The attack also caused a domino effect on Aave, leaving around $177 million in uncollectible debt and forcing key markets to freeze.
📌 Attack details
- Date: April 18, 2026
- Amount stolen: 116,500 rsETH (~$292M), equivalent to 18% of the circulating supply of rsETH.
- Method: Manipulation of LayerZero's cross-chain messaging system, which validated a false transfer as legitimate.
- Immediate impact:
- KelpDAO: rsETH bridge paralyzed, operations halted.
- Aave: $200M in loans with stolen collateral → $177M in bad debt.
- Other affected protocols: SparkLend, Fluid, Upshift (markets frozen).
🔎 Investigation and findings
- Researcher who alerted: ZachXBT, at 2:52 PM on April 18.
- Techniques used:
- Spoofing of cross-chain messages.
- Use of obfuscation tools and targeted calls to contracts.
- Consequence: Unauthorized transfer of rsETH → massive drain of reserves.
📊 Quick comparison table
| Aspect | Detail |
|---------|---------|
| Amount stolen | $292M (116,500 rsETH) |
| Affected supply | 18% of circulating rsETH |
| Exploited protocol | KelpDAO LayerZero Bridge |
| Impact on Aave | $177M in bad debt |
| Other protocols | SparkLend, Fluid, Upshift |
| Date | April 18, 2026 |
| Key researcher | ZachXBT |
⚖️ Implications for the ecosystem
- DeFi under pressure: This attack surpasses all previous exploits of 2026 in scale.
- Trust in LayerZero: The incident exposes critical vulnerabilities in cross-chain verification.
- KelpDAO and Aave users: Deposits and collateral face partial or total loss risk.
- Key lesson: Cross-chain messaging systems require stricter audits and redundancy in validation.
🚨 Immediate recommendations
- KelpDAO users: Avoid new trades until patches and external audits are published.
- Investors in Aave and affected protocols: Monitor official announcements regarding recovery and compensation.
- General: Diversify positions and limit exposure to wrapped tokens until security measures are reinforced.
