Aave maintains a $50 million insurance fund to absorb bad debt. However, this can't cover such a huge shortfall.
Aave faces approximately $200 million in bad debt after Kelp DAO bridge exploit
The Aave defi lending protocol is grappling with anywhere from $177 million to $236 million in bad debt after the Kelp DAO bridge exploiter used Aave to cash out their stolen rsETH. Rather than selling the tokens, the attacker used the rsETH as collateral to borrow wETH, leaving Aave stuck with the huge quantity of unbacked rsETH. Although Kelp and Aave both froze affected markets, the attacker had already cashed out. The attacker borrowed essentially all of the wETH available on the platform, leaving those who'd loaned those tokens unable to withdraw.
RaveDAO accused of pump-and-dump as token crashes 98%
Binance and BitGet have confirmed they are investigating allegations that RaveDAO orchestrate a pump-and-dump to push its RAVE token price from around $0.25 to more than $27 over the past few weeks, before the token price plummeted back down to $0.66. Concerns were first raised by blockchain investigator zachbxt, who called on the exchanges to investigate. He later wrote, "While it's good the exchanges responded, I find it unlikely this activity wasn't spotted internally before I raised it publicly."
RaveDAO describes itself as a "community-driven global rave powerhouse", and sells NFT tickets to rave events.
RaveDAO has denied any responsibility for the recent price movements, but did not address allegations of enormous token concentration with the project's team or large transfers to exchanges around the time of the price jump.
Kelp DAO bridge hacked for $292 million
An attacker stole 116,500 rsETH (restaked ether) from a blockchain bridge run by Kelp DAO. Based on prices at the time of the theft, the stolen tokens would be worth around $292 million — however, the attacker is likely to face challenges selling a quantity of tokens that amounts to 18% of rsETH's circulating supply.
When tokens are bridged from one chain to another, the tokens on the original chain are locked in the bridge smart contract while the token is used on the other chain, preventing its owner from double-spending the asset. With 116,500 locked rsETH now stolen, those using the token on other blockchains are now holding possibly unbacked tokens.
The rush for holders to offload their dubiously backed tokens is likely to worsen contagion throughout defi protocols, where those platforms could be left holding the bag. Some platforms, including Aave, Lido Finance, and Ethena, have paused markets involving rsETH to try to protect themselves.
This hack has set the new record for the largest defi hack in 2026, following the $285 million Drift exploit on April 1.