Kelp DAO Hack Triggers Systemic Crisis Across DeFi With $292 Million Drained

An attacker exploited a critical vulnerability in Kelp DAO’s cross-chain bridge mechanism to steal approximately $292 million in rsETH on Saturday, April 18, 2026. This operation, now the largest DeFi exploit of 2026, exposed structural flaws in blockchain bridge infrastructure and triggered a massive outflow from decentralized lending protocols. Within days, over $15 billion was withdrawn from Aave, the world’s largest DeFi lending platform, while an unprecedented coalition of seven protocols organized itself to contain the fallout.

Background

Kelp DAO is a liquid restaking protocol that allows ETH holders to deposit their tokens into the EigenLayer system to generate additional yield beyond standard Ethereum staking rewards. In return for their deposits, users receive rsETH tokens, tradable digital receipts that maintain ETH exposure while accumulating passive income through delegated validation tasks to node operators.

To ensure portability of rsETH across different blockchain networks, Kelp DAO developed a cross-chain bridge system based on LayerZero infrastructure, an inter-blockchain messaging layer widely adopted throughout the DeFi ecosystem. This mechanism works by locking tokens on an origin chain while issuing corresponding copies on the destination chain, allowing users to benefit from rsETH liquidity across multiple networks simultaneously.

This architecture, while convenient for users, creates a single point of failure: if the transfer validation mechanism is compromised, unbacked tokens can be generated and introduced into the ecosystem without any real asset supporting their value. This is precisely what happened on April 18, with consequences spreading far beyond Kelp DAO’s immediate scope.

The Facts

According to available timestamped data, the attack was executed at 17:35 UTC on Saturday, April 18, 2026. The attacker successfully manipulated LayerZero’s cross-chain messaging system by transmitting a falsified transfer instruction, giving the impression that a legitimate token transfer had been made from another blockchain. This false instruction triggered the release of 116,500 rsETH, worth approximately $292 million at market prices at the time of the incident.

This amount represents nearly 18% of rsETH’s total circulating supply, which stands at 630,000 tokens according to data tracked by CoinGecko. Kelp DAO’s bridge covering rsETH spanned more than twenty different blockchain networks, primarily layer 2 solutions built on Ethereum. As a result of the exploit, the collateral underlying rsETH on these secondary networks is now considered doubtful, with reserves having been fraudulently drained on the main chain.

The precise mechanics of the attack relied on a flaw in Kelp DAO’s cross-chain validation setup, where a single signer (1-of-1 configuration) was sufficient to approve transfers. The attacker exploited this weakness to obtain token release without any real deposit. According to technical analysis published by DeFiPrime, this configuration allowed an attacker to forge a transfer proof validated by the only authorized signer, without any actual assets being moved.

The stolen funds did not remain idle. The attacker deposited 89,567 rsETH on the Aave lending protocol as collateral, then borrowed approximately $190 million in ETH and related tokens across Aave V3 instances on Ethereum and Arbitrum. This maneuver created a bad debt problem on Aave: the deposited rsETH as collateral was no longer backed by any real asset, leaving the protocol exposed to a net loss if these positions were liquidated.

The sophistication of the operation and technical indicators identified by cybersecurity firms Cyvers and PeckShield point to the Lazarus Group, a criminal entity affiliated with the North Korean government. This group had already executed the largest hack in crypto history in February 2025, draining $1.4 billion from the Bybit exchange. Earlier in April 2026, the same group allegedly exploited the Drift protocol on Solana for $295 million.

Analysis

The incident report published jointly by Aave Labs and service provider LlamaRisk on the Aave governance forum provides detailed insight into the protocol’s exposure to the hack. According to this report, Aave’s systems functioned exactly as designed during the incident: the protocol correctly processed rsETH deposits as valid collateral and granted loans according to the risk parameters in force. The flaw did not lie in Aave’s code but in the quality of the collateral that had been provided upstream through the Kelp DAO hack.

The report documents two potential loss scenarios for Aave. In the optimistic scenario, if the collateral deficit is distributed across all rsETH holders across all markets, the loss borne by Aave would be around $123 million. In the pessimistic scenario, if the deficit remains confined to positions hosted on layer 2 solutions, the loss could reach $230 million, depending on Kelp DAO’s choices regarding collateral shortfall allocation and the resolution mechanisms adopted by the protocol’s governance.

This case illustrates the systemic fragility inherent in the interconnected architecture of decentralized finance in a particularly visible way. Users who had never interacted directly with Kelp DAO found themselves affected by the crisis because they held rsETH as collateral on Aave or other lending platforms. Contagion risk crosses ecosystem layers without end users having full awareness of their exposure to third-party protocols.

