DeFi attack wipes $292M as Aave sees $10B exit

A major DeFi attack has wiped $292 million and triggered about $10 billion in withdrawals from Aave. The exploit centered on a LayerZero–KelpDAO vulnerability that let an attacker mint 116,500 unbacked rsETH tokens. About 90,000 rsETH were posted on Aave as collateral, enabling borrowing of roughly $190 million in ETH and other assets. As DeFi users rushed to withdraw, market stress spread quickly. Total value locked (TVL) across DeFi fell from nearly $15B to $10B, and Aave reported an rsETH collateral “hole” of over 112,000 tokens. In response, major protocols launched “DeFi United” to stabilize the system and restore confidence in rsETH. Lido Labs proposed 2,500 stETH (about $5.7M) for the recovery fund. EtherFi proposed an additional rescue package of 5,000 ETH, and Aave founder Stani Kulechov pledged 5,000 ETH. On fund recovery, part of the stolen assets was tracked to Arbitrum, where an Arbitrum security council froze 30,766 ETH (~$71M). Other funds were routed via Thorchain to BTC, complicating direct retrieval. Current priorities focus on recapitalizing rsETH rather than immediately chasing all stolen funds. For traders, this DeFi attack raises near-term liquidity and risk-management concerns around lending markets and cross-chain infrastructure, while the multi-protocol rescue may reduce tail risk if execution holds.