292 millions de dollars. 20 chaînes. 4 protocoles gelés. Le plus grand hack DeFi de 2026 vient de frapper Kelp DAO

txhao · 2026-04-19T02:43:05.000Z

Alors que tout le monde regardait les gros titres de Hormuz ce week-end, DeFi a subi son pire exploit de 2026. Un attaquant a drainé 116,500 rsETH — environ 18% de l'offre en circulation et environ 292 millions de dollars en valeur — du pont alimenté par LayerZero de Kelp samedi, déclenchant des gels d'urgence à travers Aave, SparkLend, Fluid et Upshift. L'ether emballé est devenu bloqué sur 20 chaînes alors que l'attaque se propageait à travers l'infrastructure inter-chaînes. Décomposons ce qui s'est réellement passé, car les mécanismes comptent.

While everyone was watching the Hormuz headlines this weekend, DeFi suffered its worst exploit of 2026.
An attacker drained 116,500 rsETH — roughly 18% of circulating supply and approximately $292 million in value — from Kelp's LayerZero-powered bridge on Saturday, triggering emergency freezes across Aave, SparkLend, Fluid, and Upshift. Wrapped ether became stranded across 20 chains as the attack propagated through the cross-chain infrastructure.
Let's break down what actually happened, because the mechanics matter.
Kelp DAO is a liquid restaking protocol built on Ethereum. Users deposit ETH or liquid staking tokens, receive rsETH in return, and can use that rsETH across DeFi protocols as collateral or to earn yield. The protocol uses LayerZero — the leading cross-chain messaging infrastructure — to make rsETH usable across multiple blockchains simultaneously.
That cross-chain functionality was the attack vector. The attacker exploited a vulnerability in how Kelp's LayerZero bridge validated asset balances across chains, allowing them to mint rsETH on destination chains without a corresponding deposit on the source chain. In simple terms: they created rsETH out of nothing, then used it to drain real assets from connected protocols.
The scale of the contagion is what makes this particularly alarming. Because rsETH was integrated as collateral across multiple blue-chip DeFi protocols, the emergency response required simultaneous freezes on Aave, SparkLend, Fluid, and Upshift — preventing new borrowing against rsETH positions while teams assessed exposure. Users who had legitimate rsETH positions as collateral found themselves temporarily unable to interact with their positions during the freeze period.
Cross-chain bridge exploits have been the leading source of DeFi losses for three consecutive years. Ronin ($625M, 2022), Wormhole ($320M, 2022), Nomad ($190M, 2022). The pattern is consistent: complexity creates attack surface, and bridge complexity is the highest in DeFi.
This doesn't mean cross-chain infrastructure is unfixable. But it does mean that every time you bridge an asset or use a cross-chain protocol, you're trusting code that has historically been crypto's most vulnerable category. The security audits, the TVL, the team's reputation — none of it has consistently prevented these events.
The uncomfortable question for the industry: at what point does the composability that makes DeFi powerful become the systemic risk that makes it fragile? That question doesn't have a clean answer yet. But Kelp DAO's $292M just made it louder.
 #KelpDAO  #DeFiHack  #LayerZero  #CryptoSecurity  #rsETH 