A hacker struck Kelp DAO’s cross-chain bridge on April 18, 2026, at 17:35 UTC. Nearly 116,500 rsETH—worth about $290 million—vanished in one transaction. This restaking token, meant to let users earn yields across chains, became the biggest DeFi exploit of the year. Surpassing even Drift Protocol’s $285 million loss earlier that month.
The attack exploited LayerZero’s Omnichain Fungible Token adapter. Attackers poisoned RPC nodes. They forged a message pretending to originate from Unichain, Uniswap’s Layer 2. Kelp DAO’s single-verifier setup—LayerZero Labs as the sole Decentralized Verifier Network—proved fatal. A DDoS on honest nodes forced failover to the tainted ones. No keys stolen. No protocol bug. Just clever infrastructure sabotage, Galaxy Research reports.
rsETH holders on 20 Ethereum Layer 2s watched their tokens turn unbacked. About 18% of circulating supply drained. Kelp paused contracts 46 minutes later, blocking two more grabs worth $100 million. But damage spread fast.
The thief didn’t dump. Smart. They pledged $200 million rsETH as collateral on Aave V3. Borrowed $236 million in WETH and wstETH across Ethereum and Arbitrum. High loan-to-value ratios—93% on Aave—amplified the hit. Positions now underwater. Unliquidatable bad debt: $124 million if spread evenly, up to $230 million isolated to L2s, per Aave’s LlamaRisk analysis.
Aave reacted. Emergency Guardian froze rsETH, wrsETH, and WETH markets everywhere. WETH utilization spiked to 100%. No withdrawals possible. Depositors panicked. $9 billion fled the top DeFi lender. Total value locked plunged from $26.4 billion to $17.9 billion. DeFi TVL overall shed $15 billion, Bloomberg details.
Justin Sun alone yanked 65,584 ETH, $154 million. Interest rates soared to 15%. Looping trades—leveraged positions piling yields—unraveled. “A lot of the looping blew up,” says Nico Lai, Morpho trader known as @nicoypei. “They want to get out or unwind their position… But the problem is that they can’t right now,” he told The Information.
Borrowers trapped. Lenders stuck. “Basically, lenders are stuck in these loan positions where they can’t call back any of their principal value or withdraw liquidity,” warns @0xMether. Aave lost its top TVL spot. Contagion hit SparkLend, Fluid, Upshift, Compound, Euler—all froze rsETH. Lido paused earnETH deposits. Ethena halted LayerZero bridges. Pendle, Yearn, Beefy followed suit.
And the attacker? Cashed out to 75,700 ETH on Ethereum, 30,765 on Arbitrum. Arbitrum’s council seized the latter—$71 million frozen via governance upgrade. North Korea’s Lazarus Group, TraderTraitor subunit, suspected. Same crew behind Drift, per LayerZero’s post-mortem.
Recovery brews. Aave’s $181 million treasury stands ready. Umbrella safety module holds $54 million, Ethereum-only. Ether.fi proposes 5,000 ETH for a relief fund. Lido, Ether.fi organizing. Kelp consulting lawyers on liability. LayerZero bans 1-of-1 verifiers now.
But questions linger. Why such high LTV on rsETH? Bridges remain DeFi’s weak link. Shared liquidity pools invite runs. Isolation modes, like Morpho’s, contained some damage. Still, $575 million stolen in 18 days. State actors accelerating with AI.
Aave channels partially thawed. Ethereum Core V3 WETH reopened at 0% LTV. Borrow rates cut on L2s. Health factors hover near 1.0 for big positions—$254 million, $169 million, $136 million debts at risk. One slip, liquidation cascade.
“When the biggest protocol is under duress, everyone is under duress,” says Inky Maze, @inkymaze. DeFi’s promise of frictionless money meets reality. Interoperability breeds contagion. Users fled to safer havens. TVL contraction signals caution.
BlockFills’ earlier bankruptcy—$100-500 million liabilities—foreshadowed lender woes. But Aave endures. Governance debates rage. Bad debt socialization or targeted hits? Ecosystem commits could cap losses at 60% covered.
Hacks evolve. RPC poisoning. Social engineering. No more simple bugs. Protocols tighten multisigs, verifiers, oracles. Yet trust in code collides with human ops. DeFi TVL dipped below $90 billion. Recovery hinges on coordination.
Short term: standstill. Long term: hardening. Aave users wait. Hackers launder. Markets watch.
WebProNews is an iEntry Publication