USD
Unbacked rsETH minted in cross-chain attack triggers wider DeFi fallout
TL;DR
- KelpDAO was exploited on April 18, 2026, through its LayerZero-powered cross-chain bridge, allowing unbacked rsETH to be minted and used on Aave.
- The attacker minted 116,500 rsETH worth about $294 million and borrowed 106,467 ETH (WETH) against it.
- Aave froze rsETH markets, multiple protocols paused related bridge activity, and DeFi TVL fell sharply after the attack.
We’ve launched the all-new COIN360 Perp DEX, built for traders who move fast!
Trade 130+ assets with up to 100× leverage, enjoy instant order placement and low-slippage swaps, and earn USDC passive yield while climbing the leaderboard. Your trades deserve more than speed — they deserve mastery.
KelpDAO was exploited on April 18, 2026, in a bridge attack that allowed an attacker to mint unbacked rsETH and use it as collateral on Aave V3, creating the largest DeFi hack of 2026 and leaving Aave exposed to more than $236 million in bad debt.
KelpDAO, an Ethereum-based liquid restaking protocol with $1.57 billion in total value locked, was attacked through its LayerZero-powered cross-chain bridge, which moves rsETH across chains. Lookonchain said the attacker minted 116,500 rsETH, worth about $294 million, and immediately deposited the tokens into Aave V3 to borrow 106,467 ETH (WETH). Arkham confirmed the transaction trail and fund movements. Because the rsETH used as collateral was unbacked, the related Aave positions became effectively unliquidatable.
LayerZero said on April 20, 2026, that its DVN was hit by a “highly sophisticated attack” that was “specifically engineered to manipulate or poison downstream RPC infrastructure by compromising a quorum of the RPCs the LayerZero Labs DVN relied upon to verify transactions.” LayerZero added, “It was not done through an exploit to the protocol, DVN, key management, or other means.” Peter Chung, head of research at Presto Research, said early analysis indicated the issue may have originated in the verification layer rather than in smart contracts themselves.
KelpDAO paused the protocol within 46 minutes of the attack beginning, but the funds had already been moved. The protocol’s cross-chain footprint widened the potential blast radius because rsETH exists across more than 20 blockchains. Meir Dolev, Cyvers CTO and co-founder, said on April 19, 2026, that KelpDAO was three minutes away from losing an additional $100 million before a blacklist stopped a second attempt.
Bridge design and protocol response
Axelar Network said on April 19, 2026, that the breach was likely enabled by a single-validator configuration rather than a multi-validator setup. Katana paused its OFT path on Vaultbridge, which relied on a 2/3 DVN configuration, while bridging through Agglayer remained operational because it uses zero-knowledge proof verification rather than proof-of-authority multisigs. OneKey founder Yishi described the layered failure this way: “KelpDAO dismantled the lock on its own door, LayerZero is selling the kind of door where you can pick the lock yourself, and Aave assumed the neighbor's door was definitely locked tight.”
LayerZero Labs said preliminary indicators pointed to North Korea’s Lazarus Group, specifically the TraderTraitor subgroup, as the likely threat actor. LayerZero wrote: “On April 18, 2026, LayerZero Labs' DVN became the target of a highly sophisticated attack, likely attributable to the Lazarus Group, more specifically TraderTraitor.” US authorities had previously connected the Lazarus Group and TraderTraitor apparatus to the $1.5 billion Bybit hack in February 2025, while Chainalysis said North Korea-linked hackers stole a record $2.02 billion from crypto platforms in 2025, up 51% year over year.
Aave froze rsETH markets across V3 and V4 within hours. Aave founder Stani Kulechov wrote on April 18, 2026: “rsETH has been frozen on Aave V3 and V4, the asset does not have any borrowing power as a measure due to KelpDAO bridge exploit that happened outside of Aave. Both Aave V3 and V4 does not have further exposure to rsETH.” Aave also froze WETH reserves across Arbitrum, Base, Mantle, and Linea as a precaution. KelpDAO said it was working with LayerZero, auditors, and security experts to investigate the root cause.
Ethena said it had “no exposure to the rsETH exploit” but paused its LayerZero OFT bridges from Ethereum mainnet “out of an abundance of caution.” Lido Finance also paused related bridge activity. BitGo and BiT Global Trust took down the LayerZero OFT DVNs for Wrapped Bitcoin, with BitGo saying, “User funds remain secure and updates will be shared as more information becomes available.” Polygon said on April 19, 2026, that its chain, Agglayer, and broader ecosystem were unaffected and had safely processed over $2 trillion in transactions to date.
Tron founder Justin Sun publicly urged the attacker to negotiate. Sun wrote on April 19, 2026: “OK — Kelpdao hacker, how much you want? Let's just talk. With KelpDAO's help, of course. It's simply not worth it to sacrifice both Aave and KelpDAO and let them go down over this hack.”
