Overview
- A $292 million exploit of KelpDAO’s LayerZero bridge used RPC‑spoofing and a DDoS attack on verifier nodes and triggered an $8.45 billion deposit run on Aave within 48 hours in April 2026.
- Aave avoided insolvency after emergency governance actions that totaled roughly $300 million, including a 25,000 ETH pledge from the Aave DAO and a personal 5,000 ETH contribution from founder Stani Kulechov.
- Blockchain risk firm LlamaRisk found attackers minted worthless collateral, deposited it into Aave, and drained real wrapped Ether, leaving Aave V3 with about $123.7 million in bad debt.
- Aave Labs says its planned V4 upgrade will replace pooled token models with a modular hub‑and‑spoke design to isolate risk, levy localized premiums, and enable freezing of specific collateral lines but the timeline and effectiveness remain unproven.
- The crisis highlighted recurrent bridge and off‑chain vulnerabilities, exposed gaps in on‑chain insurance, and poses a test for whether institutional investors will return before V4 is implemented; regulators and users should watch V4 progress and any changes to insurance or emergency procedures.