Futures
Access hundreds of perpetual contracts
TradFi
Gold
One platform for global traditional assets
Options
Hot
Trade European-style vanilla options
Unified Account
Maximize your capital efficiency
Demo Trading
Introduction to Futures Trading
Learn the basics of futures trading
Futures Events
Join events to earn rewards
Demo Trading
Use virtual funds to practice risk-free trading
Launch
CandyDrop
Collect candies to earn airdrops
Launchpool
Quick staking, earn potential new tokens
HODLer Airdrop
Hold GT and get massive airdrops for free
Pre-IPOs
Unlock full access to global stock IPOs
Alpha Points
Trade on-chain assets and earn airdrops
Futures Points
Earn futures points and claim airdrop rewards
Promotions
AI
Gate AI
Your all-in-one conversational AI partner
Gate AI Bot
Use Gate AI directly in your social App
GateClaw
Gate Blue Lobster, ready to go
Gate for AI Agent
AI infrastructure, Gate MCP, Skills, and CLI
Gate Skills Hub
10K+ Skills
From office tasks to trading, the all-in-one skill hub makes AI even more useful.
GateRouter
Smartly choose from 30+ AI models, with 0% extra fees
This incident has become a major wake-up call for the DeFi industry, where the exploit targeting KelpDAO’s rsETH token resulted in approximately $293.7 million in losses and exposed critical weaknesses in cross-chain infrastructure. It was not just a protocol-level breach, but a broader failure in the underlying systems that support modern DeFi, particularly bridges and verification mechanisms.
On April 18, 2026, attackers took advantage of a key vulnerability in a LayerZero-powered bridge. The issue stemmed from a flawed DVN configuration using a 1-of-1 verification setup, effectively creating a single point of failure. This allowed malicious actors to inject forged verification data and execute unauthorized cross-chain transactions, draining a significant amount of rsETH.
The impact quickly spread beyond the initial exploit. The stolen assets were actively deployed into lending protocols, where they were used as collateral to borrow large amounts of funds. Because this collateral was not backed by real ETH, it introduced structural instability and created positions that could not be liquidated, resulting in long-term bad debt across DeFi markets.
Estimates suggest that the bad debt exposure could range between $123 million and $230 million, with potential losses exceeding 15 percent in certain markets. Layer 2 ecosystems were particularly affected, and further downside risk remains if market conditions deteriorate.
This event highlights that cross-chain bridges are no longer just infrastructure components, but critical points of systemic risk. While individual DeFi protocols may function correctly on their own, their interconnected nature can amplify failures across the entire ecosystem. Notably, this exploit bypassed smart contracts and instead targeted infrastructure layers such as RPC nodes and verification systems.
The industry response has been swift, including emergency freezes, partial recovery of funds, and coordinated recovery initiatives. Collaboration among major stakeholders indicates a growing recognition that these risks are shared across the ecosystem.
Market effects included increased volatility, liquidity stress in lending pools, and depegging pressure on rsETH. Stablecoin lending markets also experienced heightened strain as a result.
Ultimately, this exploit marks a turning point for DeFi security. It shows that risk is no longer isolated within individual protocols, and that infrastructure-level security must now be treated as a core priority. While recovery efforts may stabilize conditions in the short term, the structural vulnerabilities exposed by this event will likely shape the future direction of decentralized finance.
🚨 The rsETH Exploit: A $293M Wake-Up Call for Cross-Chain DeFi Infrastructure
The recent exploit targeting KelpDAO’s liquid restaking token rsETH has emerged as one of the most significant DeFi security failures of 2026, resulting in approximately $293.7 million in losses and exposing deep structural risks across cross-chain finance.
This incident is not just a protocol-level hack — it represents a systemic breakdown in cross-chain infrastructure security, particularly within bridge and verification mechanisms that underpin modern DeFi ecosystems.
🔍 Incident Overview
On April 18, 2026, attackers exploited a critical vulnerability in KelpDAO’s LayerZero-powered bridge system, draining around 116,500 rsETH (~$293M).
The attack leveraged a weakness in Decentralized Verifier Network (DVN) configuration, specifically a 1-of-1 verification setup, which created a single point of failure in cross-chain message validation.
This design flaw allowed attackers to forge verification data and execute unauthorized cross-chain transfers, ultimately draining a significant portion of circulating rsETH supply.
⚙️ How the Exploit Worked
The attack followed a carefully structured sequence:
Funding via privacy channels (Tornado Cash)
Exploitation of LayerZero’s EndpointV2 lzReceive function
Forged DVN verification data injection
Cross-chain extraction of rsETH across multiple networks
Once extracted, the stolen assets were not idle. Instead, they were actively deployed across lending markets such as Aave, creating a cascading liquidity and collateral crisis.
💥 Contagion Across DeFi Markets
The exploit rapidly expanded beyond KelpDAO:
~89,567 rsETH deposited into lending protocols
~$190M in WETH borrowed against unbacked collateral
Positions distributed across Ethereum and L2 ecosystems
Because the collateral was not backed by real ETH, these positions became structurally unliquidatable, introducing permanent bad debt into DeFi lending pools.
📉 Aave’s Bad Debt Exposure
Internal assessments from protocol analysts estimate:
$123M–$230M potential bad debt
Up to 15%+ haircut scenarios across rsETH markets
Concentrated losses in L2 ecosystems such as Arbitrum, Base, and Mantle
In worst-case simulations, additional market stress could trigger another $100M+ exposure if ETH prices decline further.
This event has already forced emergency freezes and governance discussions across major DeFi protocols.
🧠 Core Structural Failures Identified
1. Bridge ≠ Just Infrastructure
Cross-chain bridges are now proven to be core asset risk vectors, not peripheral systems.
2. Composability Risk
DeFi protocols functioned correctly individually — but system-wide interaction failure caused collapse propagation.
3. Infrastructure Blind Spots
The exploit bypassed smart contracts entirely and targeted:
RPC nodes
DVN verification layers
Cross-chain messaging infrastructure
⚖️ Industry Response & Recovery Efforts
The DeFi ecosystem has responded rapidly:
Emergency market freezes across lending protocols
Partial recovery of stolen assets (~40K rsETH)
Multi-party recovery pledges totaling ~38,500 ETH
Governance-driven recovery proposals underway
Key contributors include major DeFi stakeholders and infrastructure providers, signaling unprecedented collaboration.
⚠️ Market Impact
The exploit triggered:
Sharp price volatility in DeFi tokens
Temporary liquidity crunch across lending pools
rsETH depeg pressure across multiple chains
Elevated stress across stablecoin lending markets
🧭 What This Means for DeFi
This incident highlights a fundamental shift in risk understanding:
DeFi security is no longer just about smart contract audits — it now includes:
Cross-chain bridge design
Verification network integrity
Infrastructure dependency mapping
Default configuration risk
As one analyst noted:
“Most protocols are completely exposed at the infrastructure layer.”
🔮 Final Takeaway
The rsETH exploit is not simply a $293M loss — it is a stress test of DeFi’s interconnected architecture.
It demonstrates that:
Risk is no longer isolated per protocol
Cross-chain design increases systemic exposure
Infrastructure security is now mission-critical
The recovery process may stabilize markets temporarily, but the structural questions raised by this exploit will shape the next era of DeFi development.
⚠️ Risk Warning
Cryptocurrency and DeFi investments involve high risk and extreme volatility. Past performance does not guarantee future results. Always conduct independent research and apply strict risk management.
Dragon Fly Official