#KelpDAOBridgeHacked

2026’s Largest DeFi Exploit – Kelp DAO’s rsETH Bridge Drained of $292 Million
On April 18, 2026, at approximately 17:35 UTC, the liquidity restaking protocol Kelp DAO suffered a major security breach in its LayerZero-powered cross-chain bridge. The attacker successfully drained 116,500 rsETH (restaked Ether), valued at roughly $292–293 million. This amount represented approximately 18% of rsETH’s total circulating supply and stands as the largest DeFi hack recorded in 2026 so far.
How the Attack Unfolded
Kelp DAO’s rsETH bridge relied on LayerZero’s cross-chain messaging infrastructure, specifically the EndpointV2 contract, to enable seamless asset transfers across different blockchains. The attacker exploited this by calling the lzReceive function and injecting a forged cross-chain message. This manipulated message tricked the bridge’s verification logic into believing that legitimate funds had arrived from another network, causing the release of 116,500 rsETH directly to an attacker-controlled address.
The wallet used in the exploit had been funded through Tornado Cash approximately 10 hours earlier—a common technique for obscuring transaction origins. The bridge was active on Ethereum mainnet and multiple Layer-2 networks, including Arbitrum, which facilitated the rapid cross-chain impact. Analysts have pointed to over-reliance on LayerZero’s default configurations and documentation as contributing factors.
Kelp DAO’s Swift Response
The Kelp DAO team detected the suspicious activity quickly and issued a statement:
“We identified suspicious cross-chain activity involving rsETH. While the investigation continues, we have paused rsETH contracts on mainnet and several L2 networks. We are working closely with LayerZero, Unichain, our auditors, and leading security experts on a root cause analysis.”
By immediately pausing the rsETH contracts, the protocol prevented potential follow-up drains estimated at an additional $100 million or more. However, the liquidity loss severely impacted rsETH’s value and left wrapped ETH assets stranded across more than 20 different chains.
Domino Effect Across DeFi and Liquidity Crisis
The hack triggered a widespread “bank run” across the DeFi ecosystem. Major lending platforms such as Aave activated emergency market freezes, with approximately $9 billion (about 33% of its TVL) withdrawn and around $196–236 million in bad debt created. Similar liquidity pressures hit protocols including SparkLend, Fluid, Upshift, Morpho, and others.
Overall DeFi total value locked (TVL) declined by $8–13 billion within 48 hours, with stress observed even in some Solana pools. The incident once again highlighted cross-chain bridges as one of the most vulnerable components in DeFi infrastructure. In April 2026 alone, hacks have exceeded $600 million in total losses, with the Kelp DAO event surpassing the previous record set by the Drift Protocol incident (approximately $280–286 million) just three weeks earlier.
Lazarus Group Speculation and Ongoing Investigation
Several security firms and on-chain analysts have suggested possible links to the North Korea-affiliated Lazarus Group, with LayerZero also indicating related signals. No official confirmation has been issued yet. Portions of the stolen funds have already been swapped into ETH on Ethereum and Arbitrum as the attacker attempts to obscure the trail; tracking efforts continue.
Lessons for the Industry
The Kelp DAO bridge hack underscores the significant risks inherent in liquidity restaking and omnichain bridge architectures. While LayerZero and similar solutions provide powerful interoperability, they remain susceptible to single points of failure and message forgery attacks.
Kelp DAO has committed to releasing a detailed post-mortem report once the full investigation concludes. For DeFi users and developers alike, this event serves as a stark reminder of the need to strengthen bridge security, implement robust multi-verifier systems, and enhance emergency response protocols.