Kelp DAO just turned a protocol exploit into a full-blown DeFi stress event.
On April 18, 2026, attackers drained roughly $290M–$293M tied to rsETH, making it one of the biggest DeFi exploits of the year. Kelp flagged “suspicious cross-chain activity,” paused rsETH contracts across Ethereum mainnet and several L2s, and the blast radius quickly spread across lending markets.
What makes this hit harder is the mechanism. LayerZero says the protocol itself was not exploited; instead, the attacker allegedly poisoned downstream RPC infrastructure used by LayerZero Labs’ DVN, and Kelp’s 1-of-1 DVN setup left rsETH exposed as a single point of failure. LayerZero says it had recommended a multi-DVN configuration, while Kelp has publicly pushed back on where responsibility sits. 
The real damage was not just the theft. Aave said its own contracts were not exploited, but it still froze affected markets because of the rsETH bridge incident. Reports since then say the event triggered heavy withdrawals, bad debt concerns, and a sharp drop in DeFi confidence far beyond Kelp itself. 
This is why the story feels bigger than a hack headline: the code did not need to break for trust to break. In DeFi, one weak cross-chain assumption can turn yield into panic in a matter of hours.