Kelp DAO Hit by $292M Bridge Exploit: Largest DeFi Hack of 2026 Explained

On April 19, 2026, at 17:35 UTC, Ethereum's Liquid Restaking protocol Kelp DAO suffered the most severe DeFi security attack of 2026. An attacker exploited a vulnerability in LayerZero's cross-chain messaging mechanism, draining 116,500 rsETH from Kelp's bridge—approximately $292 million, representing about 18% of rsETH's circulating supply.

This attack surpasses early April's Drift Protocol incident ($285M), making it the largest DeFi exploit of 2026 to date. The breach triggered a chain reaction, forcing major DeFi lending protocols including Aave, SparkLend, and Fluid to freeze affected markets.

Timeline of Events

Let's review the complete timeline of this attack:

Pre-Attack Preparation

Hours before the attack, the attacker pre-funded 6 wallet addresses through Tornado Cash mixer. This is a common pre-attack operation used to obscure the source of funds.

Attack Execution (17:35 UTC)

The attacker sent a forged cross-chain message to Kelp's LayerZero bridge. This message tricked LayerZero's messaging layer into believing it was a valid instruction from another network. The system incorrectly validated this message, triggering the bridge contract to release 116,500 rsETH to an attacker-controlled address.

Alert Issued (17:50 UTC)

Renowned on-chain investigator ZachXBT first raised the alarm on Telegram, identifying 6 wallet addresses linked to the attacker. News spread rapidly through the crypto community.

Protocol Frozen (18:21 UTC)

Kelp DAO's emergency pause multisig froze the protocol's core contracts 46 minutes after the attack. Notably, the attacker made two additional attempts at 18:26 and 18:28 UTC, trying to steal another 40,000 rsETH (~$100M), but both transactions reverted as contracts were already frozen.

Chain Reaction

Within hours of the incident, multiple major DeFi protocols took emergency measures:

• Aave: Froze rsETH markets on V3 and V4
• SparkLend: Froze rsETH markets
• Fluid: Froze rsETH markets
• Lido Finance: Paused deposits to earnETH product (which has rsETH exposure)
• Ethena: Precautionary pause of LayerZero OFT bridges

Deep Dive: Attack Methodology

LayerZero Message Forgery

The core of this attack lies in the attacker successfully forging a "legitimate" LayerZero cross-chain message. LayerZero is a universal cross-chain messaging protocol that allows arbitrary data and instructions to be passed between different blockchains.

Under normal circumstances, when a user wants to bridge rsETH from Ethereum to a Layer 2 network:

1. User deposits rsETH on the source chain (Ethereum)
2. LayerZero's oracles and relayers verify the transaction
3. The destination chain receives the verified message and mints corresponding rsETH

The attacker bypassed this process by directly sending a forged message to the bridge, claiming that "someone on a Layer 2 chain wants to redeem 116,500 rsETH." Due to a vulnerability in the verification mechanism, this forged message was accepted by the system, causing the bridge contract to release real rsETH.

Why "18% of Circulating Supply"?

rsETH is a Liquid Restaking Token (LRT) issued by Kelp DAO, representing ETH staked by users on EigenLayer. According to pre-attack data, rsETH had a circulating supply of approximately 630,000 tokens. The 116,500 rsETH stolen by the attacker represents about 18% of total circulation—a staggering proportion.

Structural Risk of Cross-Chain Assets

This attack exposed a fundamental issue with cross-chain assets: Do tokens on Layer 2 have sufficient underlying reserves?

rsETH is deployed across more than 20 networks, including Base, Arbitrum, Linea, Blast, Mantle, and Scroll. These Layer 2 rsETH tokens are essentially "wrapped versions," their value dependent on real rsETH held in the bridge contract on Ethereum mainnet.

When the attacker drained the bridge contract's reserves, these Layer 2 rsETH tokens lost their underlying backing—holders now face the question: Is there anything underneath their tokens?

Collateral Damage to Aave

This attack caused severe collateral damage to Aave, representing the most concerning systemic risk of the entire incident.

