#KelpDAOBridgeHacked


KelpDAO Bridge Exploit - April 18, 2026: What Happened and Current Status

On April 18, 2026, KelpDAO, a liquid restaking protocol, suffered one of the largest DeFi exploits of the year when its cross-chain bridge was compromised. The attacker managed to drain approximately 116,500 rsETH tokens, valued at roughly $292 million at the time of the incident. This marks the biggest crypto hack of 2026 so far, surpassing the Drift Protocol exploit that occurred earlier in April.

How the Exploit Occurred

The attack exploited a critical vulnerability in KelpDAO's LayerZero-powered bridge infrastructure. The attacker sent a forged cross-chain message to KelpDAO's OFT Adapter on Ethereum mainnet, falsely claiming to originate from Unichain. The root cause was a severe misconfiguration in the bridge's security setup. KelpDAO had implemented a 1-of-1 DVN (Decentralized Verifier Network) configuration, relying on a single LayerZero Labs verifier without any redundancy or optional secondary verifiers. This minimal security approach allowed the fake message to pass validation unchallenged, triggering the bridge vault to release unbacked rsETH tokens to the attacker's wallet.

It is important to note that this was not a bug in the LayerZero protocol itself. LayerZero V2 is designed to be modular, allowing projects to choose their own verifier stack. KelpDAO opted for the most minimal security configuration possible, which proved catastrophic.

The Attacker's DeFi Play

Once the attacker obtained the unbacked rsETH, they immediately deployed it as collateral across multiple DeFi protocols to extract maximum value. On Aave V3 and V4 markets across Ethereum mainnet and Arbitrum, the attacker borrowed approximately 52,834 WETH on Ethereum and 29,782 WETH plus 821 wstETH on Arbitrum. Additional borrowing activity was observed on Compound and Euler protocols, bringing the total extracted value to over $200 million. The stolen funds were subsequently laundered through Tornado Cash.

Immediate Response and Damage Control

KelpDAO detected the exploit within approximately one hour, thanks to on-chain monitoring by security researchers including ZachXBT. The protocol immediately paused bridges on Ethereum and other supported chains, successfully blocking two follow-up attack attempts. KelpDAO has issued a public statement indicating openness to white-hat negotiations with the attacker.

Aave responded by freezing rsETH markets on both V3 and V4 across Ethereum and Arbitrum. Other protocols including SparkLend, Fluid, and Upshift also took preventive action. The incident left Aave with approximately $177 million in bad debt, primarily on Arbitrum, though the Ethereum mainnet markets remain collateralized but at risk of spillover effects. Lido paused earnETH deposits as a precautionary measure, while Ethena and USDT0 preemptively paused their bridges despite having no direct exposure.

Secondary risks emerged as ETH utilization spiked to 100% on Aave, potentially delaying liquidations and creating borrow incentive imbalances.

Current Status and Implications

As of April 19-20, 2026, bridged rsETH holders face potential haircuts of 15-20% pending any recovery efforts. The Aave community is actively discussing governance proposals for bad debt resolution, with debates ongoing about whether to treat Arbitrum and Ethereum mainnet positions separately.

The incident serves as a stark reminder for DeFi projects to audit their OApp configurations and implement multi-DVN setups with 3-4 required verifiers rather than relying on single points of failure. Fortunately, no other LayerZero OFT projects have been affected by this specific vulnerability.
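
An added example (not KelpDAO's or LayerZero's code) of the configuration audit recommended above: it counts how many distinct DVNs must attest on each pathway and flags the 1-of-1 case described earlier. The `UlnConfig` class, its field names, the pathway names and the addresses are constructed for illustration, and the default floor of 3 follows the recommendation in this post.

```python
from dataclasses import dataclass, field

@dataclass
class UlnConfig:
    """Effective receive-side verifier config for one pathway (defaults resolved)."""
    remote: str
    required_dvns: list
    optional_dvns: list = field(default_factory=list)
    optional_threshold: int = 0

def quorum(cfg):
    """Number of distinct verifiers that must attest before a message is accepted."""
    required = {a.lower() for a in cfg.required_dvns}
    optional = {a.lower() for a in cfg.optional_dvns} - required
    return len(required) + min(cfg.optional_threshold, len(optional))

def audit(cfg, min_verifiers=3):
    """Return findings for one pathway; min_verifiers is the policy floor."""
    findings = []
    listed = [a.lower() for a in cfg.required_dvns + cfg.optional_dvns]
    if len(set(listed)) != len(listed):
        findings.append("duplicate DVN address: listed count overstates independence")
    if cfg.optional_threshold > len(cfg.optional_dvns):
        findings.append("optional threshold exceeds the optional DVNs listed")
    if cfg.optional_dvns and cfg.optional_threshold == 0:
        findings.append("optional DVNs listed with threshold 0: none is ever needed")
    q = quorum(cfg)
    if q <= 1:
        findings.append("fewer than two verifiers: one attestation (or none) approves a message")
    elif q < min_verifiers:
        findings.append(f"quorum {q} is below the policy minimum {min_verifiers}")
    return findings

# Constructed sample data: placeholder addresses, not any project's real DVNs.
DVN_A, DVN_B, DVN_C, DVN_D = ("0x" + c * 20 for c in ("aa", "bb", "cc", "dd"))
PATHWAYS = [
    UlnConfig("unichain", [DVN_A]),                            # 1-of-1
    UlnConfig("arbitrum", [DVN_A, DVN_B], [DVN_C, DVN_D], 1),  # 2 required + 1 of 2
    UlnConfig("base", [DVN_A, "0x" + "AA" * 20]),              # same DVN listed twice
]

if __name__ == "__main__":
    for cfg in PATHWAYS:
        print(cfg.remote, quorum(cfg), audit(cfg) or "ok")
```

The third pathway shows why the check deduplicates addresses: a list of two entries can still resolve to a single verifier.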

Security researchers expect full root cause analyses to be published in the coming days. Users are advised to monitor official channels from KelpDAO, Aave, and security analysts like ZachXBT for real-time updates on the situation.
Contains AI-generated content
Yajing
· 1h ago
To The Moon 🌕
HighAmbition
· 1h ago
Go forward with strength 🚀
Falcon_Official
· 2h ago
watching closely
MasterChuTheOldDemonMasterChu
· 2h ago
Steadfast HODL💎