KelpDAO was drained of $292 million on April 18, 2026 in the largest decentralised finance exploit of the year. The attacker targeted KelpDAO’s LayerZero cross-chain bridge, extracting 116,500 rsETH tokens representing approximately 18 percent of the total circulating supply. The attack completed in 46 minutes. Two follow-up attempts totalling approximately $100 million were blocked by circuit breakers. Aave, SparkLend, and Fluid have all frozen rsETH markets and the leading lending protocol is now carrying an estimated $177 million to $196 million in bad debt from rsETH collateral that is no longer properly backed.
Key Highlights
- KelpDAO’s LayerZero bridge was exploited for $292 million on April 18, 2026, making it the largest DeFi hack of 2026
- 116,500 rsETH tokens were drained in 46 minutes, representing 18% of total rsETH supply
- Two follow-up attack attempts totalling $100 million were blocked by automated circuit breakers
- Aave, SparkLend, and Fluid have frozen all rsETH markets pending an incident response
- Aave is carrying an estimated $177 million to $196 million in bad debt from unbacked rsETH collateral
- rsETH was deployed across 20 or more chains, all of which are now affected by the supply distortion
How the Attack Worked
KelpDAO’s rsETH is a liquid restaking token backed by ETH deposited through EigenLayer. The LayerZero bridge allowed rsETH to move cross-chain while maintaining its peg to the underlying ETH collateral. The attacker found a flaw in the bridge’s message verification logic that allowed them to mint rsETH on receiving chains without a corresponding deposit of ETH on the source chain. By executing the exploit across multiple chains simultaneously, the attacker diluted the rsETH supply before the protocol’s internal monitors triggered a halt.
The 46-minute window between the first malicious transaction and the circuit breaker activation is a number that will be studied in DeFi security post-mortems for years. The protocol’s oracle feeds did not immediately reflect the supply distortion, which allowed the attacker to use the newly minted rsETH as collateral on lending platforms before the market repriced the token. Cross-chain bridge exploits have been responsible for more than 60 percent of all DeFi losses since 2022.
Aave Faces a Nine Figure Bad Debt Problem
The contagion from KelpDAO to Aave is the most consequential second-order effect of the exploit. Borrowers had deposited rsETH as collateral on Aave V3 to borrow stablecoins and ETH. When the rsETH market froze, those positions became impossible to liquidate in the normal way. Aave’s risk teams estimate the protocol is now holding between $177 million and $196 million in debt that is backed by rsETH collateral that no longer has reliable market value.
Aave’s response has been to halt rsETH markets entirely and convene an emergency governance vote to determine how to absorb the bad debt. The options on the table include a coordinated liquidation of all rsETH positions at a discount once a floor price is established, a backstop from Aave’s Safety Module reserves, and a potential coordination with KelpDAO on a recovery plan. Aave V4 launched on Ethereum mainnet on March 30, 2026, and the protocol is now managing a crisis-level incident at the same time it is onboarding users to its new architecture. AAVE’s token fell 16 percent on the news.
The LayerZero Bridge Risk
This is the second major exploit of a LayerZero-enabled bridge in 2026. The cross-chain messaging protocol is widely used across DeFi because it enables fast, flexible asset bridging without requiring full liquidity pools on every chain. That flexibility comes with complexity, and complexity in bridge contracts has proven to be the single most reliable source of catastrophic DeFi losses. Bridge exploits have claimed hundreds of millions from the Ronin, Wormhole, and Nomad protocols in prior cycles, each followed by improved standards that have not yet proved sufficient.
The DeFi ecosystem has known for years that bridges are its most dangerous infrastructure. Each attack led to new security auditing standards and cross-chain messaging improvements. KelpDAO’s $292 million loss suggests that the fundamental architecture of cross-chain bridges still carries risks that auditing alone cannot eliminate. DeFi losses in Q1 2026 totalled $169 million across 34 incidents, and April has now shattered the full-quarter figure in 18 days.
rsETH Stranded Across 20 Chains
One of the less-covered dimensions of this exploit is the geographic scope of the damage. KelpDAO deployed rsETH across more than 20 blockchain networks including Arbitrum, Optimism, Base, Polygon, BNB Chain, and several smaller L2 networks. On every one of those chains, rsETH holders are now holding a token whose backing has been compromised. Liquidity for rsETH on decentralised exchanges across all these networks has collapsed.
Users who did not deposit rsETH as collateral on a lending protocol are still exposed to the repricing because the token’s redeemability for underlying ETH is now uncertain pending the resolution of the exploit. KelpDAO has announced a post-exploit incident team and is working with LayerZero, security firms, and on-chain investigators to trace the attacker’s wallet movements. The broader crypto market has so far absorbed the KelpDAO shock without a major decline, suggesting that spot market sentiment and DeFi security sentiment are currently decoupled.
What Happens Next
The immediate priority for affected protocols is establishing a credible rsETH floor price so that liquidations can proceed in an orderly way. Without a market price, Aave cannot resolve its bad debt positions. KelpDAO’s treasury and any recovered funds will determine what recovery ratio rsETH holders can expect. Ethereum’s broader ecosystem continues to absorb the shock while governance teams work through their response options. The protocol has not yet published a recovery plan with specific percentages.
For the broader DeFi market, the KelpDAO exploit arrives at a moment when institutional interest in DeFi protocols is at its highest level ever. Aave V4’s launch targeting real-world credit markets was a signal of DeFi’s maturation. Each major exploit tests whether that institutional confidence is durable or whether it retreats to centralised alternatives that carry different but more familiar risks.
The TCB View
$292 million drained in 46 minutes. The number is staggering, but the mechanism is familiar: a bridge, a minting flaw, and not enough latency between attack and halt. What makes this one different is the contagion vector. Aave carrying up to $196 million in bad debt is not a KelpDAO problem contained within KelpDAO. It is a protocol interdependency problem that the DeFi ecosystem has understood in theory but keeps encountering in practice. The real question is not whether cross-chain bridges can be made more secure. They can. The question is whether the pace of security improvements is faster than the pace of capital deployed into unaudited bridge infrastructure. Based on April 2026, the answer is still no.
Free Daily Briefing
Get the Daily Briefing
Crypto, AI, and Web3 intelligence. Free, every day.
The Daily Brief by TCB
Crypto, AI & finance intelligence in 5 minutes. Every weekday morning. Free.
