Aave, one of crypto’s largest lending platforms, was not directly hacked but was caught in the fallout after stolen tokens from another project were used to borrow real assets. (Photo: Shutterstock)

Aave, one of crypto’s largest lending platforms, was not directly hacked but was caught in the fallout after stolen tokens from another project were used to borrow real assets. (Photo: Shutterstock)

Aave, a crypto lending platform where users borrow and lend digital assets, has been left exposed after a $292m theft linked to another crypto project, offering a warning that risks in decentralised finance can be harder for ordinary users to see until it is too late.

Decentralised finance, better known as DeFi, was built on a simple idea: people should be able to borrow, lend, trade and earn interest without going through a bank.

Instead of opening an account with a traditional lender, users connect a crypto wallet. Instead of a bank approving a loan, software automatically applies the rules. If a user wants to borrow, they must first deposit crypto as security. If the value of that security falls too far, the system can automatically sell it to protect lenders.

This was why DeFi was seen as a potential game changer. It promised faster access to finance, fewer middlemen, 24-hour markets and higher returns for users willing to lend out their crypto.

The platform

Aave became one of DeFi’s most important lending platforms. In simple terms, it works like a crypto money market. Some users deposit digital assets and earn interest. Others borrow against their crypto holdings.

The model depends on one crucial assumption: the crypto posted as security must be real, valuable and easy to sell.

That assumption was tested in April 2026.

What happened

The problem began outside Aave. On 18 April 2026, attackers stole about 152,600 rsETH, worth around $292m, from Kelp DAO’s bridge system. rsETH is a token linked to ether, one of the main cryptocurrencies, and is used by investors who want to earn extra returns by locking up their crypto. Kelp DAO’s bridge allows rsETH to move between different blockchains.

The attackers found a way to make the bridge release tokens that were not properly backed by the ether they were supposed to represent. Those tokens could then be used elsewhere in DeFi, including as security for loans.

Those tokens then became dangerous because they could be used elsewhere in DeFi.

Not hacked but vulnerable

Aave was not directly hacked. Its own governance forum stated that the incident was limited to the rsETH asset and did not come from a vulnerability in the Aave protocol itself. Aave froze rsETH and wrsETH markets from 18:52 UTC on 18 April to stop new deposits and new borrowing against the affected tokens.

But the damage had already been done. The attackers used the affected tokens as security on Aave and borrowed real assets against them. The Wall Street Journal reported that hackers borrowed about $190m from Aave. In other words, Aave accepted something that appeared valuable as security. Once that security was found to be impaired, the loans made against it became a problem.

Why users should care

The episode shows a risk that many ordinary crypto users may not see. A person using one DeFi platform may think they are only exposed to that platform. In reality, the value of their deposits can depend on other projects, bridges, tokens and technical systems elsewhere.

That is what makes DeFi powerful, but also fragile. One failure can travel quickly through connected platforms.

After the incident became public, users pulled more than $10bn from Aave, a record outflow that far exceeded the platform’s direct liquidity risk from the episode. The rush to withdraw reflected how quickly confidence can evaporate in digital markets, where funds can move instantly and fear can become self-reinforcing.

DeFi was meant to make finance more open and transparent. But for many users, the system has become difficult to understand, with risks hidden behind technical terms, automated systems and links between platforms.

Aave’s $290m lesson is therefore simple: in crypto lending, high yields and clever technology do not remove risk. They can sometimes make it harder to see.

Related articles

AI-powered retail investing risks fuelling herd behaviour and liquidity crises, potentially accelerating the next financial meltdown, warns European Stability Mechanism economists Thiago Fauvrelle and Martin Rohár, in a blog post on 28 July 2025. Photo: Peter Lindmark / ESM
MARKETS

How GenAI could trigger the next financial crisis: ESM economists

Kangkan Halder 29.07.2025
In the run-up to the new European directive, it’s best to start gathering documentation on your crypto activities. Photo: Shutterstock
FINTECH

DAC8: what it changes for crypto holders

Thierry Labro 21.11.2025
“Even small differences in spread or slippage can have a significant impact when trading volume is high,” Gracy Chen, chief executive of Bitget, explained as she outlined why execution quality has become a defining issue for institutional crypto trading. Photo: Bitget
FINTECH

Why execution quality matters in crypto: Bitget’s Gracy Chen

Kangkan Halder 17.03.2026