How a KelpDAO rsETH Exploit Knocked Aave From the Top of DeFi TVL Rankings


Nearly a month after the roughly $292 million KelpDAO rsETH exploit, Aave has shed about 44% of its total value locked, and Lido has moved ahead of it as the largest protocol by TVL in DefiLlama’s rankings.

The decline underscores how a breach at one protocol can spread through decentralized finance when the affected token is widely used elsewhere. In this case, KelpDAO’s rsETH, a liquid restaking token, was exploited on April 18, and a large share of the stolen tokens was then parked on Aave, one of DeFi’s biggest lending platforms, as collateral. That forced emergency risk controls on Aave and added to a broader round of withdrawals across the sector.

DefiLlama data referenced in market reporting showed Aave at about $26.4 billion in TVL on or around April 18. By May 17, DefiLlama showed Aave at about $14.78 billion. That is a drop of roughly 44%. On the same date, DefiLlama showed Lido at about $19.35 billion, putting the liquid staking protocol ahead of Aave in the site’s protocol rankings. TVL, or total value locked, is a common DeFi measure of assets deposited in a protocol, though methodologies vary by data provider.

The trigger for the disruption came on April 18 at 17:35 UTC, on Ethereum block 24,908,285, when a forged LayerZero cross-chain packet released rsETH from KelpDAO’s Ethereum adapter. The attacker obtained 116,500 rsETH, worth about $292 million at the time.

Incident reports said the root cause was not a coding flaw in Aave or KelpDAO’s core smart contracts. Instead, it was an off-chain verification failure in the LayerZero route KelpDAO was using. According to the Aave and LlamaRisk incident report posted to Aave Governance, “On 2026-04-18 at 17:35 UTC (Ethereum block 24,908,285), an attacker exploited Kelp’s LayerZero V2 Unichain to Ethereum rsETH route, which was configured as a 1-of-1 DVN.” In plain terms, the route depended on a one-verifier setup, and compromised or poisoned remote procedure call nodes helped a forged message get accepted.
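The single-verifier dependency described above can be checked for mechanically. The following Python sketch is an added example, not code from the incident report, KelpDAO or LayerZero: it computes the fewest verifiers whose attestations are enough for a route to accept a packet and flags routes below a chosen minimum. The route names, verifier labels, field names and the "all required plus a threshold of optional" acceptance rule are assumptions made for this sketch.

```python
from dataclasses import dataclass, field

@dataclass
class RouteConfig:
    # Simplified, hypothetical model of a cross-chain route's verifier set.
    name: str
    required: list                      # every one of these must attest
    optional: list = field(default_factory=list)
    optional_threshold: int = 0         # how many optional verifiers must attest

    def distinct(self):
        req = set(self.required)
        opt = set(self.optional) - req  # a verifier listed twice counts once
        if self.optional_threshold > len(opt):
            raise ValueError(f"{self.name}: threshold exceeds optional verifiers")
        return req, opt

def accepts(cfg, attesting):
    """True if this set of attesting verifiers is enough to accept a packet."""
    req, opt = cfg.distinct()
    attesting = set(attesting)
    return req <= attesting and len(opt & attesting) >= cfg.optional_threshold

def min_verifiers_to_accept(cfg):
    """Fewest verifiers that must attest (honestly or not) for acceptance."""
    req, _ = cfg.distinct()
    return len(req) + cfg.optional_threshold

def audit(routes, minimum=2):
    """Return (route, quorum) for routes whose quorum is below `minimum`."""
    return [(c.name, min_verifiers_to_accept(c)) for c in routes
            if min_verifiers_to_accept(c) < minimum]

# Constructed sample data, not taken from any real deployment.
ROUTES = [
    RouteConfig("route-a", required=["dvn-1"]),                      # 1-of-1
    RouteConfig("route-b", required=["dvn-1", "dvn-2"],
                optional=["dvn-3", "dvn-4", "dvn-5"], optional_threshold=2),
    RouteConfig("route-c", required=[], optional=["dvn-1", "dvn-2"],
                optional_threshold=1),                               # 1-of-2
    RouteConfig("route-d", required=["dvn-1", "dvn-1"]),             # duplicate entry
]

if __name__ == "__main__":
    for name, quorum in audit(ROUTES):
        print(f"{name}: a single point of failure, quorum={quorum}")
```

A quorum above one only helps if the verifiers do not share the same upstream data sources, which this count does not measure.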

That mattered to Aave because most of the stolen rsETH did not stay isolated at KelpDAO. “Of the 116,500 rsETH received by the attacker, 89,567 were deposited on Aave,” the same incident report said. The attacker then borrowed WETH and wstETH against that collateral, according to Aave’s report.

Aave’s Guardian and risk team responded by freezing rsETH and wrsETH reserves across affected deployments and adjusting risk parameters to limit further contagion. Aave and risk adviser LlamaRisk modeled potential bad debt of about $123.7 million to $230.1 million, depending on assumptions used in the analysis.

The episode became a test of DeFi’s composability, or the way protocols plug into each other. A cross-chain verification failure at one venue fed directly into a major lending market because rsETH had already been integrated as collateral. Several market and on-chain analyses also reported broad DeFi withdrawals in the immediate aftermath, with aggregate sector TVL falling by roughly $10 billion to $13 billion over 48 hours.

Lido’s move back to the top of DefiLlama’s rankings reflects that reshuffling of deposits as much as it does any change in its own core product. Lido’s main stETH and wstETH liquid staking products were described as unaffected by the rsETH exploit, though it paused deposits to its EarnETH vault because that product had rsETH exposure.

Some forensic firms and LayerZero have preliminarily attributed the attack to the DPRK-linked Lazarus Group, but that remains intelligence attribution, not a judicial finding. For now, the clearer takeaway is market structure: a single off-chain verification failure was enough to hit KelpDAO, pressure Aave and change the top of DefiLlama’s TVL leaderboard.

Tags: #defi, #aave, #lido, #layerzero