An attacker drained approximately $293 million from Kelp DAO’s cross-chain bridge on April 18, 2026, exploiting a vulnerability in the protocol’s integration with LayerZero’s messaging infrastructure to forge a cross-chain transaction that released 116,500 rsETH — roughly 18% of the token’s entire circulating supply — without any corresponding deposit on the other side.

The exploit is the largest DeFi hack of 2026 to date, overtaking the $285 million Drift Protocol breach on April 1. LayerZero has preliminarily attributed the attack to North Korea’s Lazarus Group and its TraderTraitor subunit — the same state-sponsored operation behind the $1.5 billion Bybit hack in February 2025 and the Ronin Bridge theft in 2022. If the attribution holds, Lazarus has drained over $575 million from DeFi in 18 days through two structurally different attack vectors.

How the attack worked

Kelp DAO is a liquid restaking protocol: users deposit ETH, Kelp routes it through EigenLayer to earn additional yield, and issues rsETH as a tradeable receipt. Because rsETH is deployed across more than 20 blockchain networks — Arbitrum, Base, Linea, Blast, Mantle, Scroll, and others — Kelp uses a LayerZero-powered bridge to move the token between chains. The bridge holds the reserve of rsETH that backs wrapped versions on every layer-2 network.

The attacker compromised two of the remote procedure call (RPC) nodes that LayerZero’s Decentralised Verifier Network (DVN) relied on to confirm cross-chain transactions. According to LayerZero’s account, the attackers replaced the binary software on the compromised nodes with malicious versions that reported fraudulent data to LayerZero’s verifier while continuing to serve accurate data to every other system — a technique designed to keep the manipulation invisible to monitoring infrastructure.

Compromising two nodes alone was not enough. The attackers simultaneously launched a DDoS attack against LayerZero’s other RPC endpoints, forcing the system to fail over to the poisoned nodes. Once the failover triggered, the verifier approved a forged cross-chain message instructing Kelp’s bridge to release 116,500 rsETH to an attacker-controlled address.

The attack succeeded because of a critical configuration choice by Kelp DAO: the protocol ran a 1-of-1 DVN configuration, meaning LayerZero Labs was the sole verifier. Under this setup, poisoning one verifier’s data feed was sufficient to forge a valid message. LayerZero stated that it had repeatedly recommended a multi-verifier configuration with redundancy, which would have required consensus across several independent verifiers and rendered the attack ineffective.
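The failure chain described above comes down to two thresholds: how many RPC endpoints a verifier needs in agreement before it attests, and how many verifiers the bridge needs before it releases funds. The Python model below is an added illustration, not code from LayerZero or Kelp DAO; the function names, the five-endpoint layout and the message digests are constructed assumptions.

```python
import hashlib
from collections import Counter

def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

# Constructed sample values: what an endpoint reports for the disputed message slot.
HONEST = digest(b"source chain: no matching deposit")
FORGED = digest(b"forged: release 116500 rsETH")

def verifier_view(rpc_answers, min_agreeing):
    """Digest one verifier is willing to attest, or None (fail closed).

    rpc_answers holds one entry per RPC endpoint; None means unreachable,
    for example because the endpoint is under DDoS.
    """
    reachable = [a for a in rpc_answers if a is not None]
    if not reachable:
        return None
    value, count = Counter(reachable).most_common(1)[0]
    return value if count >= min_agreeing else None

def bridge_accepts(message_digest, attestations, threshold):
    """Release only if at least `threshold` verifiers attest this exact digest."""
    return sum(1 for a in attestations if a == message_digest) >= threshold

def forged_message_accepted(min_agreeing, threshold, n_verifiers):
    """Replay the described scenario against a hypothetical configuration."""
    # Targeted verifier: 2 poisoned endpoints answer, 3 honest ones are offline.
    targeted = verifier_view([FORGED, FORGED, None, None, None], min_agreeing)
    # Any further verifiers are independent and read healthy endpoints.
    others = [verifier_view([HONEST] * 3, min_agreeing)
              for _ in range(n_verifiers - 1)]
    return bridge_accepts(FORGED, [targeted] + others, threshold)

if __name__ == "__main__":
    configs = [
        ("1-of-1, fail over to any endpoint", 1, 1, 1),
        ("1-of-1, 2 endpoints must agree", 2, 1, 1),
        ("1-of-1, 3 endpoints must agree", 3, 1, 1),
        ("2-of-3, fail over to any endpoint", 1, 2, 3),
    ]
    for label, min_agreeing, threshold, n in configs:
        print(f"{label}: forged accepted = "
              f"{forged_message_accepted(min_agreeing, threshold, n)}")
```

An endpoint quorum of two still passes the forgery in this model because two endpoints were compromised; the quorum only helps once it exceeds the number of endpoints an attacker can control.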

Kelp’s emergency multisig froze the protocol’s core contracts 46 minutes after the drain, at 18:21 UTC. Two follow-up attempts — each trying to extract an additional 40,000 rsETH (~$100 million) — reverted into the pause. As Cyvers CTO Meir Dolev noted, the protocol was “just three minutes away from losing an additional $100 million.”

The contagion

What made this exploit particularly destructive was not just the $293 million direct loss — it was the contagion.

rsETH is widely used as collateral across DeFi lending platforms. The attacker exploited this directly: rather than selling the stolen rsETH (which would have crashed the price and reduced the haul), the attacker deposited it into Aave V3 and V4 as collateral and borrowed approximately $236 million in real wrapped ETH against it. The borrowed WETH — backed by rsETH that had no legitimate underlying — was then withdrawn.

Aave, the largest DeFi lending protocol with over $20 billion in locked assets, froze its rsETH markets within hours. SparkLend and Fluid did the same. But the damage was already propagating. As The Defiant reported, WETH suppliers began racing to withdraw their own funds, triggering a bank-run dynamic. By Sunday morning, $5.4 billion in ETH and WETH had left Aave. Utilisation on key markets briefly hit levels that made new borrowing nearly impossible. Aave’s token dropped 20% during Asian trading hours.

The contagion extended further. Lido Earn paused deposits to its earnETH product, which had rsETH exposure. Ethena temporarily shut down its LayerZero bridges from Ethereum mainnet as a precaution, despite having no rsETH exposure. Cyvers estimated that at least nine protocols were directly affected.

Aave initially stated that its Umbrella safety module could offset any bad debt from the incident. It later revised that statement: “If the protocol accumulates bad debt from this incident, we’ll explore paths to offset the deficit.” The standalone bad-debt estimate for Aave V3 is approximately $177 million. Aave’s WETH reserve in Umbrella is approximately $50 million — a coverage ratio of less than 30%.

The blame game

LayerZero and Kelp DAO have offered markedly different framings of the incident.

LayerZero placed responsibility squarely on Kelp’s configuration choices, stating that the exploit stemmed from Kelp’s decision to run a 1-of-1 DVN — a single point of failure that LayerZero had explicitly warned against. LayerZero found no contagion to other applications using its messaging layer, noting that protocols running multi-verifier configurations were unaffected. It has announced it will no longer sign messages for any project using a 1-of-1 verifier configuration.

Kelp DAO has not yet publicly responded to LayerZero’s framing or explained why it operated a single-verifier setup despite the explicit recommendations against it. This is Kelp’s second security incident in a year — in April 2025, a fee contract bug caused excess token minting, though no user funds were lost.

What an investigator sees

This hack connects directly to the themes I have been writing about throughout 2025 and into 2026.

The attack vector — compromising infrastructure nodes to forge cross-chain messages — is a different technique from the Bybit hack (supply chain compromise of a wallet provider’s UI) and the Ronin Bridge hack (social engineering to obtain validator keys). But the structural pattern is identical: a system with nominal distribution of trust that, in practice, converges on a single point of failure. Ronin’s nine-of-nine collapsed to one-of-one through temporary key delegation. Bybit’s three-of-N collapsed through shared infrastructure dependency. Kelp’s DVN was explicitly configured as one-of-one.

The Lazarus Group — if the attribution holds — has now demonstrated three distinct attack methodologies against three distinct architectural targets across three years, adapting each time. The adversary is not repeating itself. It is evolving. And the crypto industry keeps providing single points of failure for it to exploit.

The contagion dimension is what I described in my article on what the next crypto collapse will look like: interconnected protocols using each other’s tokens as collateral, with no circuit breakers and no lender of last resort. When one token’s backing fails, the damage cascades through every protocol that accepted it. rsETH was treated as ETH-equivalent collateral across Aave, SparkLend, Fluid, and others — until it wasn’t. The $293 million exploit produced $5.4 billion in withdrawal pressure because the trust assumptions that underpinned rsETH’s collateral status were shared across the entire lending stack.

The 1-of-1 DVN configuration is the most troubling detail. This was not a sophisticated zero-day exploit against a novel cryptographic primitive. It was the exploitation of a configuration choice that the infrastructure provider had explicitly warned against. The question that regulators — and Kelp DAO’s own users — will ask is why the protocol chose a configuration with zero fault tolerance for a bridge holding $293 million in assets. The answer, when it comes, will likely involve cost, complexity, and the trade-off between operational simplicity and security that every DeFi protocol makes, often without adequate disclosure to the users who bear the risk.

Cumulative DeFi losses for 2026 now exceed $1 billion across approximately 45 protocols. April alone — Drift ($285M), Kelp ($293M), and a dozen smaller exploits — accounts for the majority. The MiCA framework I wrote about recently does not cover DeFi protocols, which operate outside its licensing perimeter. Whether that exclusion survives this quarter’s casualty list is a question European regulators will need to answer.
