Kelp DAO rsETH Exploit Drains $292 Million and Triggers Largest DeFi Crisis of 2026

On April 18, an attacker drained 116,500 rsETH from Kelp DAO’s cross-chain bridge. The tokens were worth roughly $292 million at the time. That figure makes this the largest DeFi exploit of 2026, overtaking the Drift Protocol hack from earlier this month. However, the damage extends far beyond Kelp itself. Emergency freezes hit at least nine protocols, and total DeFi value locked dropped more than $13 billion in the 48 hours that followed.

Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.

We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.

We will keep you…

— Kelp (@KelpDAO) April 18, 2026

How the Attack Worked

The exploit targeted Kelp’s LayerZero-powered bridge infrastructure. Specifically, the attacker went after the Decentralized Verifier Network (DVN) that confirms cross-chain transactions. Kelp’s bridge used a single-verifier configuration, meaning only one entity needed to approve any transaction.

The attacker first compromised two of the RPC nodes used by LayerZero’s DVN. Then they launched a distributed denial-of-service (DDoS) attack against the remaining clean servers. This forced LayerZero’s verification system to fail over to the compromised nodes.

With control of the verification layer, the attacker forged a cross-chain message. That message tricked Kelp’s bridge into releasing 116,500 rsETH to an attacker-controlled address. The drained tokens represented roughly 18% of rsETH’s 630,000 token circulating supply. Notably, the attacker then deposited the stolen rsETH into Aave V3 as collateral and borrowed approximately $196 million in wrapped ETH against it. Additional borrows across Compound and Euler brought the total to around $236 million.

Kelp’s emergency pauser multisig froze the protocol’s core contracts 46 minutes after the initial drain. Two follow-up attempts to steal another $100 million in rsETH were blocked at 18:26 and 18:28 UTC.

LayerZero and Kelp DAO Trade Blame

The aftermath quickly turned into a public dispute over responsibility. Each side pointed the finger at the other’s decisions.

LayerZero published a statement blaming Kelp for choosing a single-verifier (1-of-1 DVN) configuration. The company said it had previously warned Kelp to adopt a multi-verifier setup. LayerZero emphasized that its core protocol functioned correctly and that Kelp’s insecure configuration created the single point of failure. Going forward, LayerZero announced it will no longer sign messages for any project running a single-verifier config.

Kelp DAO fired back with a different version of events. The team claimed that LayerZero’s own quickstart guide and default GitHub configuration point to a 1-of-1 DVN setup. According to Kelp, approximately 40% of protocols on LayerZero currently use the same configuration. In other words, Kelp argues this was the standard path, not an outlier decision made against explicit advice.

The dispute highlights a structural tension in cross-chain infrastructure. Bridge providers offer flexible configurations, but when the defaults favor simplicity over security, the question becomes who bears responsibility when things go wrong.

SCOOP: Kelp DAO is preparing a memo blaming LayerZero for Saturday’s $292 million rsETH exploit, saying it relied on LayerZero’s documentation, default configurations and team guidance when setting up the bridge.

CoinDesk has reviewed the memo ahead of publication. pic.twitter.com/nBX2CzuViR

— CoinDesk (@CoinDesk) April 20, 2026

Aave Faces $196 Million in Bad Debt

The exploit hit Aave harder than any other lending protocol. Because the attacker used stolen rsETH as collateral on Aave V3, the protocol now holds approximately $196 million in bad debt concentrated in the rsETH-to-WETH pair. That pair accounts for 39.49% of all Aave loans, making this a direct hit to the protocol’s core book.

Aave’s Guardian initiated freezes on rsETH and wrsETH markets across all deployments starting at 18:52 UTC. Founder Stani Kulechov initially stated the Umbrella safety module would cover any deficit. However, within hours, the language softened to “explore paths to offset the deficit.” That shift raised concerns that the Umbrella reserve may fall short and that stkAAVE stakers could absorb residual losses.