Beyond Aave, several other protocols were forced to react urgently. Compound launched four successive governance proposals to adjust risk parameters on affected markets and enable the progressive resumption of suspended activities. Fluid suspended all markets with rsETH exposure, while declaring it had no material exposure to infected L2 positions, with no new borrowing operations against rsETH initiated after the exploit was revealed.

Market Reactions

In the hours following the public revelation of the exploit, DeFi depositors adopted an exit flight behavior. According to data compiled by AMBCrypto, Aave recorded withdrawals exceeding $15 billion, causing a 37% drop in its total deposits, which fell from $46 billion to $28.6 billion in just a few days. This capital hemorrhage constitutes the largest outflow movement in the protocol’s history, far surpassing tension episodes observed during previous sectoral crises.

The total value locked on Aave, the key indicator of a DeFi protocol’s health measuring all assets deposited, plummeted by more than a third to $17.5 billion. Depositors withdrew their funds en masse for fear of being exposed to direct losses if collateral contaminated by stolen rsETH ultimately generated deficits on non-involved lenders’ positions.

On secondary markets, the rsETH price collapsed upon the incident’s revelation, with the ETH parity under severe pressure as investors attempted to exit their positions. Automated lending protocols triggered rsETH position freezes to prevent a vicious cascade liquidation from initiating, which would have worsened losses for all remaining holders.

Perspectives

Faced with the scale of the crisis, seven major DeFi protocols unprecedentedly decided to coordinate their response to contain the damage. This coalition, known as DeFi United, managed to gather approximately 69,534 ETH, worth about $161 million at current market prices. Contributors include Aave, Lido, EtherFi, Mantle and several other key ecosystem actors. Aave proposed to contribute 25,000 ETH to this collective effort, demonstrating the ecosystem’s commitment to resolving the crisis before it spreads further to other protocols.

This inter-protocol coordination represents a first in the history of decentralized finance. Usually competing for the same capital and users, DeFi protocols this time set their rivalries aside to respond to a systemic threat. The recovery fund aims to restore rsETH backing and enable holders to recover part of their stake, but allocation details remain under negotiation at the governance level.

Andrew Moss, research analyst at U.S. investment bank Jefferies, said this incident would force Wall Street institutional players to pause their expansion plans in the tokenization sector. Since 2024, the real-world asset tokenization market has grown dramatically, rising from $5 billion to $30 billion, multiplying its size sixfold in two years. However, recurring security flaws in underlying DeFi protocols could slow this momentum by reviving reservations among traditional players who hesitate to entrust significant capital to infrastructure still considered experimental.

In the medium term, the question of cross-chain bridge security becomes urgent. Statistics compiled by DefiLlama reveal that over $620 million was stolen in crypto security incidents in just twenty days in April 2026, making that month the worst for sector security since the Bybit hack in February 2025. Bridges, essential links in the DeFi ecosystem but often under-audited, remain the most evident weak link in decentralized finance. Without a overhaul of audit and security practices around cross-chain infrastructure, similar incidents could recur.

The implications for the entire DeFi ecosystem extend far beyond the Kelp DAO case. The restaking concept, which allows reinvestment of already-staked ETH to obtain additional yields via EigenLayer, has experienced exponential growth in recent months. This rapid expansion has nonetheless created a considerable attack surface, as restaking protocols entirely depend on the security of underlying validation mechanisms, particularly the cross-chain bridges enabling inter-network liquidity.

The question of DeFi protocol governance in crisis situations is also raised by this incident. Response delays from different protocols, emergency proposal voting processes, and coordination between historical competitors constitute organizational challenges that had never been truly tested at this scale. The speed with which DeFi United formed, with 69,534 ETH in a few days, demonstrates the ecosystem’s ability to mobilize nonetheless, but also reveals the absence of formalized systemic crisis response mechanisms.

Sources

• 2026’s biggest crypto exploit: $292 million gets drained from Kelp DAO — CoinDesk
• Aave could face up to $230m in losses after Kelp DAO bridge exploit — CoinDesk
• Kelp DAO Bridge Exploit Drains $292 Million in rsETH — Yahoo Finance
• Crypto hack sparks $9 billion outflows from biggest DeFi lender — Bloomberg
• Aave outflows hit $15B as DeFi risks test Wall Street confidence — AMBCrypto
• DeFi United: Seven Protocols Coordinating DeFi’s Largest Bailout — Phemex Academy
• The KelpDAO rsETH Exploit: $292M Minted From a 1-of-1 Bridge — DeFiPrime

On the regulatory front, this exploit could accelerate attention from authorities on restaking protocols and cross-chain bridges. The Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) in the United States, as well as the European Securities and Markets Authority (ESMA) in Europe, have been closely monitoring DeFi evolution for several years. An incident of this magnitude could trigger disproportionate regulatory reactions, affecting the entire sector if legislators choose to respond with restrictions rather than adapted frameworks.