A $300 million borrowing spike on Aave signals liquidity crunch after exploit

The aftershocks of the Saturday’s KelpDAO hack are spreading through stablecoin markets in ways that were not immediately obvious.

Int he first 24 hours post the attack, users on Aave borrowed approximately $300 million against their tether deposits of stablecoin tether USDT$1.0002 on the platform, according to Chaos Labs data.

The borrowing spike isn’t a sign of demand; it is a sign users can’t withdraw. With stablecoin pools maxed out, depositors are taking loans against their own funds at a loss just to access liquidity.

Think of it this way: Imagine a bank refusing to process customer fiat deposit withdrawal requests. So, out of desperation, customers take out loans on these deposits. This credit creation isn’t healthy, but a desperate move for liquidity.

“We’re now seeing some negative secondary effects of illiquidity in Aave stablecoin markets,” said monetsupply.eth, the pseudonymous head of strategy at Spark, a rival DeFi lending platform. “Because users can’t withdraw due to 100% utilization, there has been a ~$300 million increase in borrowing with USDT collateral in just the past day since the rsETH exploit.”

To understand how a single exploit on KelpDAO ended up locking every stablecoin exit on Aave simultaneously, you need to understand how the system is supposed to work — and exactly where it broke.

What is Aave and how it’s supposed to work

Aave is a decentralized finance (DeFi) protocol that enables users to lend and borrow cryptocurrencies without intermediaries. Think of it as a bank, except it runs entirely on code on a public blockchain, with no human gatekeepers.

Users deposit assets into lending pools and earn interest. Others borrow from those same pools by posting crypto assets as collateral, which exceeds the loan amount. The system is designed to self-correct automatically through interest rates. When lots of people want to borrow, rates rise, making borrowing more expensive and encouraging lenders to deposit more. When demand falls, rates drop.

The whole system operates on one core assumption: that there is always enough liquidity – enough assets in the pool – for lenders to withdraw their deposits when they want to, and for borrowers to unwind their positions when they need to.

When that assumption breaks down, everything else breaks with it. That’s what happened after the KelpDAO exploit.

rsETH and the KelpDAO exploit

rsETH is a liquid re-staking ether token issued by KelpDAO.

When you stake ether (ETH), you lock it up to help secure the Ethereum network in exchange for a yield, similar to earning interest on a bond. Some protocols issue a liquid staking token (LST) that represents your staked ETH.

Re-staking goes a step further, reusing those already-staked assets to secure additional systems, effectively stacking yield on yield. In return, you receive a receipt token representing your position. rsETH is one such receipt token and it has been widely used as collateral across the DeFi world.

On April 18, an attacker manipulated KelpDAO’s bridge infrastructure into releasing 116,500 rsETH — roughly 18% of the token’s circulating supply, worth approximately $292 million. These fake, unbacked tokens were immediately deposited into lending protocols, mostly Aave, to borrow real ETH and other assets such as wrapped ether (wETH) against them. Fake tokens in, real money out.

“That [borrowed] WETH is gone. The rsETH holding its place in the vaults is worth whatever an unbacked claim is worth — approaching zero on the L2 side, where 20+ chains held bridged rsETH backed by a now-empty mainnet lockbox,” 0xyanshu, a pseudonymous crypto operator known for work around on-chain finance and risk, said.

Aave froze rsETH markets on V3 and V4 within hours, with founder Stani Kulechov affirming the exploit was external and Aave’s contracts were not compromised. That freeze stopped the bleeding. But it also set off the chain reaction that produced the $300 million borrowing surge.

How $300 million in borrowing materialized in a single day

When the exploit news broke, whales and big funds withdrew billions of dollars worth of cryptocurrencies from Aave’s liquidity pools within hours. Because they moved first and in large numbers, their withdrawals drained liquidity pools.

“When the rsETH exploit happened and AAVE incurred bad debt, whales like Justin Sun, MEXC exchange, and others immediately withdrew billions from AAVE,” analyst Duo Nine, said in an explainer. “Initially, the ETH market hit 100% utilization, meaning you could not withdraw your ETH from AAVE.”

This soon spread to USDT and USDC pools, raising their utilization rates to 100%, as over $6 billion in assets left the protocol within hours. Every lending pool holds a fixed amount of assets deposited by users. When every dollar of those assets has been borrowed out, nothing remains for withdrawals.

“That’s because AAVE lost over $6 billion in liquidity in the past 24h,” Duo Nine wrote. “As whales took out their money, USDT and USDC also hit 100% utilization. These markets are now also stuck with money locked.”

This is when the $300 million secondary borrowing surge began.

Trapped USDT and USDC depositors, unable to simply withdraw their money, reached for the only exit still available to them. They began by drawing loans from their locked deposits.

“Some users decided to borrow against USDT/USDC and exit via other markets at a 10-25% loss,” Duo Nine explained. “Basically you borrow GHO/DAI/USDe against your locked USDT/C.” It was not a trading strategy.

It has been a desperate act of borrowing against their own money at a loss, accepting 75 cents on the dollar, just to extract any liquidity from the system at all. Aave allows users to borrow up to 75% of the total loan-to-value (LTV) of their deposited collateral, depending on the asset and its risk parameters.

“With a 75% max LTV, users with stuck USDT deposits can take out up to 3/4 of the value of their Aave position. But this ends up reducing liquidity in other markets, with USDC and USDe markets now at 100% utilization as well,” monetsupply.eth, the pseudonymous head of strategy at Spark, a rival DeFi lending platform, observed.

For anyone watching DeFi from the outside, the message is clear: “Decentralized” does not mean “without risk.”