The KelpDAO Exploit Aftermath: $290M+ Drained in Major DeFi Security Incident
The DeFi sector is reeling from the largest exploit of 2026 so far, where Kelp DAO’s rsETH bridge was drained of roughly 116,500 rsETH (approx. $290M–$293M) on April 18–19, 2026.
Post-Exploit Updates & Key Takeaways:
Root Cause: The exploit was not a direct smart contract bug but a misconfiguration in KelpDAO's LayerZero cross-chain message verification (a "single-DVN" setup), allowing the attacker to mint unbacked tokens.
Contagion Impact: Stolen assets were used to drain liquidity across major platforms, creating nearly $236M in debt positions on Aave, which was forced to freeze rsETH markets.
Partial Recovery: Arbitrum’s Security Council and other partners have taken action, with $71 million in ETH already frozen in a collaborative recovery effort.
Attacker Identification: LayerZero has preliminarily linked the exploit to the North Korean-backed Lazarus Group
Mantle Network Confirms Security
Mantle Network has announced its official bridge, underlying network, and core assets remain fully secure. LayerZero confirmed the vulnerability was isolated to KelpDAO’s configuration, not Mantle's infrastructure. Mantle is in active communication with Aave to support recovery efforts, with $204 million in core USD liquidity already returning to its ecosystem.
Trust in DeFi & Security Lessons
This incident marks the second ~ $280M+ exploit in April, highlighting critical systemic risks in bridge technology. The event forces a reevaluation of:
Cross-Chain Risks: The reliance on external, third-party messaging providers.
Collateral Standards: Protocols must demand higher security standards for accepted collateral.
While this event shakes user confidence, the fast-acting, coordinated response from protocols and network security councils to isolate affected assets demonstrates resilience in DeFi's maturing security practices.
#KelpDAO #MantleNetwork #CryptoSecurity #LayerZero #DeFiSecurity