TL;DR

  • Attackers stole approximately 116,500 rsETH — worth about $292 million — from Kelp DAO's cross-chain bridge
  • The stolen tokens were used as collateral on Aave V3 to borrow WETH, leaving the lending market with significant unsecured debt
  • Kelp DAO froze core contracts, Aave closed rsETH markets, and users were urged to withdraw WETH immediately
  • The attack affected infrastructure built on LayerZero and spread across 20 different blockchains

The Year's Largest Crypto Exploit is a Reality

On the night of Saturday, April 18, 2026, Kelp DAO was hit by what is now described as the largest single attack in the crypto industry so far this year. According to CoinDesk, just over 116,500 rsETH — equivalent to approximately $292 million — was drained from the protocol's LayerZero-powered cross-chain bridge. This accounts for about 18 percent of the total circulating supply of rsETH.

The attacker funded the initial wallets via Tornado Cash and exploited a vulnerability in LayerZero's messaging layer to trick the system into releasing funds without actual backing.

$292 million disappeared from Kelp DAO's bridge in hours — spread across 20 blockchains

How the Attack Worked

rsETH is a Liquid Restaked Token (LRT): it represents ETH restaked through EigenLayer across multiple Actively Validated Services (AVSs), and is intended to maintain a soft peg to the ETH price. According to available research data, Kelp DAO's total market value for rsETH had been around $1.58 billion before the attack.

The attacker managed to extract rsETH from the bridge without the underlying ETH funds actually accompanying them. The released, unbacked tokens were then deposited as collateral on Aave V3 — one of DeFi's largest lending platforms — to borrow large amounts of Wrapped Ether (WETH).

The result was dramatic: since the collateral was no longer real, Aave was left with loans that cannot be liquidated in the usual way, and its WETH reserves were burdened with significant unsecured debt.
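A defender-side view of the mechanism above, as an added example that is not code from Kelp DAO, LayerZero or Aave: a monitor that checks whether bridged supply is still backed by escrow and tells a lending market when to stop accepting the token. It assumes a lock-and-release bridge model; the class, function and chain names are hypothetical, and the sample balances are constructed except for the 116,500 figure from the article.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class BridgeSnapshot:
    """One observation of a lock-and-release bridge (hypothetical data model)."""
    escrow_locked: Decimal   # tokens held in escrow on the home chain
    remote_supply: dict      # chain name -> bridged supply on that chain

    @property
    def outstanding(self) -> Decimal:
        return sum(self.remote_supply.values(), Decimal(0))

def backing_ratio(snap: BridgeSnapshot) -> Decimal:
    """Fraction of bridged supply still backed by escrow, capped at 1."""
    if snap.outstanding == 0:
        return Decimal(1)
    return min(Decimal(1), snap.escrow_locked / snap.outstanding)

def check_bridge(prev, cur, max_unexplained=Decimal("0.01")):
    """Return (alert_name, amount) pairs for the transition prev -> cur."""
    alerts = []
    # Invariant: every bridged token must be matched by a token in escrow.
    shortfall = cur.outstanding - cur.escrow_locked
    if shortfall > 0:
        alerts.append(("UNBACKED_SUPPLY", shortfall))
    # A legitimate redemption burns remote supply before escrow releases it,
    # so escrow outflow beyond the burned amount has no matching burn.
    outflow = prev.escrow_locked - cur.escrow_locked
    burned = max(prev.outstanding - cur.outstanding, Decimal(0))
    unexplained = outflow - burned
    if unexplained > prev.escrow_locked * max_unexplained:
        alerts.append(("UNEXPLAINED_OUTFLOW", unexplained))
    return alerts

def collateral_action(alerts) -> str:
    """Lending-side policy: stop accepting the token once backing is in doubt."""
    return "FREEZE_MARKET" if alerts else "NORMAL"

# Constructed sample data; only the 116,500 figure is taken from the article.
BEFORE = BridgeSnapshot(Decimal(200_000), {"chain_a": Decimal(120_000), "chain_b": Decimal(80_000)})
REDEEM = BridgeSnapshot(Decimal(195_000), {"chain_a": Decimal(115_000), "chain_b": Decimal(80_000)})
DRAIN = BridgeSnapshot(Decimal(200_000) - Decimal(116_500), BEFORE.remote_supply)

if __name__ == "__main__":
    for name, snap in (("redeem", REDEEM), ("drain", DRAIN)):
        alerts = check_bridge(BEFORE, snap)
        print(name, alerts, backing_ratio(snap), collateral_action(alerts))
```

The redemption case passes because the escrow outflow is matched by a burn on the remote chain; the drain case fails both checks, which is the condition a lending market would want to see before it accepts further deposits of the token.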

Stolen value: $292M
Share of rsETH supply: 18%

Crisis Management Across DeFi

Kelp DAO reacted quickly and paused core contracts after the attack was discovered. According to CoinDesk, this prevented further attack rounds. The protocol team immediately initiated cooperation with LayerZero and Unichain to investigate the incident.

Aave froze its rsETH markets, as did SparkLend, Fluid, and Upshift. Solidity developer and auditor 0xQuit issued a clear warning:

"If you have WETH on Aave V3 Core, withdraw it now." — 0xQuit, Solidity Auditor

The warning was supported by Aave founder Marc Zeller, who reiterated the call for immediate withdrawal. According to CoinDesk, the attack affected infrastructure across 20 separate blockchains, underscoring the complexity of cross-chain security challenges.

LayerZero Under Pressure — Again

This is not the first time LayerZero infrastructure has been linked to serious security incidents. In September 2025, Griffin AI's $GAIN token was exploited via a flaw in LayerZero's cross-chain bridge, where attackers minted five billion fake tokens and earned around $3 million. Security firm CertiK then pointed to a critical weakness in LayerZero's peer initialization as the root cause.

LayerZero operates with what the protocol itself refers to as 'configurable trustlessness,' where applications can define their own security model via decentralized verification networks (DVNs). This model offers flexibility, but also implies that the responsibility for an attack largely rests with the application itself — not LayerZero Labs directly.

DeFi Composability as a Double-Edged Sword

The attack illustrates one of the most discussed risks in decentralized finance: composability. The fact that protocols are built on top of each other provides efficiency and innovation power, but also means that a failure in one link can spread rapidly and uncontrollably to connected systems — without natural brakes or emergency exits.

Research data related to this incident indicates that LRTs like rsETH are exposed to multiple layers of risk simultaneously: smart contract vulnerabilities, liquidity stress, slashing risk from EigenLayer operators, and governance vulnerability. The combination of these factors, put under pressure by a single exploit, can trigger chain reactions of the type we have now witnessed.

As the investigation is ongoing in cooperation between Kelp DAO, LayerZero, and Unichain, it is unclear at the time of publication whether any of the stolen funds can be traced or recovered.