#KelpDAOBridgeHacked

The KelpDAO Bridge Hack: A Devastating Blow to DeFi Security

On April 18, 2026, the liquid restaking protocol KelpDAO suffered one of the most catastrophic security breaches in DeFi history, with attackers draining approximately 116,500 rsETH tokens worth between $292 to $294 million. This exploit now stands as the largest DeFi hack of 2026, surpassing the previous record held by Drift Protocol's $285 million loss earlier in the month.

The attack targeted KelpDAO's cross-chain bridge infrastructure, specifically the rsETH bridge pathway running from Unichain to Ethereum mainnet. The protocol relied on LayerZero's OFT standard for cross-chain token transfers, but a critical vulnerability lay in its security architecture. KelpDAO had configured its bridge with a 1-of-1 Decentralized Verifier Network setup, meaning a single verifier node was responsible for validating all inbound cross-chain messages before releasing funds. This centralized point of failure proved to be the Achilles' heel that attackers exploited.

The attack methodology was sophisticated and multi-staged. First, the perpetrators compromised at least two RPC nodes feeding data to the sole verifier, injecting malware designed to fabricate fake cross-chain messages. They then launched a DDoS attack against unaffected RPC nodes, forcing the system to failover to the compromised infrastructure. This created an echo chamber where poisoned data became the only source of truth. The compromised verifier subsequently approved forged lzReceive calls on LayerZero's EndpointV2 contract, minting and releasing 116,500 unbacked rsETH tokens directly to attacker-controlled addresses. The malware then self-destructed, erasing logs to obscure the trail.

The aftermath extended far beyond KelpDAO itself. The attackers immediately deployed the stolen rsETH as collateral across at least nine major DeFi protocols including Aave V3 and V4, Compound V3, Euler, SparkLend, Fluid, and Upshift, borrowing over $236 million in WETH. They subsequently converted approximately $178 million worth to ETH on Ethereum mainnet and $72 million on Arbitrum. The stolen rsETH now remains stranded and unbacked across more than 20 blockchain networks including Base, Arbitrum, Linea, and Blast.

This single exploit triggered a cascade of systemic consequences throughout the DeFi ecosystem. Total Value Locked across decentralized finance protocols plummeted by $13 to $14 billion within 48 hours. Aave alone experienced an exodus of $6 to $8.45 billion in deposits, with its native token declining approximately 10% in value. The incident created significant bad debt across multiple lending protocols and forced emergency responses from numerous DeFi platforms.

Response efforts began within minutes of the exploit. KelpDAO's multisig paused core rsETH contracts across mainnet and multiple Layer-2 networks at 18:21 UTC, approximately 46 minutes after the initial breach. Two subsequent drain attempts totaling roughly 40,000 rsETH each failed due to these protective measures. Aave froze rsETH markets on both V3 and V4 within hours, with SparkLend, Fluid, and Upshift following suit. Lido paused earnETH deposits, while Ethena temporarily suspended its LayerZero bridges for approximately six hours as a precautionary measure despite having no direct exposure.

The attribution debate between KelpDAO and LayerZero has become a central narrative in the incident's aftermath. KelpDAO maintains that LayerZero's default configuration settings contributed to the vulnerability, while LayerZero counters that KelpDAO implemented a custom weak setup deviating from recommended security practices. LayerZero has attributed the attack to North Korea's Lazarus Group, citing forensic evidence linking the operation to this state-sponsored hacking collective. The attackers had funded their initial wallet through Tornado Cash approximately ten hours before executing the exploit.

This incident represents more than an isolated security breach. It exposes fundamental weaknesses in how cross-chain bridges are architected and secured across the DeFi landscape. The reliance on single-point-of-failure verification mechanisms, even when labeled as decentralized, creates attack surfaces that sophisticated adversaries can exploit. The fact that unbacked tokens could be minted and immediately accepted as collateral across multiple major protocols highlights the interconnected risks present in modern DeFi composability.

For the broader cryptocurrency ecosystem, the KelpDAO hack serves as a stark reminder that bridge infrastructure remains among the most vulnerable components of decentralized finance. Despite numerous audits and security reviews, the complexity of cross-chain communication protocols continues to present opportunities for exploitation. The incident has reignited debates about the trade-offs between interoperability and security, with many in the community calling for more robust multi-signature requirements and decentralized verification mechanisms.

As investigations continue and affected protocols work to contain the damage, the KelpDAO exploit will likely influence security standards and best practices across the industry for years to come. The scale of the breach and its cascading effects demonstrate that in an increasingly interconnected DeFi ecosystem, the security of individual protocols is inextricably linked to the resilience of the infrastructure they rely upon.