Arkham showed that Sun withdrew 65,584 ETH, worth about $154 million, from Aave and deposited it into Spark. His remaining Aave exposure fell to $380 million while his Sky and Spark holdings rose to $2.13 billion.
TVL losses and token declines
Aave’s TVL fell about 18% to $17.8 billion within 24 hours and nearly 30% over seven days. At the low point, Aave’s TVL had dropped from $26.39 billion on April 18 to about $17.51 billion in under 48 hours. DeFi-wide TVL fell from $99.497 billion to $86.286 billion in less than two days, while Ethereum alone lost $10.34 billion in TVL and fell to about $46.16 billion. All top 20 DeFi chains posted net outflows, and total outflows topped $10 billion in the 24 hours after the attack.
Lookonchain said whales began selling AAVE after the exploit became public. Binance inflows rose above 236,000 AAVE, compared with a normal 31,000 average, and total exchange inflows crossed 355,000 AAVE, worth about $32 million. CryptoQuant data showed exchange reserves climbed past 180,000 tokens.
AAVE fell more than 20% in the first 24 hours and traded at about $92.06 in the immediate aftermath, while later COIN360 market data showed AAVE down about 2.5% over 24 hours and UNI and LINK each down less than 1%. LayerZero’s ZRO token fell more than 22% over 24 hours to about $1.52, down from above $2 two days earlier.
Onchain Lens data shared on X said a whale holding a ZRO long position on Hyperliquid lost $2.88 million in liquidation and was still sitting on another $750,000 in unrealized losses, for a total position loss of about 428.98 million units.
Peter Chung said the episode showed how interconnected DeFi protocols can transmit shocks beyond the initial point of failure. Ted Pillows wrote, “Every protocol is taking a hit now. Not a great 24 hours for crypto's image.”
Yishi said, “The best outcome is to negotiate with the hacker, offer a 10–15% bounty, get the bulk of it back.” He added that if talks fail, LayerZero should step in financially because it has “the deepest pockets and the most long-term skin in the game.” Yishi also said, “KelpDAO is the broke one here — either make it up with tokens + future revenue, or just package the whole project and sell it off to L0 or BMNR.” He warned, “WETH depositors absolutely cannot take a haircut,” because losses there could spread through Morpho, Spark, Fluid, and Euler. He added, “I believe Aave can weather this.”
Rate-limit proposals and April hack totals
The exploit renewed calls for built-in rate limits across bridges and lending systems. Ethena contributor Guy Young wrote: “We built a solution on top of the standard OFT to throttle cross chain transfers at $10m per hour for every DVN, in addition to the $10m per block rate limit on the mint contract. The former would have prevented Kelp, the latter Resolv.” That setup caps potential damage at $10 million per chain per hour even if a DVN is fully compromised.
Keone Hon, CEO and co-founder of Monad, argued that pooled lending protocols should use “smart caps” on how fast collateral supply can grow. He wrote on April 19, 2026: “Feels like pooled lending protocols would benefit from a rate limit on the supply of an asset being deposited for collateral. Like, if the current supply is 100m and the supply cap is 300m, the supply should only be allowed to go to 110m in the next 10 minutes. Nobody needs to…” Hon said that kind of control would have saved rsETH depositors $200 million in this case. He also pointed to the Resolv hack in March, where an attacker could mint infinite tokens but extracted only $24 million because exit pathways were constrained.
By April 20, 2026, crypto hack losses for the month had reached $606,215,950 across 12 incidents, making April the worst month for crypto exploits since February 2025, when the $1.4 billion Bybit breach pushed that month’s total to $1.466 billion. April’s total was nearly four times larger than the combined first-quarter figure of $165.5 million, made up of $100.1 million in January across 12 hacks, $24.2 million in February across 8 hacks, and $41.3 million in March across 15 hacks. KelpDAO at $292 million to $294 million and Drift Protocol at $285 million to $286 million accounted for about 95% of April’s losses and 75% of the 2026 year-to-date total of $771.8 million across 47 incidents. Monthly hack losses were up 1,368% from March, while incident frequency rose 68% year over year.
FAQ
What was exploited?
KelpDAO’s LayerZero-powered cross-chain bridge.
How were the borrowed funds obtained?
By using unbacked rsETH minted through forged cross-chain messages as Aave collateral.
Who did LayerZero say was likely behind the attack?
North Korea’s Lazarus Group, specifically the TraderTraitor subgroup.
What remains unresolved?
Whether negotiations, protocol support, or other recovery steps can restore most stolen funds.
This article has been refined and enhanced by ChatGPT.
