
KelpDAO and Volo Lost a Combined $295 Million This Week. The Reasons Are Completely Different.

By Mohana Priya

KelpDAO lost $292 million on April 19 because its LayerZero bridge used a single verification node instead of multiple ones. Volo Protocol lost $3.5 million on April 21 because someone got access to the admin private key that controlled three of its vaults. Two hacks in three days. Completely different failure modes. The only thing they share is that both were avoidable with decisions that would have cost almost nothing to make differently.

Key Highlights

  • KelpDAO was drained of $292 million on April 19 via a LayerZero bridge exploit. The attacker used RPC spoofing and a DDoS attack to manipulate the bridge’s single decentralized verifier node into confirming fraudulent cross-chain transactions.
  • Volo Protocol lost $3.5 million on April 21 on the Sui blockchain after a compromised admin private key gave an attacker effective ownership over three vaults holding WBTC, XAUm, and USDC
  • Volo recovered approximately $2 million of the stolen funds and pledged to cover the remaining $1.5 million from treasury, making users whole
  • KelpDAO’s rsETH remains stranded across 20 chains. Aave, SparkLend, and Fluid froze markets as the asset’s backing became uncertain
  • DeFi TVL fell from $99 billion to $85 billion in 48 hours after the KelpDAO exploit, the lowest level in a year
  • LayerZero attributed the KelpDAO attack to Lazarus Group. The Volo hack appears unrelated to any state-sponsored actor: it was a compromised admin key, not nation-state infrastructure targeting.

KelpDAO: what a single DVN configuration actually costs

LayerZero’s bridge technology uses decentralized verifier networks to confirm that a transaction on one chain actually occurred before the bridge acts on it on another chain. LayerZero’s own documentation recommends using multiple verifier instances specifically because a single instance creates a single point of failure. If that one node can be compromised, the verification layer collapses.

KelpDAO ran a one-of-one configuration. One verifier node. Lazarus Group, attributed by LayerZero based on preliminary forensics, identified the specific RPC nodes it depended on. They replaced the software on two of them with malicious versions. The malicious nodes confirmed transactions that had never occurred, while returning accurate data to every other system querying from different IP addresses. Selectively blind. Precisely targeted.
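The quorum failure described above can be reproduced in a small model. This is an added example, not code from LayerZero or KelpDAO: the verifier names, RPC labels, message ids and `audit` findings are constructed, and it goes one step beyond the article by also flagging verifiers that share an RPC source.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Verifier:
    name: str
    rpc: str  # endpoint this verifier reads source-chain state from

# Constructed data: what each RPC endpoint claims happened on the source chain.
# "rpc-a" is the poisoned endpoint and reports a deposit that never occurred.
RPC_VIEWS = {
    "rpc-a": {"msg-real", "msg-forged"},
    "rpc-b": {"msg-real"},
    "rpc-c": {"msg-real"},
}

def bridge_accepts(message_id, verifiers, threshold, views=RPC_VIEWS):
    """Destination side acts only if `threshold` distinct verifiers attest."""
    votes = {v.name for v in verifiers if message_id in views.get(v.rpc, set())}
    return len(votes) >= threshold

def audit(verifiers, threshold):
    """Static review of a verifier set; returns a list of findings."""
    findings = []
    if threshold < 2:
        findings.append("single-verifier quorum")
    if threshold > len(verifiers):
        findings.append("threshold unreachable")
    rpcs = [v.rpc for v in verifiers]
    if len(set(rpcs)) < len(rpcs):
        findings.append("verifiers share an RPC source")
    return findings

# Three constructed configurations: (verifier set, threshold).
ONE_OF_ONE = ([Verifier("dvn-1", "rpc-a")], 1)
TWO_OF_THREE = ([Verifier("dvn-1", "rpc-a"), Verifier("dvn-2", "rpc-b"),
                 Verifier("dvn-3", "rpc-c")], 2)
SHARED_RPC = ([Verifier("dvn-1", "rpc-a"), Verifier("dvn-2", "rpc-a")], 2)

if __name__ == "__main__":
    for label, (vs, t) in [("1-of-1", ONE_OF_ONE), ("2-of-3", TWO_OF_THREE),
                           ("2-of-2 shared RPC", SHARED_RPC)]:
        print(label, "| forged accepted:", bridge_accepts("msg-forged", vs, t),
              "| real accepted:", bridge_accepts("msg-real", vs, t),
              "| findings:", audit(vs, t))
```

The third configuration shows why counting verifiers is not enough: two verifiers that read the same poisoned endpoint still form a single point of failure.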

The attacker minted 116,500 rsETH with no actual collateral behind them. Those tokens spread across 20 chains as collateral in DeFi lending protocols. By the time Kelp’s team understood what had happened, the attacker had deposited nearly 90,000 rsETH into Aave as collateral and borrowed approximately $190 million in ETH and other assets across Ethereum and Arbitrum. Combined with the earlier Drift Protocol exploit on April 1, Lazarus Group has now taken $577 million from DeFi in 18 days. Both attacks are attributed to the same unit. Two different methods.

Volo: a completely different problem

Volo Protocol’s exploit on the Sui blockchain had nothing to do with bridge verification or smart contract logic. GoPlus Security and ExVul both confirmed that Volo’s audited contracts were not the issue. The problem was an admin private key. Whoever held that key had the ability to act as the vault owner, which in this case meant transferring vault contents at will.

The attacker got that key. Three vaults holding WBTC, XAUm, and USDC were drained. Total: $3.5 million. The Volo team froze remaining vaults, coordinated with the Sui Foundation, and moved to block a WBTC bridge transfer that would have made recovery harder. About $2 million has been recovered. Volo pledged to cover the remaining $1.5 million from its treasury. Users will be made whole. The team kept the protocol alive by absorbing the loss themselves.

The contrast with KelpDAO is instructive. Volo’s response was faster, the damage was contained, and the path to user reimbursement was clear within 48 hours. That is partly a scale difference: $3.5 million is a crisis any reasonably funded protocol can absorb. $292 million is not. But it also reflects an operational response difference. The broader April DeFi security picture consistently shows that protocols with rehearsed incident response contain damage better than those building the response in real time.

Two separate failure modes, one shared root cause

KelpDAO failed because a bridge configuration decision was wrong in a way that a publicly available LayerZero security recommendation would have prevented. The multi-DVN recommendation is in LayerZero’s documentation. It was there before the attack. Volo failed because an admin private key had insufficient access controls. A hardware security module, a multisig requirement, or a time-locked revocation could have stopped the attack at the key compromise stage.
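A sketch of two of the controls named above, a multisig requirement and a time delay with veto, applied to a vault withdrawal. This is an added example, not Volo's code: `GuardedVault`, the signer names, the 2-of-3 threshold and the 24-hour delay are assumptions, and the HSM option is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class GuardedVault:
    signers: frozenset   # key holders (names are constructed for the example)
    threshold: int       # distinct approvals needed to move funds
    delay: int           # seconds a queued withdrawal must wait
    balance: int
    queue: dict = field(default_factory=dict)

    def _check(self, signer):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a vault signer")

    def propose(self, signer, amount, now):
        self._check(signer)
        wid = len(self.queue) + 1
        self.queue[wid] = {"amount": amount, "eta": now + self.delay,
                           "approvals": {signer}, "cancelled": False}
        return wid

    def approve(self, signer, wid):
        self._check(signer)
        self.queue[wid]["approvals"].add(signer)

    def cancel(self, signer, wid):  # any single signer may veto during the delay
        self._check(signer)
        self.queue[wid]["cancelled"] = True

    def execute(self, wid, now):
        w = self.queue[wid]
        if w["cancelled"]:
            return "rejected: cancelled"
        if now < w["eta"]:
            return "rejected: timelock not elapsed"
        if len(w["approvals"]) < self.threshold:
            return "rejected: approvals below threshold"
        if w["amount"] > self.balance:
            return "rejected: insufficient balance"
        self.balance -= w["amount"]
        w["cancelled"] = True  # mark spent so it cannot run twice
        return "executed"

def stolen_key_scenario():
    # One compromised key ("ops-1") tries to drain a 2-of-3 vault.
    v = GuardedVault(frozenset({"ops-1", "ops-2", "ops-3"}), 2, 86_400, 1_000)
    wid = v.propose("ops-1", 1_000, now=0)
    early, late = v.execute(wid, now=10), v.execute(wid, now=90_000)
    v.cancel("ops-2", wid)
    return early, late, v.execute(wid, now=90_000), v.balance
```

With a single owner key, the `propose` call alone would have been the transfer; here the stolen key only creates a pending request that the other signers can see and veto.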

Neither of these required novel security research to prevent. Both required applying standards that already existed and were publicly documented. That is the uncomfortable truth about April 2026. The protocols getting exploited are not losing to sophisticated zero-day vulnerabilities. They are losing to configuration decisions that auditors have flagged, documentation has warned against, and the industry has discussed publicly for years.

What the Aave response tells you

Aave froze markets within hours of KelpDAO becoming public. So did SparkLend and Fluid. The protocols acted on rsETH’s uncertain backing before the full picture was clear, which is the right call. That response speed is a meaningful improvement from how DeFi handled contagion risk in 2022, where freeze mechanisms often failed or arrived too late.

Better incident response is not the same as being secure. Institutional capital flowing into Bitcoin ETFs rather than DeFi yield strategies is partly a response to exactly this pattern. The ecosystem absorbed the hit faster than it would have two years ago. It still absorbed $292 million.

The TCB View

The KelpDAO and Volo exploits are not evidence that DeFi is unfixable. They are evidence that DeFi teams are not applying fixes that already exist. Multi-DVN bridge configurations and hardware-protected admin keys are not cutting-edge security research. They are documented standards that teams chose not to implement. Until protocol treasuries, insurance, and governance start treating security implementation as a hard requirement rather than a best practice, the pattern holds. Every major DeFi hack in April 2026 was preventable. That sentence being true is more damning than any dollar figure attached to it.

Mohana Priya is a staff reporter at The Central Bulletin covering crypto regulation, DeFi policy, and Web3 legal developments. She tracks legislative developments across the US, EU, and Asia, specialising in breaking down complex regulatory frameworks for a general audience.
