DeFi’s Largest 2026 Hack Exposes Cross-Chain Infrastructure Weaknesses
On April 18, 2026, a hacker drained approximately $290 million in rsETH from KelpDAO, a liquid restaking protocol built on Ethereum. The attack, carried out through a flaw in the LayerZero cross-chain bridge configuration, triggered an unprecedented liquidity crisis across Aave and the broader decentralized lending ecosystem. Within 48 hours, more than $13 billion evaporated from DeFi, making this incident the largest crypto hack of 2026 so far. This case adds to an already lengthy list of massive hacks that occurred throughout April, marking a critical turning point for the industry’s security posture.

Background
Liquid restaking tokens (LRTs) emerged as a digital asset category over the past two years. They allow ether holders to stake their ETH on Ethereum’s consensus layer while restaking those tokens on layer-2 networks (L2s) to generate additional yields. KelpDAO, one of the leading players in this sector, issues rsETH (restaked ETH), a token that circulates across roughly 20 blockchains through an omnichain bridge built with LayerZero infrastructure.
The mechanism relies on a system of decentralized verifier networks (DVNs). When a user wishes to transfer rsETH from one blockchain to another, a set of DVNs must attest to the authenticity of the message before funds are released. Each protocol chooses how many verifiers must sign off. KelpDAO configured its bridge with a single verifying entity: LayerZero Labs itself. It was precisely on this minimalist configuration that the attackers capitalized.
This architecture fits into a broader movement of blockchain ecosystem fragmentation. Decentralized finance protocols constantly seek to expand their reach beyond a single chain, pushing them to rely on third-party interoperability solutions. LayerZero has established itself as one of the major players in this space, with thousands of deployments across the crypto ecosystem. However, the flexibility of its configuration system leaves significant room for potentially dangerous security choices.
The choice of a single-verifier configuration (1-of-1 DVN) is not uncommon in the industry. For reasons of cost and operational simplicity, many projects opt for this type of minimalist configuration, reckoning that the reputation of the single-node operator is sufficient to guarantee security. This approach, now called into question by the KelpDAO incident, illustrates a gap between the promises of modular security and the operational reality of cross-chain bridges.
What Happened
According to the incident report published by KelpDAO on April 20, 2026, the attack took place at 17:35 UTC on Saturday, April 18. The attacker sent a forged LayerZero packet claiming to originate from Unichain (the layer-2 network developed by Uniswap). The rsETH bridge released 116,500 rsETH — representing approximately 18% of total supply — to an address controlled by the hacker on Ethereum mainnet. Two follow-on withdrawal attempts were blocked 46 minutes later when KelpDAO suspended its contracts.
The total amount diverted is estimated at between $290 and $293 million by major sector sources including Bloomberg and the Bank Policy Institute. Galaxy Research places the exact volume at 116,500 rsETH, equivalent to approximately $292 million at the price at the time. Preliminary attribution points to the Lazarus Group, a state-sponsored hacking unit from North Korea, also suspected of orchestrating the $285 million theft from Drift Protocol on April 1, 2026.
Rather than immediately reselling the tokens on decentralized exchanges (DEXs), which would have crashed the rsETH price, the attacker used the stolen funds as collateral to borrow heavily across multiple lending protocols. On Aave, Compound and Euler, approximately $236 million was borrowed in WETH and wstETH against the stolen rsETH. Borrowed assets were then swapped for ETH, consolidated in the attacker’s wallet: 75,700 ETH on Ethereum and 30,765 ETH on Arbitrum.
The precise attack mechanism was classified by LayerZero as “RPC poisoning.” The attackers first corrupted two downstream RPC nodes that the DVN relied on to verify the source chain’s state. Then they launched a distributed denial-of-service (DDoS) attack on the uncompromised RPCs, forcing the DVN to switch to the poisoned nodes that were transmitting false data. This method kept the attack invisible to LayerZero’s monitoring infrastructure until the drain was complete.
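The failure mode described above, failing over to whichever RPC nodes still answer, can be contrasted with a fail-closed quorum check. This is an added example, not code from LayerZero or KelpDAO; the endpoint names, the callable interface, the hashes and the five-endpoint layout are constructed assumptions.

```python
from collections import Counter

class QuorumError(Exception):
    """Too few configured endpoints agree; the verifier must not attest."""

def naive_failover(endpoints, block_number):
    """Weak pattern: trust the first endpoint that answers."""
    for fetch in endpoints.values():
        try:
            return fetch(block_number)
        except ConnectionError:
            continue
    raise QuorumError("no endpoint reachable")

def quorum_block_hash(endpoints, block_number, quorum):
    """Return the hash reported by at least `quorum` of ALL configured endpoints."""
    if quorum * 2 <= len(endpoints):
        raise ValueError("quorum must be a strict majority of configured endpoints")
    answers = []
    for fetch in endpoints.values():
        try:
            answers.append(fetch(block_number))
        except ConnectionError:
            pass  # an unreachable node is a missing vote; the bar is not lowered
    if answers:
        top, votes = Counter(answers).most_common(1)[0]
        if votes >= quorum:
            return top
    raise QuorumError(f"{len(answers)}/{len(endpoints)} answered, quorum {quorum} not met")

# Constructed sample data: five endpoints, two of them returning a forged hash.
HONEST, FORGED = "0xaaaa", "0xbbbb"

def _up(value):
    return lambda block_number: value

def _down(block_number):
    raise ConnectionError("timed out")

def build_endpoints(honest_reachable):
    honest = _up(HONEST) if honest_reachable else _down
    return {"rpc-a": honest, "rpc-b": honest, "rpc-c": honest,
            "rpc-d": _up(FORGED), "rpc-e": _up(FORGED)}

def attest_or_halt(endpoints, block_number=100, quorum=3):
    try:
        return quorum_block_hash(endpoints, block_number, quorum)
    except QuorumError:
        return None  # fail closed: no attestation is produced
```

With the three honest endpoints unreachable, `naive_failover` returns the forged hash while `attest_or_halt` returns `None`, turning the outage into a halt and an alert rather than a signed message.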
The scale of the incident was immediately felt on the markets. The rsETH token experienced a precipitous drop in value, dragging with it all positions secured by this token on major lending protocols. The positions of Aave users using rsETH as collateral were immediately threatened with liquidation, in a context where ether prices were also under pressure.
Analysis
The KelpDAO incident raises fundamental questions about the security of cross-chain architectures in decentralized finance. “The KelpDAO exploit is NOT a LayerZero protocol bug. It’s a configuration issue and a case study every project with a cross-chain token needs to look at today,” summarized one anonymous developer on the social media platform X. Another analyst, going by the pseudonym Fishy Catfish, illustrated the danger with a telling analogy: “It’s like a roller coaster manufacturer letting amusement parks individually decide on minimum safety specs.”
The flexibility of modular security systems, praised as an advancement, becomes a flaw when it allows projects to operate with single-verifier configurations. With a 1-of-1 DVN setup, a single node operated by a single entity is sufficient to authorize massive fund transfers. The technical community is now calling for a native security floor below which no project should be allowed to operate.
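A configuration audit for the single-verifier problem discussed above can count distinct operating entities rather than verifier nodes, since several nodes run by one operator are still a single point of failure. This is an added example, not LayerZero's schema or tooling; the field names (`required`, `optional`, `optional_threshold`), the verifier and operator names, and the floor of 2 are assumptions.

```python
from itertools import combinations

def min_operators_to_forge(cfg, operator_of):
    """Smallest number of distinct operators whose compromise satisfies cfg.

    cfg["required"]: verifier ids that must all attest
    cfg["optional"]: verifier ids of which cfg["optional_threshold"] must attest
    operator_of:     verifier id -> entity that runs it
    """
    base = {operator_of[v] for v in cfg["required"]}
    threshold = cfg["optional_threshold"]
    if threshold > len(cfg["optional"]):
        raise ValueError("threshold exceeds number of optional verifiers")
    if threshold == 0:
        return len(base)
    # Try every way of meeting the optional threshold and keep the cheapest one.
    return min(len(base | {operator_of[v] for v in combo})
               for combo in combinations(cfg["optional"], threshold))

def audit(name, cfg, operator_of, floor=2):
    """Flag any application whose messages one operator alone can approve."""
    needed = min_operators_to_forge(cfg, operator_of)
    return {"app": name, "operators_needed": needed, "ok": needed >= floor}

# Constructed sample data.
OPERATORS = {"dvn-1": "op-A", "dvn-2": "op-A", "dvn-3": "op-A",
             "dvn-4": "op-B", "dvn-5": "op-C"}
CONFIGS = {
    # One verifier, one operator: the 1-of-1 case.
    "single": {"required": ["dvn-1"], "optional": [], "optional_threshold": 0},
    # Two verifiers, but both run by the same entity.
    "same-operator": {"required": ["dvn-1", "dvn-2"], "optional": [],
                      "optional_threshold": 0},
    # One required verifier plus 2 of 3 optional ones across three operators.
    "mixed": {"required": ["dvn-1"], "optional": ["dvn-3", "dvn-4", "dvn-5"],
              "optional_threshold": 2},
}

def audit_all():
    return [audit(name, cfg, OPERATORS) for name, cfg in CONFIGS.items()]
```

The `same-operator` entry looks like a 2-of-2 setup on paper but is flagged, and `mixed` passes only narrowly because the cheapest optional pair includes a verifier run by the operator that already holds the required slot.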
Another critical point: Aave’s insurance fund proved largely insufficient against the scale of potential losses. According to data from the Bank Policy Institute and Finance Feeds, Aave’s safety module was valued between $80 and $100 million, while exposure to potential losses exceeded $200 million. This inadequacy triggered a panic movement among lenders, who began withdrawing their ETH at a record pace.
Aave’s choice to integrate rsETH as collateral for ETH-mode loans (E-Mode) with a loan-to-value (LTV) ratio of 93% — compared to 72% for SparkLend — amplified the protocol’s exposure. This decision, made in January 2026, allowed users to multiply their positions using rsETH as collateral for ether borrowings with significant leverage. When rsETH collapsed, positions were dragged toward partial or complete liquidations, worsening losses for lenders remaining in the protocol.
It is also worth noting that this incident is part of an especially devastating April for DeFi. On April 1, Drift Protocol — a perpetuals protocol based on Solana — had already lost $285 million in an attack linked to actors affiliated with North Korea. These two incidents collectively represent nearly $575 million stolen in eighteen days by the same state entity, via two structurally different attack vectors, neither of which involved a smart-contract bug.
Market Reactions
DefiLlama’s figures are stark. Aave’s total value locked (TVL) dropped from $26.4 billion on April 18 to under $20 billion within hours, by the morning of Sunday, April 19. Approximately $5.4 billion in ETH and WETH left Aave in a single day. The AAVE token simultaneously lost more than 18% of its value, further deepening the confidence crisis.
On stablecoin markets, the situation reached a breaking point. Aave’s USDT and USDC pools hit 100% utilization, meaning no liquidity is currently available for withdrawals. Roughly $5.1 billion in stablecoin deposits are now subject to withdrawal constraints across the protocol. Depositors sold other assets to acquire stablecoins they then withdrew massively, exhausting reserves.
Contagion spread well beyond protocols directly exposed to rsETH. Morpho, Sky, and JupLend all recorded significant net outflows despite zero or minimal exposure to the incident. The “decentralized bank run” phenomenon affected the entire DeFi ecosystem, with a cumulative TVL loss of approximately $15 billion since the exploit, according to BeInCrypto.
Reactions on social networks were intense. One widely shared post captured the mood shift in particularly blunt terms: “DeFi is dead… ‘just use aave’ is dead,” while another asked outright: “If you’re reading this — why are you still in crypto?” These reactions, although extreme, reflect a growing frustration with an industry unable to protect its users’ funds despite years of development.
Outlook
Several resolution scenarios are currently being modeled by Aave service providers. In the first scenario, uniform loss socialization applies a 15.12% haircut across all rsETH holders, generating approximately $123.7 million in irrecoverable debt on Aave V3, concentrated at $91.8 million on Ethereum Core. In the second scenario, where losses are isolated to layer-2 (L2) rsETH holders, irrecoverable debt could reach $230.1 million.
The Arbitrum Security Council took emergency action Monday evening, freezing 30,766 ETH held on Arbitrum and transferring it to an intermediary frozen wallet that can only take further action through governance. This decision aimed to prevent the attacker from laundering the stolen funds. In response, the attacker’s wallet began transferring funds to new addresses, attempting to obscure the trail. Aave reopened WETH markets on Ethereum Core on Tuesday morning, though they remain at 100% utilization.
For investors, this incident is a reminder that high yields from decentralized lending come with underestimated systemic risks. The combination of leveraged tokens, centralized lenders, and cross-chain infrastructure creates dependency chains whose rupture can be sudden and devastating. Experts now recommend diversifying the lending protocols used and monitoring the security configurations of cross-chain bridges used by protocols where funds are deposited.
In the longer term, the KelpDAO incident could accelerate the implementation of minimal security standards for DVN configurations across the industry. LayerZero has already announced it would no longer sign or attest messages from applications running a 1-of-1 DVN configuration. This decision marks a significant shift in the approach to security for cross-chain infrastructure, potentially the beginning of an era of stricter standardization.
Sources
- DeFi is dead: crypto community scrambles after massive $292 million hack — CoinDesk
- KelpDAO/LayerZero Exploit Drains $290m, Freezes DeFi Markets — Galaxy Research
- Crypto Hacks and DeFi Runs — Bank Policy Institute
- Major DeFi Hack Becomes the Largest of 2026 Yet — TheStreet Crypto
- DeFi TVL Drops After KelpDAO Exploit — BeInCrypto

