KelpDAO has suffered a devastating exploit, with hackers draining nearly $293 million in rsETH tokens through a cross-chain bridge vulnerability, marking the largest DeFi hack of 2026 so far. The incident has triggered widespread panic across decentralized finance platforms, freezing markets and raising urgent questions about cross-chain security.
🔎 What Happened
- Date of Attack: April 18–19, 2026
- Amount Stolen: ~116,500 rsETH, valued at $292–293 million
- Exploit Method: Attackers manipulated LayerZero’s cross-chain messaging system, tricking it into validating fraudulent transactions.
- Speed of Attack: The funds were drained in under 46 minutes, with most converted into ETH and laundered through Tornado Cash.
🌐 Impact on DeFi Ecosystem
- Largest DeFi Hack of 2026: Surpassing the Drift Protocol exploit earlier this month.
- Contagion Effect: Lending platforms like Aave, SparkLend, and Fluid froze rsETH markets to prevent systemic collapse.
- Collateral Damage: rsETH was widely used as collateral and liquidity across multiple protocols, amplifying the risk.
🕵️ Possible Attackers
- Suspected Group: Post-incident analysis suggests involvement of North Korea’s Lazarus Group, known for sophisticated crypto heists.
- Technique: Attackers poisoned RPC nodes in LayerZero’s DVN system, forcing failover to malicious nodes and enabling fake cross-chain messages.
- Root Cause: KelpDAO’s 1/1 DVN setup lacked redundancy, leaving it vulnerable to spoofing.
⚠️ Risks & Lessons
- Cross-Chain Bridges: Once again highlighted as the weakest link in DeFi security, with billions lost in similar exploits over the past years.
- Systemic Risk: The hack demonstrates how one protocol’s vulnerability can ripple across the entire ecosystem.
- Need for Redundancy: Experts stress that multi-verifier setups and stronger failover mechanisms are essential to prevent similar attacks