An account of the April 18โ19 cascade at Kelp, Aave, and their peers.
By David Martin ยท April 21, 2026
Over the course of two days in April, a single forgery at the edge of the crypto economy cost the largest lending protocol on Ethereum roughly six and a half billion dollars in deposits and left it holding nearly two hundred million dollars of loans that will not be repaid. The protocol itself โ Aave โ was not broken into. None of its contracts were compromised; its code worked exactly as designed. And yet it bled almost as surely as if it had been.
The story is worth understanding because the shape of the failure is familiar. It is a bank run, routed through software.
The Forgery
At the heart of the affair was a token called rsETH. It is a receipt โ nothing more. When a saver deposits one unit of ETH (the native currency of the Ethereum network) with a protocol called Kelp DAO, Kelp issues them one rsETH in return. The rsETH is a claim on that underlying ETH; it can be traded in markets, pledged as collateral against loans, and stacked with claims elsewhere. Behind the scenes, Kelp puts the underlying ETH to work and pays the saver an enhanced yield for the privilege. In the jargon of the industry it is a liquid restaking token; a warehouse receipt, the kind that banks and merchants have traded against for centuries.
The integrity of a warehouse receipt depends on one thing: that the warehouse contains what the paper says it contains. If the receipts outnumber the goods, the system is insolvent โ not in the sense that any single depositor cannot be paid, but in the sense that the first in line will be paid with the property of the last.
rsETH is issued on multiple blockchains, and to move it between them Kelp relies on a piece of software called a bridge. A bridge listens for a message on one chain ("a user has locked ETH here") and, upon verifying it, issues a corresponding token on another ("therefore issue rsETH to them over here"). Bridges are how crypto assets travel between otherwise isolated ledgers. They are also, as a category, the single most frequently and expensively hacked part of the ecosystem โ more than two and a half billion dollars have been drained from them over the past few years.
On April 18, an attacker compromised Kelp's bridge โ specifically the verification logic that decides whether a cross-chain message is legitimate. He caused the bridge to issue approximately 116,500 rsETH on one chain without anyone having deposited a single unit of ETH against it on the other. In effect, he forged warehouse receipts and walked out of the warehouse carrying them. The forgeries amounted to about eighteen percent of all rsETH in existence.
This is the first of two distinct events. No lender has lost a dollar yet. No contract outside Kelp's bridge has misbehaved. The damage, so far, is potential.
The Good-Faith Loan
The attacker now held a pile of tokens indistinguishable, on the chain, from legitimate rsETH. He walked them over to Aave โ the largest lending protocol in Ethereum โ and pledged them as collateral against a loan of real, unambiguously-backed ETH. He borrowed roughly $196 million worth. Then he exited through various exchanges and was gone within forty-six minutes.
From Aave's point of view, nothing improper had occurred. Its rulebook said rsETH was an accepted form of collateral. Its price oracle โ the automated feed that tells the protocol what a unit of rsETH is worth โ reported a figure consistent with the (now-inflated) supply. And what the industry calls the LTV math worked. LTV stands for loan-to-value, the ratio of how much you are borrowing against how much your collateral is worth. If you pledge a million dollars of collateral and the protocol permits you to borrow up to seventy percent of that, you may walk out with seven hundred thousand, and the books balance. The arithmetic was not wrong. The premise of the arithmetic was wrong: the collateral was not worth what the protocol believed.
At this point Aave had made a loan that was sound by its own rulebook, against collateral that would shortly be revealed to be partly counterfeit. That is the first kind of loss: bad debt, not exploit. When the smoke cleared, Aave would be holding worthless tokens against a real obligation of its own to the depositors who had funded the loan.
Discovery
On-chain analytics โ the public dashboards that track supply and flow across the Ethereum economy โ work in minutes. When the rsETH supply on one chain failed to match the ETH backing on the other, the discrepancy was visible to anyone who cared to look. Holders of real, legitimately-minted rsETH cared very much. They held paper meant to represent a claim on actual ETH, and they could now see, live, that the system was structurally insolvent. There was not enough ETH in the warehouse to honour all the receipts.
Here Kelp's own design worked against it. Like most such protocols, Kelp has a queue for redemptions โ a deliberately slow process of un-staking the underlying ETH that takes days. The delay is, in normal times, a feature: it prevents panicked withdrawals from forcing uneconomic unwinds of the yield strategies. In a crisis, it is the opposite. The ordinary front door was now jammed with every holder trying at once.