In response, Aave’s total value locked plunged by roughly $6.6 billion. The AAVE token dropped 16%. Additionally, a $300 million borrowing spike across the protocol signaled a broader liquidity crunch as depositors rushed to withdraw.

LATEST: Aave’s TVL dropped nearly $8 billion after attackers used $293 million in stolen Kelp DAO tokens as collateral, creating $195 million in bad debt, according to Lookonchain. pic.twitter.com/Hyj4jl46dt

— CoinMarketCap (@CoinMarketCap) April 20, 2026

DeFi-Wide Contagion Spreads Across Nine Protocols

The Kelp DAO rsETH exploit did not stay contained. Because the bridge held reserves backing rsETH across more than 20 networks, the loss raised immediate doubts about rsETH backing on every Layer 2 where it existed.f

Emergency freezes spread quickly. SparkLend, Fluid, Upshift, Compound, and Euler all took action to freeze rsETH markets within hours. Ethena paused its LayerZero OFT bridges as a precaution, even though it had no direct exposure. Lido followed with similar defensive measures. In total, at least nine protocols enacted emergency responses.

The broader impact was severe. Total DeFi value locked dropped more than $13 billion in the two days following the hack. The sell pressure on rsETH cascaded into related assets, and the community reaction was swift. “DeFi is dead” began trending on social media as users questioned the structural risks of cross-chain composability.

Lazarus Group Suspected Behind the Attack

LayerZero attributed the exploit to North Korea’s Lazarus Group, specifically the TraderTraitor unit. The company cited preliminary indicators consistent with a highly sophisticated state actor. On-chain trackers noted the attacker funded the exploit address through Tornado Cash and converted approximately $250 million of stolen funds to ETH.

Importantly, this is the second major DeFi attack linked to Lazarus in April 2026. The group allegedly exploited Drift Protocol on April 1 using social engineering against governance signers. Combined, the two attacks total more than $575 million drained from DeFi in just 18 days. The two exploits used completely different attack vectors, suggesting the unit operates with significant technical range.

LayerZero said it has contacted law enforcement agencies globally and is working with Seal911 and other industry partners to trace the stolen funds. Recovery prospects remain uncertain given the attacker’s use of Tornado Cash for laundering.

What This Means for Cross-Chain DeFi

The Kelp DAO rsETH exploit exposed several structural risks that extend well beyond one protocol. First, default bridge configurations that favor convenience over security now face intense scrutiny. If 40% of LayerZero protocols truly use the same 1-of-1 verifier setup, the attack surface across DeFi remains wide open.

Second, the incident raises hard questions about how lending protocols evaluate collateral risk. Aave accepted bridge-dependent liquid restaking tokens without restrictions that could have limited exposure. As a result, a bridge exploit turned into a lending protocol crisis.

Finally, the speed of DeFi contagion continues to accelerate. A single bridge vulnerability cascaded into $13 billion in TVL losses across nine protocols in 48 hours. The interconnected nature of cross-chain composability means that one weak link can threaten the entire system.

Fund recovery efforts are ongoing, but the broader conversation has already shifted. Protocols across DeFi are now re-evaluating bridge dependencies, verifier configurations, and collateral risk parameters in real time.

Disclaimer: News content provided by Genfinity is intended solely for informational purposes. While we strive to deliver accurate and up-to-date information, we do not offer financial or legal advice of any kind. Readers are encouraged to conduct their own research and consult with qualified professionals before making any financial or legal decisions. Genfinity disclaims any responsibility for actions taken based on the information presented in our articles. Our commitment is to share knowledge, foster discussion, and contribute to a better understanding of the topics covered in our articles. We advise our readers to exercise caution and diligence when seeking information or making decisions based on the content we provide.

The post Kelp DAO rsETH Exploit Drains $292 Million and Triggers Largest DeFi Crisis of 2026 appeared first on Genfinity – Web3 Education & News.