Bridges under fire

- Bridge-based attacks and vault exploits surged across DeFi, exposing dependencies between messaging layers and wrapped assets.
- Kelp DAO suffered a $292 million exploit, and April is shaping up as the worst month for hacks since 2025.
- The wave of large breaches and rising monthly losses is intensifying scrutiny on cross-chain plumbing and trust assumptions. (coindesk.com) (crypto.news)

Crypto’s biggest DeFi theft of 2026 hit a bridge, not a trading bug: Kelp DAO lost about $292 million on April 18. (coindesk.com)

A bridge is the software that lets tokens move between blockchains, like a courier carrying receipts from one network to another. In Kelp’s case, an attacker drained 116,500 rsETH at 17:35 UTC by abusing its LayerZero-based cross-chain setup. (coindesk.com)

LayerZero said Kelp had configured rsETH with a single Decentralized Verifier Network, or DVN, meaning one verifier was enough to approve a message. LayerZero said that 1-of-1 setup created a single point of failure and that a multi-verifier configuration would have blocked the forged message. (layerzero.network)

That matters because bridges sit underneath other DeFi products the way plumbing sits behind walls. When a wrapped token like rsETH loses backing on one chain, lending markets and vaults that accepted it as collateral can seize up too. (coindesk.com)

The spillover was immediate. Aave froze rsETH markets after the drain, and Kelp’s emergency pauser multisig halted core contracts about 46 minutes after the first successful transaction, blocking two follow-up attempts. (theblock.co)

April’s losses have now topped $606 million across 12 incidents in the first 18 days of the month, according to DefiLlama data cited by crypto.news. That makes April 2026 the worst month for crypto hacks since the $1.4 billion Bybit breach in February 2025. (crypto.news)

The concentration is striking: DefiLlama’s hacks database lists Kelp at $293 million, classified as an infrastructure exploit using a LayerZero OFT bridge exploit. The same database puts total bridge losses over time at about $2.9 billion. (defillama.com)

LayerZero said the attack was isolated to Kelp’s rsETH configuration and said there was “zero contagion” to other LayerZero assets or applications. Other analysts have focused less on the messaging layer and more on how quickly one broken bridge position spread risk into lending markets that never held the original exploit path. (layerzero.network) (coindesk.com)

Arbitrum’s Security Council later froze 30,766 ETH tied to the exploit, worth about $71 million at the time, by moving it to an intermediary wallet that requires further governance action. The freeze did not reverse the breach, but it showed how much of DeFi’s crisis response still depends on emergency controls after supposedly trust-minimized systems fail. (coindesk.com)
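
The single-verifier weakness LayerZero described above can be checked mechanically during a configuration review. The following is an added example, not LayerZero or Kelp code: a simplified model of a verifier policy in which every class, function, pathway and verifier name is hypothetical, and which computes how many verifiers must collude before a forged message is accepted.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class VerifierConfig:
    required: frozenset                 # every verifier here must attest
    optional: frozenset = frozenset()   # extra pool, counted as a quorum
    optional_threshold: int = 0         # how many of the pool must attest

    def __post_init__(self):
        if self.required & self.optional:
            raise ValueError("a verifier cannot be both required and optional")
        if not 0 <= self.optional_threshold <= len(self.optional):
            raise ValueError("optional_threshold outside the optional pool size")

def accepts(cfg, attesting):
    """True if the verifiers attesting to a message satisfy the policy."""
    attesting = frozenset(attesting)
    return (cfg.required <= attesting
            and len(cfg.optional & attesting) >= cfg.optional_threshold)

def min_compromise(cfg):
    """Fewest verifiers that must be compromised for a forged message to be
    accepted, found by trying every subset of verifiers, smallest first."""
    pool = sorted(cfg.required | cfg.optional)
    for size in range(len(pool) + 1):
        if any(accepts(cfg, subset) for subset in combinations(pool, size)):
            return size
    raise AssertionError("unreachable: the full pool always satisfies the policy")

def audit(pathways, floor=2):
    """Names of pathways where fewer than `floor` verifiers must collude."""
    return sorted(n for n, cfg in pathways.items() if min_compromise(cfg) < floor)

# Constructed sample configurations (not taken from any real deployment).
PATHWAYS = {
    "one-of-one": VerifierConfig(required=frozenset({"dvn-a"})),
    "two-required": VerifierConfig(required=frozenset({"dvn-a", "dvn-b"})),
    "one-plus-quorum": VerifierConfig(
        frozenset({"dvn-a"}), frozenset({"dvn-b", "dvn-c", "dvn-d"}), 2),
    "no-verifiers": VerifierConfig(required=frozenset()),
}

if __name__ == "__main__":
    forged_by = {"dvn-a"}   # assumption: only dvn-a attests to the forged message
    for name, cfg in PATHWAYS.items():
        print(name, min_compromise(cfg), accepts(cfg, forged_by))
    print("flagged:", audit(PATHWAYS))
```

The audit flags both the 1-of-1 pathway and the empty policy, which is the case a review is most likely to miss because it accepts a message with no attestations at all.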