The Run, and a New Kind of Short
Locked out of redemption, the holders of real rsETH turned to the side door. They did what any creditor with a failing bearer instrument in his hand would do: they tried to trade it, at par, for something that would not fail. They went to Aave, to SparkLend, to Fluid, to Upshift โ all of which had accepted rsETH as collateral โ and they borrowed.
The mechanics of that borrowing deserve a moment's attention, because they produce a phrase that is counter-intuitive on first reading: these holders shorted their own collateral.
Consider an ordinary case. You own a house and you believe it is about to lose half its value. You cannot sell quickly enough to avoid the fall. So you go to the bank, mortgage the house for the maximum they will lend, and walk out with the cash. If the house collapses, the bank is left holding the wreckage; you, meanwhile, have in your pocket the cash you extracted. You have converted your exposure to a house into cash without ever formally selling the house. Should it become worthless, you simply do not repay the loan โ the bank forecloses on a ruin. In effect, you have bet against your own property using the bank's money.
This is precisely what an rsETH holder did, in code, in minutes. He deposited his rsETH into Aave, borrowed as much real ETH as the protocol would permit against it, moved that ETH to a safe address, and mentally abandoned the loan. If rsETH recovered, he could always repay and reclaim the deposit; if it collapsed, the lender would eat the difference. The moment enough holders did this simultaneously, the effect was a run โ but a run conducted not against the insolvent protocol, Kelp, but against every lender that had, in good faith, listed its token as collateral.
The Slow Thermometer
A lending protocol's primary defence against an impaired asset is liquidation: when a borrower's collateral falls in value, the protocol is meant to sell it and recover the loan before the value falls below the debt. For liquidation to work, the protocol needs an accurate, timely price.
Most DeFi protocols, for sound reasons, do not use the last trade on some exchange as their price. A single malicious trade could move a thinly-traded market far enough to trigger fraudulent liquidations. So they use a time-weighted average price โ an average over the last several minutes or an hour โ which is difficult to manipulate in a single block. It is a thermometer deliberately designed to respond slowly, precisely so that manipulators cannot spike it.
In this case, that virtue became a vice. The true, redemption-implied value of rsETH was falling fast on the decentralized exchanges where it traded. But the oracle, averaging over the prior hour, reported a price that did not yet reflect the collapse. Liquidations either fired late โ after the collateral was already impaired โ or failed to fire at all, because by the slow thermometer's reading, nothing was yet wrong. The borrowers had time. The protocols did not.
The Contagion
By now the shock was no longer confined to rsETH holders. Depositors of stablecoins and other ordinary assets in the same lending pools โ people who had nothing to do with rsETH, had never held it, had never wanted to โ began to notice. They saw bad debt accumulating. They saw utilization rates spiking as borrowers drained the pools. They did the only rational thing: they withdrew.
Total Value Locked in Aave V3 and V4 fell by approximately $6.6 billion over a few hours. SparkLend, Fluid, and Upshift bled in parallel, for the same reason. None of the underlying protocols had been compromised. Their code worked. What failed was the composed system: each protocol had accepted the same impaired asset, each one's exposure was reinforced by every other one's, and the exits were all the same exits.
Two Events
It is important, in the aftermath, to keep the two events distinct.
The first was a bridge exploit at Kelp โ a narrow, technical failure of one piece of infrastructure. Its direct cost was roughly $292 million. Stani Kulechov, the founder of Aave, was correct when he said that Aave had not been exploited; its contracts behaved exactly as written.
The second was a liquidity cascade across the lending ecosystem, triggered by the first but far larger in magnitude and different in kind. No one did anything illegal in the cascade. No code was broken. Every participant acted in accordance with the rules of the protocols they were using. And yet the system as a whole behaved in a way no single participant intended or foresaw.
This is the part that matters โ especially for institutions that do not hold rsETH at all. The lesson is not that Kelp's bridge was insecure (bridges often are). The lesson is that the moment a tokenized asset gains wide acceptance as collateral across a composable financial stack, the failure of its issuer ceases to be a problem for its holders alone. It becomes a run risk for every protocol that trusted it, and for every depositor in those protocols, whether they ever held the asset or not.
Walter Bagehot understood this perfectly well in 1873. What he called the bill market and we now call money markets are webs of mutual credit, in which the failure of a single link draws tension through every strand. He observed that panic travels by way of the solvent as much as the insolvent, because the solvent, reasonably, wish to remain so. That is what happened in April. The code is new. The pattern is old.
By David Martin ยท Crypto XVA Research.
For the underlying framework, see the SSRN working paper โ Crypto XVA: A Conceptual Framework (link to be added at publication).
Subscribe for new research โ email capture form to be configured in Super.