZero bridge configuration, a fact that doesn’t appear anywhere in the user interface.
The Point to Ponder
I want to be careful here not to end with a verdict, as the shituation is far from being settled.
DeFi is a genuine experiment in building financial infrastructure supposedly without gatekeepers, and that experiment is worth taking seriously even when it produces weeks like this one.
But this week raised a question I keep coming back to.
If the people with the most capital can always move fastest, and the governance process optimises for yield and revenue, and the risk templates do not cover the full chain of dependencies, and the founder has “nothing useful to say” when the system is frozen: then who, exactly, is this built for?
The technology is not the problem.
The 1-of-1 DVN issue was known, the e-mode risk was assessable, the dependency chain from USDC deposit to LayerZero bridge was traceable.
The problem is that knowing these things required time, expertise, and attention that regular participants are not expected to have, and that the people responsible for risk management apparently did not apply either.
What comes next will be telling. How KelpDAO allocates the losses really matters.
Whether Aave’s Umbrella safety module covers the bad debt matters.
Whether governance draws the right lessons, rather than just tightening the collateral templates and moving on, matters most of all.
In the meantime, the most honest thing I can tell you is this: understand your full chain of dependencies before you deposit anything anywhere.
Not just the protocol you can see but everything it touches.
That is harder than it should be, and close to impossible for a retail user, but right now it is the only protection the little guy actually has.
Be Kind, Be Curious, Be Careful.
Footnote:
These days people write all sorts of things and it is difficult to know what is good information and what isn’t. When writing I research my topics and provide links to where I have found the information so that you can double check what I am writing is true.
Primary Sources Worth Bookmarking
LayerZero Official Incident Statement
LayerZero’s full account of the attack vector and attribution to Lazarus Group
Aave Governance: rsETH Incident Report
Aave’s official post-mortem, bad debt estimates, and recovery scenarios
Aave Governance: rsETH Incident Thread
Real-time governance response from April 18
CoinDesk: KelpDAO Exploit Overview
Comprehensive overview of the exploit and immediate fallout
CoinDesk: Kelp vs LayerZero
Both sides of the 1/1 DVN blame dispute
CoinDesk: Aave Liquidity Crunch
The mechanics of the bank run and 100% utilisation
TheStreet: Why I Withdrew From Aave
Excellent plain-language walkthrough of how e-mode amplified the damage