The aftershocks of Saturday’s KelpDAO hack are spreading through the stablecoin markets in ways that were not immediately apparent.
According to data from Chaos Labs, users on Aave borrowed approximately $300 million against their tether deposits from stablecoin tether on the platform in the first 24 hours after the attack.
The credit spike is not a sign of demand; it is a sign that users cannot opt out. With stablecoin pools at their maximum, savers are taking loans against their own funds at a loss just to access liquidity.
Think of it this way: imagine a bank refuses to process customer withdrawal requests. So out of desperation, customers take out loans on these deposits. This credit creation is not healthy, but a desperate attempt for liquidity.
“We are now seeing some negative secondary effects of illiquidity in the Aave stablecoin markets,” said monetsupply.eth, the pseudonymous head of strategy at Spark, a rival DeFi lending platform. “Because users cannot withdraw due to 100% occupancy, there is an increase of ~$300 million in loans with $USDT collateral in the last day since the rsETH exploit.”
To understand how a single exploit on KelpDAO ended up blocking every stablecoin outlet on Aave simultaneously, you need to understand how the system is supposed to work – and exactly where it broke.
What is Aave and how it should work
Aave is a decentralized finance protocol (DeFi) that allows users to lend and borrow cryptocurrencies without intermediaries. Think of it like a bank, only it runs entirely on code on a public blockchain, without human gatekeepers.
Users deposit assets into credit pools and earn interest. Others borrow from those same pools by posting crypto assets as collateral, which exceeds the loan amount. The system is designed to automatically correct itself through interest rates. When many people want to borrow, interest rates rise, making borrowing more expensive and encouraging lenders to deposit more. When demand drops, rates drop.
The entire system works on one core assumption: that there is always enough liquidity – enough assets in the pool – so that lenders can withdraw their deposits when they want, and that borrowers can unwind their positions when necessary.
If that assumption fails, everything else breaks with it. That’s what happened after the KelpDAO exploit.
rSETH and the KelpDAO exploit
rsETH is a liquid resployment ether token issued by KelpDAO.
When you stake ether ($ETH), you lock it up to help secure the Ethereum network in exchange for a return, similar to earning interest on a bond. Some protocols issue a liquid staking token (LST) that represents your stake $ETH.
Redeploying takes this a step further, reusing already deployed assets to secure additional systems, effectively stacking return on return. In return, you will receive a receipt representing your position. rsETH is one such receiving token and is widely used as collateral in the DeFi world.
On April 18, an attacker manipulated KelpDAO’s bridge infrastructure to release 116,500 rsETH – approximately 18% of the token’s circulating supply, worth approximately $292 million. These fake tokens with no backup were immediately deposited into lending protocols, usually Aave, to lend real tokens $ETH and other assets such as wrapped ether (wETH) against them. Fake tokens in, real money out.
“That [borrowed] LAW is gone. The rsETH taking its place in the vaults is worth what an unsupported claim is worth – almost zero on the L2 side, where more than 20 chains bridge the rsETH, backed by a now empty mainnet lockbox,” said 0xyanshu, a pseudonymous crypto operator known for his work around on-chain finance and risk.
Aave froze the rsETH markets on V3 and V4 within hours, with founder Stani Kulechov confirming that the exploit was external and that Aave’s contracts had not been compromised. That freeze stopped the bleeding. But it also set off the chain reaction that caused the $300 million borrowing boom.
How $300 Million in Loans Happened in One Day
When the exploit news broke, whales and major funds withdrew billions of dollars worth of cryptocurrencies from Aave’s liquidity pools within hours. Because they moved first and in large numbers, their withdrawals depleted liquidity pools.
“When the rsETH exploit happened and $AAVE have incurred bad debts, whales like Justin Sun, MEXC Exchange and others have immediately withdrawn billions $AAVE‘, analyst Duo Nine said in an explanation. ‘At first the $ETH the market reached 100% occupancy, meaning you couldn’t withdraw your account $ETH by $AAVE.”
This soon spread to $USDT And $USDC pools, increasing their occupancy rates to 100% as more than $6 billion in assets left the protocol within hours. Each lending pool has a fixed amount of assets deposited by users. When every dollar of these assets has been borrowed, there is nothing left for withdrawals.
“That’s because $AAVE has lost more than $6 billion in liquidity in the last 24 hours,” wrote Duo Nine. “When the whales took their money out, $USDT And $USDC also achieved an occupancy rate of 100%. These markets are now also stuck with money locked up.”
This is when the $300 million secondary lending wave began.
Captured $USDT And $USDC savers, unable to simply withdraw their money, looked for the only exit available to them. They started taking out loans from their blocked deposits.
“Some users decided against borrowing $USDT/$USDC and exit through other markets at a loss of 10-25%,” explains Duo Nine. “Basically you borrow GHO/DAI/$USDe against your lock $USDT/C.” It wasn’t a trading strategy.
It was a desperate act of borrowing at a loss with their own money, accepting 75 cents on the dollar, just to take liquidity out of the system at all. Aave allows users to borrow up to 75% of the total loan-to-value (LTV) of their posted collateral, depending on the asset and its risk parameters.
“With a maximum LTV of 75%, users are stuck $USDT deposits can take up to 3/4 of the value of their Aave position. But this ultimately leads to a reduction in liquidity in other markets $USDC And $USDe markets are also now at 100% leverage,” noted monetsupply.eth, the pseudonymous head of strategy at Spark, a rival DeFi lending platform.
For anyone looking at DeFi from the outside, the message is clear: “Decentralized” does not mean “risk-free.”