How Bad Debt Was Created

1. Collateral Deposit: The attacker deposited some stolen rsETH into Aave V3 as collateral
2. Borrowing: Used this collateral to borrow other assets (WETH, stablecoins)
3. Collateral Devaluation: As rsETH's value became uncertain, the collateral's value potentially dropped significantly
4. Bad Debt Formation: If collateral value falls below borrowed value, bad debt is created

According to reports, Aave incurred approximately $196 million in bad debt, concentrated mainly in the rsETH-WETH pair.

Market Impact

Following the incident:

• Aave's TVL (Total Value Locked) dropped by approximately $6.6 billion
• AAVE token price fell 16%
• Aave founder Stani Kulechov confirmed the attack was external and Aave's contracts were not compromised

Affected Protocols and Assets

Directly Affected

Precautionary Measures

Unaffected

• stETH / wstETH: Lido confirmed these assets are unaffected
• Other LRT protocols: Such as EtherFi's eETH, no reported impact so far

Risks for Layer 2 Users

If you hold rsETH on any Layer 2 network, you face the greatest risk. Here's the situation across major Layer 2s:

High-Risk Layer 2s

rsETH underlying reserves have been drained on the following networks:

• Arbitrum
• Base
• Linea
• Blast
• Mantle
• Scroll
• And 14+ other networks

What Should You Do?

1. Don't panic sell: Selling during liquidity drought may cause greater losses
2. Monitor official announcements: Kelp DAO may release compensation plans or recovery solutions
3. Document your holdings: Save transaction records, wallet screenshots for potential future compensation claims
4. Assess your exposure: Calculate what percentage rsETH represents of your total portfolio

Security Lessons and Protection Tips

This incident brings several important security lessons:

Systemic Risk of Cross-Chain Bridges

Cross-chain bridges have consistently been a weak point in DeFi security. From 2022's Ronin Bridge ($625M) to Wormhole ($320M), and now Kelp DAO, bridges have become primary targets for hackers.

Complexity Risk of LRTs

Liquid Restaking Tokens (LRTs) are relatively new DeFi products whose complexity introduces additional layers of risk:

• Base layer: ETH staking
• Second layer: EigenLayer restaking
• Third layer: LRT tokenization
• Top layer: Cross-chain wrapping

Each layer adds potential risk points.

Cascading Risk of Protocol Interconnectivity

Aave's losses remind us: DeFi protocol interconnectivity is a double-edged sword. A security incident in one protocol can rapidly propagate throughout the entire ecosystem.

Practical Security Recommendations

1. Diversify risk: Don't put large amounts in a single protocol or asset type
2. Understand underlying risks: Before using complex products like LRTs, understand their mechanisms and risks
3. Set exposure limits: Define maximum investment percentages for any single protocol or asset
4. Follow security alerts: Track warnings from security researchers like ZachXBT and SlowMist
5. Regularly check approvals: Use Revoke.cash to revoke unnecessary token approvals

Developments to Watch

Fund Tracking

According to on-chain data, the attacker has begun moving stolen funds. Some funds may be laundered through mixers like Tornado Cash, making recovery unlikely.

Potential Compensation Plans

Kelp DAO has not yet announced specific compensation plans. Based on historical cases:

• Some protocols use treasury funds to compensate users
• Some protocols issue "IOU tokens" promising future compensation
• Some protocols use community governance to decide on solutions

LayerZero's Responsibility

As the provider of the cross-chain messaging layer, LayerZero's role in this incident warrants attention. While the vulnerability may lie in Kelp's bridge contract implementation, why LayerZero's verification mechanism failed to prevent this attack requires further investigation.

Conclusion

Kelp DAO's $292 million exploit once again reminds us that security risks in DeFi are ubiquitous. Cross-chain bridges, as critical infrastructure connecting different blockchains, directly impact the entire ecosystem's security.

For regular users, the key takeaways are:

• Understand the products you invest in and their risks
• Diversify investments to avoid over-concentration
• Stay vigilant and follow security alerts
• Prepare for the worst, but don't panic

DeFi innovation brings unprecedented financial freedom, but this freedom comes with corresponding responsibility. Protecting your own assets is every participant's primary task.