On April 18, 2026, at 03:41 UTC, attackers drained 116,500 rsETH worth $292 million from Kelp DAO by exploiting a vulnerability in its LayerZero-powered cross-chain bridge. No warning, no announcement. Just an on-chain movement that looked routine until it wasn't. Within 48 hours, Aave lost $8.45 billion in total deposits, and the broader DeFi ecosystem shed over $13 billion. This is the largest DeFi exploit of 2026.
Security Incident Report
Protocol
Kelp DAO (rsETH Bridge)
Amount Stolen
$292 million (116,500 rsETH)
Chains
Ethereum mainnet + 20+ L2s (Base, Arbitrum, Linea, Blast, Mantle, Scroll)
Date
April 18, 2026 · 03:41 UTC
Attack Vector
Vulnerability in the cross-chain bridge built on LayerZero, which managed the rsETH reserve across 20+ blockchains. The attacker exploited the flaw to transfer 116,500 rsETH from the bridge reserve. They then deposited 89,567 rsETH on Aave as collateral and borrowed $190.86 million in wrapped Ether while Aave's oracle still priced rsETH at the pre-exploit rate.
Protocol Response
Kelp DAO suspended rsETH contracts on mainnet and L2s after detecting suspicious activity. Aave froze rsETH markets to block new deposits and borrowing against that collateral. Kelp DAO official statement posted on X at 06:00 UTC on April 18, 2026.
Sources: PeckShield · CertiK · CoinDesk · Cybernews · Bank Policy Institute · April 18 — 20, 2026
Sources: PeckShield · CertiK · CoinDesk · Cybernews · Bank Policy Institute · April 18, 20, 2026
How the Aave Oracle Manipulation Multiplied the Damage
The direct loss from the LayerZero bridge exploit was $292 million. What Aave's oracle flaw added turned a bad hack into a systemic event. The attacker deposited 89,567 rsETH on Aave as collateral right after the exploit. Aave's price oracle doesn't verify the provenance of deposited assets. It only checks the market value at the moment of deposit.
At 03:41 UTC, rsETH still carried its pre-exploit price. The attacker borrowed $190.86 million in wrapped Ether against collateral the market was about to reprice to near zero. By the time Aave froze its rsETH markets, $190 million in real Ether had already left the protocol. That's the gap between a bridge vulnerability and a protocol-level cascade.
According to CoinDesk, Aave lost $8.45 billion in total deposits over the 48 hours that followed, falling from $26.35 billion to $17.9 billion. More than $13 billion exited the broader DeFi ecosystem in reaction. Aave founder Stani Kulechov stated on X that Aave's own contracts had not been breached: the problem was in the asset accepted as collateral. An important technical distinction. It didn't stop the outflows.
Kelp DAO isn't the first liquid staking protocol to fall through a comparable vector. As reported by Elliptic, Drift Protocol suffered a $286 million attack in March 2026 on Solana, with suspected involvement of North Korea-linked groups. Two separate events, two different vectors, one week apart. By April 20, 2026, per CoinDesk figures, total DeFi losses in 2026 had already exceeded $775 million.
What Changes Now for Institutional DeFi
Functionally, according to CoinDesk, Apollo Global Management and BlackRock have not altered their onchain finance expansion plans following the exploit. The institutional read is pragmatic: the issue isn't DeFi itself, but the current state of its defenses.
“Every layer of the DeFi stack must make security the absolute priority,” an analyst told CoinDesk on May 2, 2026. “Even more so in the AI era, which makes certain attack vectors far faster to construct.”
PeckShield traced the stolen funds to addresses linked to Tornado Cash within hours of the attack. According to PeckShield's on-chain analysis, $180 million was already in the mixing process by 08:00 UTC on April 18. Recovery prospects are close to zero.
Three developments to watch in the coming weeks: the industry debate around mandatory multi-source validation for price oracles in major protocols; Kelp DAO's proposal for a compensation fund for affected users; and the ECB's formal position, which on May 2 cited this exploit as grounds for prudential supervision of DeFi assets under the MiCA 2026 review. ECB President Christine Lagarde invoked systemic stability. This time, with real numbers behind the argument.
