KelpDAO, a liquid restaking protocol that reported over $1.3 billion in TVL, said an attacker exploited its LayerZero-powered Omnichain Fungible Token (OFT) bridge adapter, triggering one of the largest DeFi security incidents of 2026. Reported loss estimates currently range between $292 million and $293.7 million, and affected rsETH contracts were paused across Ethereum mainnet and multiple L2s within 46 minutes of detection.
Live Updates — April 21, 2026 (04:20 UTC)
- Aave update: @LlamaRisk has published a report on the rsETH incident, immediate actions, impact on Aave, and potential paths forward. Service providers are assessing two potential bad debt scenarios, and Aave DAO is coordinating with ecosystem participants on coverage solutions. Several indicative commitments have already been received. (Read Aave’s statement | LlamaRisk Report)
- LayerZero statement: LayerZero has now publicly responded, attributing the exploit to a sophisticated state actor (likely DPRK’s Lazarus Group / TraderTraitor). They state the attack was isolated to KelpDAO’s 1/1 DVN configuration via RPC infrastructure poisoning. They confirm zero contagion to other assets, have deprecated the affected RPC nodes, and say the LayerZero Labs DVN is live again. Going forward they will no longer support 1/1 DVN setups. (Read full statement)
- Aave status: rsETH on Ethereum mainnet remains fully backed, but WETH reserves across Ethereum, Arbitrum, Base, Mantle, and Linea remain frozen while losses are assessed.
- Liquidity relief: 1inch and Fluid launched an aWETH redemption mechanism allowing stuck suppliers to exit frozen Aave WETH positions directly into wstETH or weETH (initial $1B capacity).
- Systemic exposure: 24 of 26 rsETH omnichain pathways reportedly used the same vulnerable 1/1 DVN verifier configuration.
- Market reaction: Tron founder Justin Sun publicly offered to help negotiate with the attacker, while large ETH withdrawals linked to associated wallets were observed during the volatility.
Official Responses
KelpDAO stated:
“Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate. We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.” (Read full post)
Aave confirmed its contracts were not exploited and froze rsETH-related markets, adding:
“If the protocol accumulates bad debt from this incident, we’ll explore paths to offset the deficit.” (Read full post)
Liquidity Relief Mechanisms
1inch and Fluid have introduced an aWETH redemption mechanism that allows suppliers stuck in frozen Aave WETH pools to exit positions directly into wstETH or weETH. The facility launched with an initial capacity of up to $1 billion.
This does not unfreeze Aave markets but provides a practical short-term exit route for affected lenders.
What Happened
The attacker pre-funded a wallet via Tornado Cash roughly 10 hours before the exploit. At approximately 17:35 UTC on April 18, the attacker triggered a forged cross-chain message via lzReceive on LayerZero’s EndpointV2 by exploiting KelpDAO’s misconfigured 1/1 DVN (Decentralized Verifier Network) setup tied to the Unichain pathway.
This forged flow minted approximately 116,500 unbacked rsETH — around 18% of circulating supply at the time — before risk controls were activated. The minted tokens were then deposited as collateral into major lending venues, including Aave V3/V4, Compound V3, SparkLend, Euler, and Fluid. The attacker borrowed large volumes of WETH/ETH and extracted funds, leaving substantial bad debt exposure across more than 20 connected chains.
Critical new detail: Security researcher @officer_secret revealed that 24 out of 26 rsETH cross-chain pathways were using the exact same vulnerable 1/1 DVN configuration — meaning the exploit was not an isolated Unichain incident but a systemic configuration risk across almost the entire omnichain deployment. (Read the full analysis)
KelpDAO’s official statement confirmed the incident: “Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate. We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.” (Read full post)
The root cause was isolated to the bridge adapter configuration; core EigenLayer restaking contracts and primary deposit pools were not compromised.
Immediate Protocol Response
KelpDAO activated emergency pauses on rsETH contracts across supported networks and blocked two follow-up attempts. At publication time, the most current updates remain KelpDAO’s live incident communications, with a full audited root-cause analysis (RCA) and post-mortem still pending.
