KelpDAO exploit $292M loss

KelpDAO’s April 18 exploit has become one of the largest DeFi losses of 2026, with LayerZero putting the loss at about $290 million and later reports citing roughly $292 million. The breach centered on KelpDAO’s rsETH bridge, a LayerZero-powered system used to move the liquid restaking token across chains. LayerZero said the incident was isolated to KelpDAO’s rsETH configuration and stemmed from the protocol’s use of a single-DVN setup. The exploit then spread beyond KelpDAO itself as unbacked rsETH moved into lending markets and triggered wider withdrawals across DeFi. ### How did the KelpDAO exploit happen? LayerZero said on April 19 that KelpDAO’s rsETH configuration used a “single-DVN setup,” meaning message verification depended on one path rather than multiple independent checks. In its incident statement, LayerZero said that setup created the direct condition that allowed the exploit. KelpDAO’s bridge was used to move rsETH across more than 20 chains, according to NFT Plazas, and the exploit involved a forged cross-chain message that released about 116,500 rsETH without matching assets being locked on the source chain. NFT Plazas said that amount was worth about $292 million at the time and represented roughly 18% of circulating rsETH. (layerzero.network) ### Why did a bridge bug hit the rest of DeFi? Aave became a central part of the fallout because the attacker used the unbacked rsETH as collateral on Aave markets, according to CCN. CCN reported that the attacker borrowed against those tokens and that the incident set off a broader liquidity shock as users pulled funds from lending venues. (nftplazas.com) CCN said on May 19 that Aave’s total value locked had fallen 45% to $14.56 billion in the month after the exploit, while weekly active users dropped 56% and fees and revenue also declined. In an earlier report, CCN said Aave’s TVL fell 35% in two days immediately after the April 18 breach. ### What does “1-of-1 verifier” mean in this case? LayerZero’s description points to a basic concentration problem: KelpDAO configured verification so one compromised or bypassed path could approve a message. (ccn.com) LayerZero said the incident was a direct consequence of that single-DVN design, not of a broader failure across all LayerZero deployments. NFT Plazas described the same issue as a “single-point-of-failure” in KelpDAO’s bridge configuration. (ccn.com) That matters because bridges are supposed to confirm that tokens were actually locked or burned before releasing assets on another chain; in this case, reports said the validation logic accepted a forged message instead. ### How much of the stolen money has been contained? (layerzero.network) Arbitrum’s Security Council froze about 30,766 ETH, worth roughly $100 million, that was tied to the KelpDAO exploit, according to CCN. CCN said the assets were moved to a secure wallet and now await a full Arbitrum DAO governance vote on next steps. LayerZero said preliminary indicators suggested attribution to a “highly-sophisticated state actor,” likely North Korea’s Lazarus Group, specifically TraderTraitor. (nftplazas.com) That attribution remains preliminary in the company’s statement. ### Where does this leave KelpDAO and the wider market? CCN’s running tally of major DeFi exploits said KelpDAO’s April 18 loss was the largest listed DeFi hack of 2026 so far at $292 million, ahead of several other nine-figure incidents. (ccn.com) The same roundup showed cumulative 2026 DeFi losses running well above the figure cited in social posts about losses topping $750 million. (layerzero.network) The next concrete milestone is on Arbitrum, where the DAO still has to vote on the frozen ETH tied to the exploit, according to CCN. KelpDAO’s own public-facing site remained available on May 20, but I did not find a primary-source post in the search results confirming the timing or scope of any partial reopening, so that part of the story remains less clearly documented in the sources reviewed. (kelpdao.xyz) (ccn.com)