April 18, 2026 will be remembered as one of the darkest days in DeFi history. An unknown attacker exploited a vulnerability in Kelp DAO's LayerZero-based cross-chain bridge, stealing approximately 116,500 rsETH — worth nearly $292 million at the time of the attack. It is officially the largest DeFi exploit of 2026, surpassing the Drift Protocol incident by a narrow margin.
The alert spread rapidly after on-chain investigator ZachXBT flagged the breach on Telegram, identifying six wallets linked to the attacker — all pre-funded through Tornado Cash hours before the drain. A deliberate, precisely planned operation.
How the Attack Unfolded
Everything traces back to a single technical detail with catastrophic consequences. The attacker manipulated the cross-chain messaging layer of LayerZero — the system that validates instructions between blockchains — tricking Kelp DAO's bridge into believing it was receiving a legitimate instruction from another network.
At 17:35 UTC on April 18, the attacker's wallet called the lzReceive function on LayerZero's EndpointV2 contract. That single call convinced Kelp's system to release 116,500 rsETH directly to an attacker-controlled address. The stolen amount represents roughly 18% of rsETH's circulating supply (630,000 total tokens, according to CoinGecko).
Kelp's security team responded 46 minutes later, executing an emergency pauseAll via the protocol's multisig. Two subsequent attempts by the attacker — at 18:26 and 18:28 UTC — were blocked by the paused contract, preventing an additional drain of approximately $100 million.
Without that rapid response, total losses could have approached $391 million.
The Contagion: Aave and DeFi Composability
The theft was only the first half of the problem. The second played out on Aave V3, where the attacker deposited the stolen rsETH — now unbacked — as collateral, borrowing large quantities of WETH. The result: an estimated $177–236 million in bad debt left on the lending sector's largest protocol.
This illustrates in brutal terms the risk embedded in DeFi composability: tokens issued by one protocol are instantly accepted as collateral on others. When a token loses its real backing, contagion is immediate — no governance vote, no committee, no waiting period.
Protocols affected by the chain reaction:
- Aave V3 and V4 — rsETH markets frozen; Stani Kulechov (@StaniKulechov) confirmed Aave contracts were not compromised and the issue is limited exclusively to rsETH
- SparkLend — rsETH markets suspended, zero direct exposure
- Fluid — same measures as Spark
- Lido Finance — earnETH deposits suspended due to rsETH exposure; stETH and wstETH unaffected
- Ethena — precautionary pause on LayerZero bridges from Ethereum mainnet, despite no rsETH exposure and collateralization above 101%
- Upshift — deposits and withdrawals suspended on High Growth ETH and Kelp Gain vaults
Market Impact: AAVE, ETH, and rsETH Sell-Off
Market reaction was immediate and severe:
- AAVE dropped approximately 10% within hours
- ETH fell around 3%
- stETH and wstETH recorded losses close to 4%
- rsETH lost its peg, falling near $2,500, with significant uncertainty over protocol stability
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
— Kelp (@KelpDAO) April 18, 2026
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you…
What Is Kelp DAO and Why Does It Matter
Kelp DAO is an Ethereum liquid restaking protocol. Users deposit ETH or liquid staking tokens (such as stETH or cbETH) and receive rsETH in return — a token that accumulates rewards from multiple staking layers via EigenLayer. With a TVL of approximately $1.07 billion, Kelp is the second-largest player in the EigenLayer ecosystem.
rsETH is distributed across more than 20 blockchains: Arbitrum, Base, Linea, Blast, Mantle, Scroll and others, via LayerZero's OFT standard. The drained bridge was the central reserve backing wrapped tokens across all these L2s. With that reserve wiped out, rsETH holders on secondary chains now face deep uncertainty: their token may no longer have any underlying collateral.
For a deeper look at how LayerZero's cross-chain messaging works, read: Cardano Integrates LayerZero and Targets DeFi
A Brutal April for DeFi: The 2026 Hack Timeline
This exploit did not arrive in isolation. On April 1, 2026, the Drift protocol on Solana suffered a $285 million attack, subsequently linked to North Korean actors. In the weeks that followed, at least a dozen smaller protocols were hit: CoW Swap, Zerion, Rhea Finance, Silo Finance.
The 2026 attack timeline alone is beginning to read like a casualty list:
- April 1 — Drift Protocol (Solana): ~$285M
- Mid-April — CoW Swap, Zerion, Rhea Finance, Silo Finance
- April 18 — Kelp DAO: $292M ← 2026 record
Total DeFi exploits in just three weeks now exceed one billion dollars.
Follow all crypto hack coverage on SpazioCrypto's dedicated hack section.
What Happens Next: Open Questions for DeFi
Kelp DAO has stated it is working with LayerZero, Unichain, its auditors and leading security experts to conduct a root cause analysis (RCA). Co-founder Amitej Gajjala has not yet released statements beyond the official communication.
Key open questions remain:
- Is any fund recovery possible?
- Can Aave absorb the bad debt without impacting depositors?
- Will rsETH on L2s recover its peg, or will holders face permanent losses?
On the structural level, this incident reopens the debate on the safety of liquid restaking tokens as lending collateral. The fact that rsETH was whitelisted on Aave, Compound and Euler presupposed that the token remained fully backed. That assumption has been shattered — and every lending protocol must now reassess its risk parameters for restaked assets.
To understand how to protect yourself in this ecosystem, our Web3 Guide is the best starting point.
DeFi's power comes precisely from its composability. But composability, when a single piece fails, turns every connected protocol into a domino. The Kelp DAO case has demonstrated that in the most expensive way possible.
