I Had Skin in This Game. So Did You (Maybe).
Let me be upfront.
I invested in the KelpDAO pre-sale. My tokens are still partly vested. And as of this weekend, I’m pretty confident that investment is worth close to zero now.
When the attack first started showing up on-chain, we were already sharing retweets trying to get the word out. If you had exposure in Kelp or Aave, I genuinely hope you had time to act.
I personally had some funds sitting in Aave. Nothing crazy. But the moment I saw what was happening, I withdrew. Fast.
This one hit different.
So What Actually Happened?
On April 18, 2026, a hacker stole approximately $292 million from a DeFi protocol called KelpDAO.
It is now the largest DeFi hack of 2026.
And the wild part? They did it in about 46 minutes.
No brute force. No broken encryption. Just a deeply clever attack on a weak point that nobody fixed — even though they were warned about it.
Let’s break it down from the beginning.
What Is KelpDAO? (Quick Explainer)
If you’re new to this, here’s the short version.
Ethereum staking is when you lock up ETH to help secure the network. In return, you earn yield.
KelpDAO takes that a step further. You deposit your staked ETH into KelpDAO, which routes it through a system called EigenLayer to earn even more yield. In return, you receive a token called rsETH — a receipt proving you have ETH locked up.
Think of rsETH like a claim ticket. Hand it in, get your ETH back.
That rsETH lives on over 20 different blockchain networks — Ethereum, Base, Arbitrum, and more. To move it between chains, KelpDAO used a bridge powered by LayerZero, a popular cross-chain messaging protocol.
That bridge is where everything went wrong.
How Bridges Work (In Plain English)
Imagine you have a $100 bill in the US. You want to use it in Japan.
A bridge is like a currency exchange booth. You hand in your $100, it gets locked in a vault, and the booth issues you ¥14,000 on the other side.
Blockchain bridges work the same way. Lock your token on one chain, release an equivalent token on another.
But here’s the key thing: the bridge has to verify the lock actually happened.
That verification is the job of something LayerZero calls a DVN — a Decentralized Verifier Network. Think of DVNs as security guards checking IDs before releasing funds.
KelpDAO only had one security guard.
The Attack: Step by Step
Here’s exactly how the hack unfolded.
Step 1: Pick the target.
The attackers — later linked to North Korea’s Lazarus Group — identified that KelpDAO’s bridge used a single DVN. One verifier. One point of failure.
Step 2: Poison the guard.
LayerZero’s DVN relied on a set of RPC nodes — servers that read and write blockchain data. The attackers compromised two of those nodes and replaced their software with malicious versions.
These poisoned nodes would report fake transaction data to LayerZero’s verifier. But they kept reporting accurate data to everything else — so no alarms went off.
Step 3: Kill the backup nodes.
Two poisoned nodes alone weren’t enough. So the attackers launched a DDoS attack — flooding the healthy nodes with traffic until they went offline.
With the clean nodes down, LayerZero’s verifier had no choice but to rely on the poisoned ones.
Step 4: Send a fake transaction.
At 17:35 UTC, the attacker sent a crafted message to KelpDAO’s bridge. The message said: “A valid cross-chain transaction occurred. Release 116,500 rsETH.”
The verifier, now running on poisoned data, approved it.
No real ETH ever moved. The rsETH was minted out of thin air.
Step 5: Use it as collateral.
The attacker didn’t try to sell $292 million in rsETH. That would crash the price immediately.
Instead, they deposited it into Aave V3 and V4 as collateral — and borrowed real wrapped ETH (WETH) against it.
Real money. Out the door. Backed by nothing.
Why Did KelpDAO Have Only One Verifier?
This is the question everyone is asking.
LayerZero had repeatedly recommended that integrators use multiple DVNs. The idea is simple: if you need 3 out of 5 verifiers to agree before releasing funds, compromising one verifier does nothing.
KelpDAO chose a 1-of-1 setup. One verifier. If it approves, the bridge approves. No backup. No check.
LayerZero confirmed they warned Kelp directly. Kelp did not update the configuration.
After the exploit, LayerZero announced they will no longer sign messages for any project running a 1-of-1 setup. That door is closed now.
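A small model of the two weak points described above (the verifier falling back to whichever RPC nodes still answer, and the 1-of-1 DVN setting), added here as an example; it is not LayerZero's or KelpDAO's code. The five-node RPC set, the quorum of 3, and every name and hash string are assumptions constructed for illustration.

```python
from collections import Counter

FORGED = "forged-message-hash"   # constructed value: what the poisoned nodes report
NO_SUCH_TX = "no-such-tx"        # constructed value: what an honest node reports

def rpc_view(responses, quorum, fail_open):
    """Payload a verifier accepts from its RPC nodes, or None if it refuses to attest.

    responses has one entry per configured node; None means the node is unreachable.
    fail_open=True trusts whichever nodes still answer (the fallback described above).
    fail_open=False needs `quorum` matching answers, however many nodes are down.
    """
    live = [r for r in responses if r is not None]
    if not live:
        return None
    value, votes = Counter(live).most_common(1)[0]
    if fail_open:
        return value if votes == len(live) else None
    return value if votes >= quorum else None

def bridge_accepts(attestations, claimed, required):
    """M-of-N DVN rule: release only if `required` verifiers attest to `claimed`."""
    return sum(1 for a in attestations if a == claimed) >= required

def run_scenario(fail_open, required, n_dvns):
    """DVN 0 has 2 poisoned and 3 DDoSed nodes; every other DVN has 5 honest nodes."""
    attacked = [FORGED, FORGED, None, None, None]
    healthy = [NO_SUCH_TX] * 5
    views = [rpc_view(attacked, 3, fail_open)]
    views += [rpc_view(healthy, 3, False) for _ in range(n_dvns - 1)]
    return bridge_accepts(views, FORGED, required)

if __name__ == "__main__":
    print("1-of-1, fail-open RPC  :", run_scenario(True, 1, 1))
    print("1-of-1, fail-closed RPC:", run_scenario(False, 1, 1))
    print("3-of-5, fail-open RPC  :", run_scenario(True, 3, 5))
```

In this model either control on its own blocks the forged release: a verifier that refuses to attest without a quorum of its configured nodes, or a bridge that requires 3 of 5 independent verifiers.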
The Aave Contagion
Here’s where it gets worse.
After the attacker borrowed WETH against fake rsETH, Aave was left holding bad debt.
Real WETH depositors — people like me — saw their funds become unreachable. Aave’s WETH pool hit 100% utilization. That means every single dollar of WETH in that pool was borrowed. No one could withdraw.
The borrow positions couldn’t be liquidated either. The collateral (rsETH) had lost its real backing, so liquidating it would generate no value.
Aave froze its rsETH markets immediately. So did SparkLend and Fluid.
Then the panic withdrawals started. Aave’s total value locked dropped by over $6 billion in roughly 24 hours — from $26.4B down to near $20B.
The AAVE token dropped 18%.
And Aave’s insurance fund? It holds about $50 million. The bad debt is roughly $196 million.
There’s a $146 million gap. Governance will have to figure that out.
Who Did This?
LayerZero published a detailed incident report pointing to North Korea’s Lazarus Group — specifically a subunit called TraderTraitor.
This isn’t their first rodeo in 2026 either.
Earlier, on April 1, the same group drained $285 million from Drift Protocol on Solana, using a completely different method (social engineering). Then $292 million from Kelp on April 18.
That’s over $575 million stolen in 18 days by the same crew.
They adapt fast. DeFi is not adapting fast enough.
What Happened to rsETH on Other Chains?
This part often gets missed in the coverage.
rsETH exists on 20+ chains. The reserves backing those tokens were held in that same bridge that got drained.
So holders on Base, Arbitrum, Linea, Blast, and other L2s are now sitting on tokens with uncertain backing.
If everyone tries to redeem their rsETH for real ETH on Ethereum at the same time, there isn’t enough to go around. It’s a bank run scenario.
KelpDAO paused rsETH contracts across mainnet and multiple L2s. They’re working with auditors and security teams. But the question of how much of the stolen funds can be recovered — if any — remains unanswered.
The Bigger Picture
This isn’t just a KelpDAO problem.
2026 has been brutal for DeFi. A string of major exploits including CoW Swap, Zerion, Silo Finance, and Resolv Labs — and now this.
Cumulative losses across DeFi in 2026 are approaching $700 million.
The Kelp hack exposed something structural. rsETH was accepted as collateral on Aave, SparkLend, and Fluid — all based on its assumed 1:1 backing with ETH. The risk models never priced in “what if the bridge gets drained on a Saturday?”
That’s the systemic risk nobody modeled.
Cross-chain is powerful. But every bridge is a potential single point of failure. And when a nation-state with billions in stolen crypto funds is hunting for that failure — one misconfigured verifier is all they need.
Key Takeaways (If You’re Building or Investing in DeFi)
For protocols: Use multiple independent verifiers. Always. Not optional.
For users: Understand what backs the collateral in lending protocols. If it’s a bridged token, know which bridge.
For everyone: Speed of withdrawal matters. Panic is contagious in DeFi. If something breaks, the first movers get made whole. The last movers eat the loss.
Final Thoughts
I lost money in this. The KelpDAO pre-sale investment is almost certainly gone.
But more than the money, this shook confidence. Aave is supposed to be the backbone of DeFi. When Aave has contagion risk, everything downstream does too.
The exploit didn’t break any smart contracts. It didn’t require a single line of malicious on-chain code.
It just needed one misconfigured bridge and one poisoned server.
That’s the part that should keep builders up at night.
Stay safe out there. And if you had exposure — I genuinely hope you got out in time.

Written April 20, 2026. All figures sourced from on-chain data and official incident reports at time of publication.