The Day a $292M KelpDAO Bridge Exploit Turned Into a $14B DeFi Stress Test
On April 18–19, an attacker drained 116,500 rsETH from Kelp
DAO’s LayerZero-based bridge, roughly 18% of the token’s supply and about
$292–293 million at the time. The bridge held reserves backing rsETH on more
than 20 networks, so the exploit instantly created doubts about whether wrapped
rsETH on those chains still had real backing behind it.
Singapore Summit: Meet the largest APAC brokers you know (and those you still don’t!)
According to DeFiLlama data, the Kelp DAO exploit landed in a market that was already near the psychological $100 billion milestone for total value locked, and it erased almost $14 billion from that figure within a day. Between April 18 and 19, DeFi’s aggregate TVL fell from about $99.5 billion to roughly $85.21 billion.
The technical root cause looks simple on paper: Kelp ran a 1‑of‑1
verifier configuration for LayerZero’s
Decentralized Verifier Network. Only one verifier needed to sign off on cross‑chain
messages, so once the attacker controlled that view of the world, they
effectively controlled the bridge.
The Arbitrum Security Council has taken emergency action to freeze the 30,766 ETH being held in the address on Arbitrum One that is connected to the KelpDAO exploit. The Security Council acted with input from law enforcement as to the exploiter’s identity, and, at all times,…
— Arbitrum (@arbitrum) April 21, 2026
According to several post‑mortems,
the attacker compromised two RPC nodes that fed data to the verifier and then
used a DDoS attack to knock clean nodes offline, forcing a failover to their
poisoned infrastructure. From there, they injected a forged cross‑chain
message that tricked the system into releasing 116,500 rsETH to their address,
all without breaking a single line of on‑chain code.
Read more: If DeFi Had This in 2022, Maybe It Wouldn’t Have Collapsed
From an analytical standpoint, this hack sits in the same
family as earlier bridge failures such as Ronin and Nomad, where central
checkpoints and initialization assumptions became high‑value
targets. The common pattern is not a single vulnerable contract but an
architecture that treats critical verification as a convenience feature rather
than a hardened security boundary.
Source: DefiLlama
Lending Models Under Pressure
The story did not end at the bridge. The attacker rapidly
moved the stolen rsETH into Aave as collateral and borrowed large amounts of
ETH against it, while opening positions on other lending markets.
Investors reacted quickly. On‑chain data and market reports show
that more than $5.4 billion exited Aave in short order as users reduced risk,
with total value locked dropping even more sharply over 48 hours.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you…
— Kelp (@KelpDAO) April 18, 2026
ETH
utilization on Aave briefly spiked to 100%, and AAVE’s
token price fell around 10% as traders priced in both the immediate hole and
future governance decisions around recapitalization. From a market‑structure
perspective, this looks less like a one‑off exploit and more like a stress
test of the non‑isolated lending model where one asset’s failure can
ripple across an entire pool.
He pointed to Aave v4’s
planned “hub‑and‑spoke”
architecture—closer to semi‑isolated
markets—as a potential compromise between
composability and safety. The underlying analytical point is that lending
protocols may no longer afford to assume that all whitelisted collateral assets
share roughly the same risk profile, especially when some sit on complex, cross‑chain
restaking rails.
A Security Reckoning in an AI Age
The Kelp DAO exploit lands in a month where crypto platforms
have already lost hundreds of millions of dollars to hacks, piling onto a multi‑year
trend of bridge‑centric incidents.
Whether or not AI played a direct role
in this particular hack, the pattern of rapid, multi‑venue attacks
suggests defenders can no longer rely on slow human review and ad‑hoc
configuration choices to keep up. For DeFi builders, the practical takeaway is
less about any single tool and more about assuming that motivated attackers can
see the system almost as clearly as its designers.
UPDATE: 🚨 The Kelp DAO exploiter has moved about $175 million in ETH to fresh wallets after Arbitrum froze $71 million tied to the hack. https://t.co/xj2Srjob0I pic.twitter.com/GjlFXnE6cH
— CoinMarketCap (@CoinMarketCap) April 21, 2026
The public blame game between Kelp DAO and LayerZero
underscores another uncomfortable reality: responsibility for security in
composable finance is shared, but accountability often fragments once something
breaks.
Kelp says it followed LayerZero’s defaults and common practice;
LayerZero says it warned against single‑verifier setups and now promises
to stop signing messages for such configurations. For users and institutional
participants, this dispute matters less than the broader lesson: default
settings on critical infrastructure are de facto risk decisions, not neutral
technical details.