Aave’s official response stated: “The rsETH markets on Aave V3 and Aave V4 have been frozen. Aave’s contracts have not been exploited and this is an exploit related to rsETH. … If the protocol accumulates bad debt from this incident, we’ll explore paths to offset the deficit.” (Read full post)
Aave’s Guardian initiated freezes on rsETH and wrsETH markets starting at 18:52 UTC.
Comparison to Other Major 2026 Exploits
| Rank | Protocol | Date | Chain | Amount Lost | Attack Vector | Key Impact | Recovery Status |
|---|---|---|---|---|---|---|---|
| 1 | KelpDAO (rsETH) | Apr 18 | Ethereum + L2s | $293.7M | LayerZero OFT bridge (1/1 DVN config) | Bad debt in Aave + 20 lending protocols; WETH liquidity stranded | Paused; RCA ongoing |
| 2 | Drift Protocol | Apr 1 | Solana | $285M | Governance/admin-key compromise (social engineering) | >50% of Solana’s largest perp DEX TVL drained | Partial bridge to ETH |
| 3–10 | Various (Step, Truebit, etc.) | Jan–Mar | Various | $13M–$30M each | Private-key leaks, legacy contract bugs | Isolated; minimal contagion | Mostly unrecovered |
Kelp’s exploit stands out for its systemic contagion rather than isolated damage: fake LRT collateral immediately infected lending markets, unlike Drift’s contained Solana-native hit. By contrast, Drift Protocol — the previous largest exploit of 2026 — announced a Tether-led recovery plan on April 16 involving up to $150 million in recapitalization and a shift to USDT settlement (see our related coverage).
Market Status Snapshot
Market Status Snapshot
- rsETH contracts: Paused across affected supported chains
- Redemptions and withdrawals: Temporarily unavailable while bridge pathways remain paused
- Lending integrations: Risk controls and freezes active in major rsETH markets (Aave, Compound, SparkLend, etc.)
- Bad debt accounting: Preliminary estimates in circulation; final protocol-by-protocol reconciliation pending
- AAVE token price impact: Dropped approximately 15–20% in the 48 hours following the exploit (from ~$112–115 to lows near $90), driven by liquidity stress, frozen WETH/rsETH markets, and uncertainty around bad debt socialization. The sell-off reflected perceived systemic risk rather than a direct compromise of Aave’s contracts.
Contagion Across DeFi Markets
The event quickly became a system-level lending incident rather than a single-protocol loss. Multiple venues froze or restricted rsETH-related markets while assessing collateral quality and bad debt impact. Aave’s rsETH markets were frozen on V3 and V4, with public discussion focusing on potential socialization of residual losses through the protocol’s Safety Module / Umbrella mechanism. Protocol-by-protocol bad debt totals for Aave, SparkLend, Compound, Euler, and Fluid were still being finalized at the time of publication.
Why This Matters
rsETH is KelpDAO’s flagship Liquid Restaked ETH (LRT) — a tokenized version of ETH that is staked natively on Ethereum and restaked on EigenLayer for combined staking + AVS yields. Users receive liquid, tradable rsETH while still earning rewards.
This incident is an early 2026 stress test for liquid restaked tokens used as cross-chain collateral. The “1/1 everywhere” revelation (24 out of 26 rsETH pathways using the same vulnerable single-DVN setup) shows that messaging and bridge configuration risk can transmit faster than core contract risk in composable lending environments. In practice, “liquid” collateral can become temporarily illiquid when bridge pathways are paused, redemptions are interrupted, or market-wide risk controls freeze borrowing routes.
What to Watch Next
KelpDAO had not yet published a full root-cause analysis or compensation framework at the time of this draft. Near-term market impact will depend on:
- Final RCA and remediation details
- Any rsETH migration or recapitalization plan
- Updated protocol-level bad debt disclosures
- Reopening conditions for paused markets and redemptions
Developing Story — April 20, 2026 (02:10 UTC): No official post-mortem, compensation framework, or full root-cause analysis has been released yet by KelpDAO or LayerZero. Aave continues assessing bad debt while frozen WETH positions remain unresolved across multiple chains.
DeFiHub will update this article immediately as new information emerges on losses, governance decisions, recovery plans, and market reopenings.
Watch this space. If you have questions, additional on-chain findings, or feedback, please reply directly from this link to our X post for this article.