KelpDAO’s $293M Bridge Hack Left Aave Holding the Bag
How attackers forged a LayerZero message to drain KelpDAO’s rsETH bridge in 46 minutes, deposited unbacked tokens into Aave as collateral, borrowed $293M in real WETH — and left Aave with $196M in bad debt, a $13B TVL wipeout, and a governance crisis it is still fighting through today.
On the afternoon of Saturday, April 18, 2026, a single wallet — funded through Tornado Cash to obscure its origins — quietly positioned itself at the threshold of Kelp DAO’s cross-chain bridge. What followed in the next 46 minutes rewrote the record books for DeFi exploits, drained nearly a fifth of an entire liquid restaking token’s circulating supply, and left the largest lending protocol in decentralized finance grappling with close to $200 million in irrecoverable bad debt.
The attack on Kelp DAO is not simply the year’s biggest hack by dollar value. It is a masterclass in how interconnected DeFi infrastructure transforms a single vulnerability into a multi-protocol catastrophe — and a sobering reminder that the composability that makes DeFi powerful is also what makes it catastrophically fragile.
Understanding the Target: Kelp DAO and rsETH
To understand what happened, it helps to understand what Kelp DAO actually is. Kelp is a liquid restaking protocol operating under the KernelDAO umbrella. Users deposit established, already-staked Ether derivatives — tokens like stETH or cbETH — into Kelp’s adapter contracts. In return, they receive rsETH, a “receipt” token that earns staking and restaking yield through EigenLayer while remaining liquid and tradeable.
That liquidity is the key. Because rsETH represents real, yield-bearing ETH, it was accepted as collateral by nearly every major DeFi lending protocol, including Aave, SparkLend, Compound, and Euler. Billions of dollars in DeFi value rested on the implicit assumption that rsETH was, and would remain, fully backed by real assets.
To operate across Ethereum’s ever-expanding ecosystem of Layer 2 networks, Kelp relied on a LayerZero-powered Omnichain Fungible Token bridge — a cross-chain messaging system designed to confirm and relay valid transfer instructions between networks. This bridge held reserves backing rsETH across more than 20 separate blockchain networks. It was the protocol’s connective tissue. It was also its most exposed attack surface.
The Attack: A Forged Message, a Minted Fortune
Phase I — Spoofing the Bridge
Blockchain investigators, including the on-chain sleuth ZachXBT who first publicly flagged the outflow at approximately 14:52 New York time, quickly established the mechanics. The attacker did not steal private keys. They did not drain a smart contract through a reentrancy flaw. Instead, they exploited a critical vulnerability in rsETH’s bridge minting logic — specifically in the LayerZero Omnichain Fungible Token contract — by feeding the bridge a forged cross-chain instruction.
The message appeared to the bridge as a valid, legitimate transfer request arriving from another chain. The bridge’s validation layer — the system designed to confirm that a matching inbound transfer existed to anchor any mint — was fooled. It released 116,500 rsETH, worth approximately $292–$294 million at prevailing prices, to an address controlled by the attacker. No corresponding collateral existed. The tokens were, in effect, printed from nothing.
Phase II — Weaponizing DeFi’s Composability
The second phase of the attack was arguably more damaging than the first. The stolen rsETH did not simply sit idle in the attacker’s wallet. Having minted 116,500 tokens backed by nothing, the attacker turned immediately to DeFi’s lending markets — the very infrastructure that had accepted rsETH as a trusted collateral asset.
The attacker deposited the drained rsETH into Aave V3 as collateral and borrowed substantial volumes of Wrapped Ether against it. The same playbook was executed across Compound V3 and Euler. By the time Kelp’s emergency pause function fired — 46 minutes after the first successful drain — the attacker had already built more than $236 million in debt positions. On-chain data shows the attacker consolidated around 74,000 ETH post-exploit, extracting over $280 million in actual borrowed value.
Because the rsETH collateral backing those loans was no longer worth anything — the tokens were unbacked fabrications — the resulting debt positions are effectively unliquidatable. No liquidation bot can clear a position where the collateral has no real value. The bad debt simply sits on the protocol’s books, a permanent liability.
In DeFi lending, liquidations work by allowing third-party bots to repay an undercollateralized loan in exchange for seizing the collateral at a discount. This mechanism only functions if the collateral has genuine market value. Because the rsETH deposited as collateral by the attacker was minted without real backing, it now trades at a severe discount to its supposed peg — meaning liquidators would seize worthless tokens. Aave’s WETH reserve is now carrying approximately $196 million in debt it cannot recover through any standard mechanism.
Aave: Collateral Damage at the Largest Lender in DeFi
Aave did nothing wrong in a narrow technical sense. Its smart contracts were not compromised. Its own code did not fail. Aave’s founder Stani Kulechov was quick to clarify this on X, noting the exploit was entirely external and that Aave’s protocol had not been breached. But that distinction — sound code, catastrophic exposure — is precisely what makes the Kelp incident so instructive about the systemic risks embedded in modern DeFi.
Aave is the largest lending protocol in the ecosystem by total value locked, with over $26 billion deposited as of April 18. Ethereum alone holds $14.24 billion of the $17.82 billion in outstanding borrows across Aave’s 22-chain lending book. WETH — the exact asset the attacker borrowed — constitutes 39.49% of all loans on the protocol. The attack landed on the precise collateral-to-WETH pair that dominates Aave’s entire book.
The consequences were immediate and severe. Aave’s total value locked collapsed from $26.4 billion on April 18 to nearly $20 billion by Sunday morning — a $6.6 billion drop in under 24 hours, as depositors rushed to withdraw and the market priced in potential bad debt. The AAVE governance token fell approximately 16% over the same period.
Aave froze rsETH markets on both V3 and V4 within hours of the exploit. Initially, the protocol stated that its “Umbrella” reserve — a dedicated safety module designed to backstop bad debt scenarios — would cover any deficit. By Saturday evening, that language had softened considerably, with the team acknowledging they would “explore paths to offset the deficit.” The Umbrella reserve may not be large enough to cover the full $196 million shortfall, raising the prospect that staked AAVE token holders — who bear losses as a last resort — could face dilution.
Contagion Across the Ecosystem
The freeze cascade extended far beyond Aave. SparkLend halted its rsETH markets. Fluid froze rsETH collateral positions. Lido Finance paused further deposits into its earnETH product, which carries rsETH exposure, while carefully clarifying that its core stETH and wstETH products were entirely unaffected. Ethena, despite having no rsETH exposure, temporarily paused its own LayerZero OFT bridges as a precaution while the root cause was being identified — a bridge pause lasting roughly six hours.
The broader market impact was swift. Staked ETH derivatives stETH and wstETH fell approximately 4% as investors processed the news. rsETH itself broke sharply from its ETH peg as holders on more than 20 Layer 2 networks faced the prospect that the token’s reserve backing may have been permanently impaired. The question of whether rsETH holders on non-Ethereum networks can be made whole remains, as of publication, entirely unresolved.
The Broader Context: A DeFi Sector Under Siege
The KelpDAO exploit did not occur in isolation. It is the headline event in what security researchers are increasingly describing as a structural shift in how DeFi is being attacked. The Kelp incident cements 2026 as the worst year on record for DeFi security by cumulative losses. By mid-April, total losses across the sector had crossed $482 million, spread over approximately 45 protocols — and this was before the KelpDAO drain was added to the tally.
The prior record holder for 2026’s largest exploit was the Drift Protocol attack on April 1, which cost the Solana-based perpetual futures exchange $285 million. In that case, attackers used social engineering to manipulate Security Council members into pre-signing transactions using Solana’s durable nonces feature — gaining administrative control and withdrawing real USDC and SOL within 12 minutes. Authorities later linked the attack to North Korea-affiliated actors.
Other notable incidents from the same 20-day period include: a domain hijacking attack on DEX aggregator CoW Swap ($1.2 million, April 14), a flash loan manipulation on Binance Smart Chain ($1.6 million), an oracle misconfiguration exploit targeting Silo Finance ($392,000, April 3), and a smart contract bug in bridge aggregator Dango ($410,000). Security firm Cyvers confirmed the Kelp attacker’s initial wallet was funded through Tornado Cash, the on-chain coin mixer, to cover gas fees and obscure origins.
What the incidents collectively illustrate is a profound evolution in attack vectors. Pure smart contract code exploits — the reentrancy bugs and integer overflow vulnerabilities of earlier DeFi eras — are no longer the dominant threat. Infrastructure-level attacks, including private key compromise, social engineering, compromised frontends, and cross-chain bridge manipulation, accounted for approximately 76% of losses in early 2026. AI-assisted phishing campaigns have reportedly scaled by an estimated 500% compared to the same period in 2025.
What This Means for Restaking and the Future of DeFi Collateral
The Kelp incident forces a reckoning with one of the most consequential decisions lending protocols made over the past two years: the wholesale acceptance of liquid restaking tokens as blue-chip collateral. rsETH, along with tokens from Ether.fi, Renzo, and Puffer, flooded into DeFi’s collateral frameworks because they represented real, yield-generating ETH — and because the restaking sector was growing at extraordinary speed, with EigenLayer attracting billions in deposits.
The implicit assumption in every risk model that whitelisted these tokens was that the peg would hold. That the backing would remain intact. That there would be no bridge failure, no minting exploit, no sudden decoupling between the receipt token and the real assets it was supposed to represent. The KelpDAO incident has now demonstrated that this assumption was not merely optimistic — it was catastrophically fragile, and it was exposed not by some exotic new vulnerability but by a forged message on a cross-chain bridge.
Cyvers CEO Deddy Lavid summarized the structural exposure bluntly: the incident shows the risks of composability in DeFi, where protocols are deeply connected. When a token’s backing collapses on one part of the infrastructure, every protocol that accepted it as collateral absorbs the impact — whether or not their own code was sound.
The immediate aftermath will likely include substantially tighter risk parameters for liquid restaking token collateral across major lending platforms, accelerated bridge security audits across the LRT ecosystem, and a broader industry debate about whether restaked Ether of any variety should be classified as equivalent to ETH itself for collateral purposes. KelpDAO has indicated it is working with LayerZero, its auditors, and external security researchers on a root cause analysis. As of publication, the exact mechanism by which the bridge’s validation logic was bypassed has not been publicly disclosed.
What Happens Next
For rsETH holders, the central question is redemption. With 116,500 tokens — 18% of total circulating supply — now unbacked, and with reserves previously held by the bridge now gone, the protocol faces a fundamental solvency challenge on its Layer 2 deployments. KelpDAO has deployed a temporary v2 pool for affected holders, though the economics of any recovery plan remain unclear.
For Aave, the path forward hinges on whether the Umbrella reserve can absorb the shortfall, whether the DAO votes to use treasury resources to offset remaining bad debt, or whether staked AAVE holders face dilution. The $6.6 billion TVL collapse may prove transitory if the protocol’s response is decisive; a prolonged period of uncertainty would be more damaging.
For the DeFi ecosystem broadly, the KelpDAO hack will be studied for years — not as an anomaly, but as a case study in how the sector’s greatest strength, the open, permissionless composability that allows protocols to build on each other, is also its deepest structural vulnerability. Until cross-chain bridges can be made reliably trustless, and until collateral risk frameworks account for the possibility that a token’s backing can evaporate in under an hour, no risk model in DeFi is complete.
Update: April 20, 2026
Lazarus Group Attribution — North Korea Linked to the Attack
In the most significant development since the initial drain, LayerZero published a detailed post-mortem on April 20 that put both the technical blame and the threat attribution on the record. LayerZero concluded the exploit stemmed entirely from Kelp’s own security choices — specifically its decision to run a 1-of-1 verifier configuration on its LayerZero bridge, meaning LayerZero Labs was the sole entity responsible for verifying cross-chain messages to and from the rsETH bridge. LayerZero’s public integration documentation and direct communications to Kelp had explicitly recommended a multi-verifier setup with redundancy, requiring consensus across several independent verifiers to confirm any message. Kelp did not implement this recommendation.
The mechanics of the attack, as LayerZero’s traffic logs now reveal, involved compromising two RPC nodes and deploying a distributed denial-of-service attack between 10:20 a.m. and 11:40 a.m. Pacific Time on Saturday. The DDoS forced a failover in the bridge’s infrastructure. Once that failover triggered, the compromised nodes told the sole verifier that a valid cross-chain message had arrived — and Kelp’s bridge released the 116,500 rsETH. The malicious node software then self-destructed, wiping binaries and local logs to complicate forensic analysis. LayerZero has stated it will no longer sign messages for any project still running a 1-of-1 verifier configuration.
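The difference between a 1-of-1 and a multi-verifier configuration, as an added example that is not from the article, LayerZero or Kelp: a simplified Python model in which each verifier can confirm a message only from its own RPC view. The class names, message encoding and sample data are assumptions constructed for illustration, and the model goes one step beyond the text by including a quorum whose verifiers share a single data source.

```python
import hashlib
from dataclasses import dataclass


def msg_digest(src_chain: str, nonce: int, recipient: str, amount: int) -> str:
    """Digest of a mint instruction (constructed encoding, not a real wire format)."""
    return hashlib.sha256(f"{src_chain}|{nonce}|{recipient}|{amount}".encode()).hexdigest()


@dataclass(frozen=True)
class Verifier:
    name: str
    rpc_view: frozenset  # digests this verifier's RPC endpoint reports as sent

    def attest(self, digest: str) -> bool:
        # A verifier can only confirm what its own RPC endpoint tells it.
        return digest in self.rpc_view


@dataclass(frozen=True)
class BridgeConfig:
    verifiers: tuple
    threshold: int  # confirmations required before minting

    def __post_init__(self):
        names = [v.name for v in self.verifiers]
        if len(set(names)) != len(names):
            raise ValueError("each verifier may be listed only once")
        if not 1 <= self.threshold <= len(names):
            raise ValueError("threshold must be between 1 and the verifier count")


def should_mint(cfg: BridgeConfig, digest: str) -> bool:
    """Mint only if at least `threshold` distinct verifiers confirm the message."""
    confirmations = {v.name for v in cfg.verifiers if v.attest(digest)}
    return len(confirmations) >= cfg.threshold


# Constructed sample data: one genuine transfer and one message never sent.
GENUINE = msg_digest("source-chain", 41, "0xUSER", 5)
FORGED = msg_digest("source-chain", 42, "0xUNKNOWN", 116_500)
HONEST_RPC = frozenset({GENUINE})
POISONED_RPC = frozenset({GENUINE, FORGED})  # endpoint that reports the forged message

ONE_OF_ONE = BridgeConfig((Verifier("v1", POISONED_RPC),), threshold=1)
TWO_OF_THREE = BridgeConfig(
    (Verifier("v1", POISONED_RPC), Verifier("v2", HONEST_RPC), Verifier("v3", HONEST_RPC)),
    threshold=2,
)
# Quorum on paper, but two verifiers read the same poisoned endpoint.
SHARED_RPC = BridgeConfig(
    (Verifier("v1", POISONED_RPC), Verifier("v2", POISONED_RPC), Verifier("v3", HONEST_RPC)),
    threshold=2,
)


def evaluate() -> dict:
    configs = {"1-of-1": ONE_OF_ONE, "2-of-3": TWO_OF_THREE, "2-of-3 shared RPC": SHARED_RPC}
    return {name: (should_mint(c, GENUINE), should_mint(c, FORGED)) for name, c in configs.items()}


if __name__ == "__main__":
    for name, (genuine_ok, forged_ok) in evaluate().items():
        print(f"{name:18} genuine={genuine_ok} forged={forged_ok}")
```

Each result pair is (genuine accepted, forged accepted). The shared-RPC case shows that a threshold only adds protection when the verifiers' data sources are independent.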
LayerZero’s post-mortem preliminarily attributes the attack to North Korea’s Lazarus Group — the same state-sponsored unit linked to the Drift Protocol exploit on April 1. If confirmed, Lazarus will have drained more than $575 million from DeFi in 18 days through two structurally different attack vectors: social engineering governance signers at Drift, and poisoning infrastructure RPCs at Kelp. The group appears to be adapting its playbook faster than DeFi protocols are hardening their defenses.
Aave’s Liquidity Crisis Deepens
What began as a bad debt problem has compounded into a full liquidity crisis. In the 48 hours following the exploit, Aave suffered $8.45 billion in total deposit outflows, driving the broader DeFi ecosystem’s total value locked down by $13.21 billion. The panic was not limited to rsETH holders — whales with unrelated positions fled the protocol en masse, pushing Aave’s ETH and WETH pools to 100% utilization.
When a lending pool reaches 100% utilization, withdrawals stop working. Every dollar deposited is already borrowed, leaving no idle liquidity for suppliers to redeem against. Depositors with USDT, USDC, and WETH positions found themselves trapped — unable to exit even though their assets had no direct rsETH exposure whatsoever. In a desperate secondary market response, some stranded users borrowed against their own locked stablecoin deposits at steep losses, accepting roughly 75 cents on the dollar just to extract any liquidity at all. Analysts at Spark estimated this dynamic drove a $300 million borrowing spike in USDT-collateralized positions in a single day.
A post on the Aave governance forum by a community member captured the mounting urgency around one underappreciated dimension: the bad debt is denominated in ETH, not dollars. The attacker borrowed approximately 126,000 ETH using the stolen rsETH as collateral. That debt is fixed in ETH terms. Aave’s Umbrella backstop and treasury reserves, however, are denominated in stablecoins. Every hour ETH price appreciates, the real cost of the shortfall grows — making speed of governance response a direct financial variable.
The Umbrella Gap and Governance Response
Aave’s Umbrella safety module — an automated backstop funded by protocol revenue and staked deposits — was designed for exactly this scenario. The mechanism allows staked aTokens to be slashed and burned to offset confirmed bad debt without requiring a governance vote, providing automated coverage. The problem is scale: as of mid-April 2026, the Umbrella reserve held an estimated $80–$100 million in assets, against a bad debt exposure of $196 million. The shortfall of roughly $96–$116 million cannot be covered automatically and will require explicit governance decisions.
The recovery waterfall, as described by The Defiant, runs in the following order: aWETH Umbrella stakers absorb the first slice via automatic slashing; WETH suppliers take a pro-rata haircut on remaining deposits; stkAAVE holders face potential governance-activated slashing for the next tranche; and finally the DAO treasury could fund a broader repayment proposal. None of these outcomes are comfortable. A governance proposal to slash a percentage of staked AAVE is being actively discussed, and stkAAVE holders are already pricing that risk.
On the governance front, the Aave Chan Initiative moved swiftly, announcing it was ending its Frontier staking program immediately in response to the wETH shortfall risk. Aave V4’s Security Council separately disabled supply and borrow on both the Core Hub and the Kelp E-Spoke, while a Risk Stewards proposal to reduce the WETH Slope1 — aimed at pulling new supply back into the pools — went live. A damaging governance detail also emerged: a proposal in January 2026 had raised the rsETH loan-to-value ratio to 93%, apparently without adequate bridge risk assessment, significantly amplifying the scale of the resulting bad debt.
Aave founder Stani Kulechov has maintained publicly that the protocol operated as designed and that its own contracts were not compromised. That distinction is technically accurate. But as one market observer noted: the risk models priced rsETH as if it would hold peg under normal conditions. None of them priced the scenario where the collateral goes to zero because a bridge on a chain Aave does not control gets poisoned on a Saturday afternoon.
This article was originally compiled from on-chain data, blockchain investigator reports, and protocol statements published April 18–19, 2026, and updated on April 20, 2026 with new developments including LayerZero’s post-mortem, Lazarus Group attribution, and Aave’s ongoing liquidity and governance response. The situation remains active. Figures cited reflect best available reporting at time of each update.
