On April 19, Kelp DAO’s LayerZero-powered bridge was drained of 116,500 rsETH, worth approximately $292 million. The attack, attributed to North Korea’s Lazarus Group by LayerZero, sent shockwaves through the entire DeFi ecosystem: within 48 hours, Aave lost $8.45 billion in deposits and total DeFi TVL fell by $13.21 billion.
Key Takeaways
- 116,500 rsETH stolen via a LayerZero flaw on April 19 ($292M)
- DeFi TVL down $13.21 billion in two days; Aave exposed to up to $230M in potential losses
- Arbitrum froze $71M linked to the exploit; LayerZero and Kelp exchange blame
A Flaw in the Cross-Chain Messaging Layer
At 5:35 UTC on April 19, an attacker drained 116,500 rsETH from Kelp DAO’s LayerZero bridge.
The amount represents roughly 18% of rsETH’s 630,000-token circulating supply and, at prevailing prices, exceeds $292 million.
This makes the Kelp exploit the largest DeFi hack of 2026, surpassing Drift by several million dollars.
The mechanics were precise. The attacker compromised two RPC nodes and launched a distributed denial-of-service attack to force a failover.
This tricked LayerZero’s verifier into approving a fraudulent cross-chain transaction. The messaging layer then released rsETH to an attacker-controlled address without triggering any alert before the funds were already gone.
Kelp’s emergency pauser multisig froze the protocol’s core contracts 46 minutes later, at 6:21 PM.
The response was swift but insufficient: the $292 million had already been dispersed across twenty blockchains.
It stands as the largest DeFi exploit of the year, surpassing Drift by a few million dollars.
LayerZero released a preliminary attribution linking the attack to North Korea’s Lazarus Group based on on-chain flow analysis.
However, Kelp and LayerZero have since traded blame publicly. LayerZero argues that Kelp’s configuration was flawed. Kelp counters that LayerZero’s default settings were what made the attack possible.
This dispute between two audited, established protocols points to a structural blind spot in the modular security model: the security of any protocol depends on every layer it assembles, with no unified minimum standard across the stack.
In the week before the exploit, rsETH was one of the most widely used restaking assets as collateral on DeFi lending platforms. This position as a liquidity hub explains the speed at which contagion spread through the ecosystem.
The Shockwave: Aave and $13 Billion Erased
The damage did not stop at Kelp. Within 48 hours, Aave recorded $8.45 billion in deposit outflows.
A $300 million borrowing spike on the platform signaled intense pressure on existing positions and a broad flight to liquidity.
Aave’s exposure to the Kelp fallout could reach $230 million, according to analyses published in specialized outlets.
Total DeFi TVL declined by $13.21 billion over the period, erasing weeks of institutional deposit recovery across the ecosystem. User reaction was immediate and sharp.
The phrase “DeFi is dead” spread widely in the community, reflecting deep distrust of cross-chain architectures following an incident of this scale.
The modular design, often presented as a composability advance, is now under scrutiny. Stacking security layers from different providers without a unified minimum standard creates attack surfaces that standard audits and bug bounties do not fully cover.
The fact that both Kelp and LayerZero are audited, established protocols makes the situation more alarming, not less.
Restaking protocols mechanically amplify this risk. By chaining liquidity layers (native ETH, then stETH, then rsETH used as collateral on Aave), every link in the chain becomes a potential contagion vector.
A single point of failure was enough to trigger a cascade reaction across twenty blockchains simultaneously.
Also worth checking on Cryptonomic:
- Why Is Vitalik Buterin Selling All His Ethereum?
- Be careful if you hold the ONDO cryptocurrency
- Did the US government lose $40 million in Bitcoin?!
Partial Recovery and Structural Questions for Bridges
On April 21, Arbitrum’s Security Council took a notable step: it froze 30,766 ETH (approximately $71 million) linked to the exploit and transferred the funds to a governance-controlled wallet.
This represents a recoverable fraction of the stolen amount, but it also highlights an uncomfortable reality: Arbitrum has an active Security Council capable of moving quickly. Not every chain affected by the hack does.
Recovery remains fragmented. Funds are dispersed across twenty blockchains, and any coordination between Security Councils runs up against the fragmentation of cross-chain governance.
The Kelp exploit exposes this structural problem directly: bridges concentrate systemic risk in a theoretically decentralized ecosystem, with no coordinated response mechanism at scale.
Over the medium term, the incident reignites the debate over security standards for cross-chain infrastructure.
Independent audit requirements for bridges could be formalized before any major institutional deployment.
Restaking protocols will also face renewed scrutiny from institutional actors who had begun integrating them into on-chain yield strategies.
Regulatory pressure on cross-chain bridges, largely absent from legislative texts currently under discussion in the US and Europe, may accelerate following this incident.
The argument that losses remain contained to consenting users becomes difficult to sustain when contagion erases $13.21 billion in TVL in two days.
Follow the story on Cryptonomic.