On April 18–19, an attacker drained 116,500 rsETH from Kelp
DAO’s LayerZero-based bridge, roughly 18% of the token’s supply and about
$292–293 million at the time. The bridge held reserves backing rsETH on more
than 20 networks, so the exploit instantly created doubts about whether wrapped
rsETH on those chains still had real backing behind it.
Singapore Summit: Meet the largest APAC brokers you know (and those you still don’t!)
According to DeFiLlama data, the Kelp DAO exploit landed in a market that was already near the psychological $100 billion milestone for total value locked, and it erased almost $14 billion from that figure within a day. Between April 18 and 19, DeFi’s aggregate TVL fell from about $99.5 billion to roughly $85.21 billion.
The technical root cause looks simple on paper: Kelp ran a 1‑of‑1
verifier configuration for LayerZero’s
Decentralized Verifier Network. Only one verifier needed to sign off on cross‑chain
messages, so once the attacker controlled that view of the world, they
effectively controlled the bridge.
The Arbitrum Security Council has taken emergency action to freeze the 30,766 ETH being held in the address on Arbitrum One that is connected to the KelpDAO exploit. The Security Council acted with input from law enforcement as to the exploiter’s identity, and, at all times,…
— Arbitrum (@arbitrum) April 21, 2026
According to several post‑mortems,
the attacker compromised two RPC nodes that fed data to the verifier and then
used a DDoS attack to knock clean nodes offline, forcing a failover to their
poisoned infrastructure. From there, they injected a forged cross‑chain
message that tricked the system into releasing 116,500 rsETH to their address,
all without breaking a single line of on‑chain code.
Read more: If DeFi Had This in 2022, Maybe It Wouldn’t Have Collapsed
From an analytical standpoint, this hack sits in the same
family as earlier bridge failures such as Ronin and Nomad, where central
checkpoints and initialization assumptions became high‑value
targets. The common pattern is not a single vulnerable contract but an
architecture that treats critical verification as a convenience feature rather
than a hardened security boundary.
Source: DefiLlama
Lending Models Under Pressure
The story did not end at the bridge. The attacker rapidly
moved the stolen rsETH into Aave as collateral and borrowed large amounts of
ETH against it, while opening positions on other lending markets.
Investors reacted quickly. On‑chain data and market reports show
that more than $5.4 billion exited Aave in short order as users reduced risk,
with total value locked dropping even more sharply over 48 hours.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you…
— Kelp (@KelpDAO) April 18, 2026
ETH
utilization on Aave briefly spiked to 100%, and AAVE’s
token price fell around 10% as traders priced in both the immediate hole and
future governance decisions around recapitalization. From a market‑structure
perspective, this looks less like a one‑off exploit and more like a stress
test of the non‑isolated lending model where one asset’s failure can
ripple across an entire pool.
He pointed to Aave v4’s
planned “hub‑and‑spoke”
architecture—closer to semi‑isolated
markets—as a potential compromise between
composability and safety. The underlying analytical point is that lending
protocols may no longer afford to assume that all whitelisted collateral assets
share roughly the same risk profile, especially when some sit on complex, cross‑chain
restaking rails.
A Security Reckoning in an AI Age
The Kelp DAO exploit lands in a month where crypto platforms
have already lost hundreds of millions of dollars to hacks, piling onto a multi‑year
trend of bridge‑centric incidents.
Whether or not AI played a direct role
in this particular hack, the pattern of rapid, multi‑venue attacks
suggests defenders can no longer rely on slow human review and ad‑hoc
configuration choices to keep up. For DeFi builders, the practical takeaway is
less about any single tool and more about assuming that motivated attackers can
see the system almost as clearly as its designers.
UPDATE: 🚨 The Kelp DAO exploiter has moved about $175 million in ETH to fresh wallets after Arbitrum froze $71 million tied to the hack. https://t.co/xj2Srjob0I pic.twitter.com/GjlFXnE6cH
— CoinMarketCap (@CoinMarketCap) April 21, 2026
The public blame game between Kelp DAO and LayerZero
underscores another uncomfortable reality: responsibility for security in
composable finance is shared, but accountability often fragments once something
breaks.
Kelp says it followed LayerZero’s defaults and common practice;
LayerZero says it warned against single‑verifier setups and now promises
to stop signing messages for such configurations. For users and institutional
participants, this dispute matters less than the broader lesson: default
settings on critical infrastructure are de facto risk decisions, not neutral
technical details.
