Year's Largest DeFi Hack Hits Ethereum Protocol
On the night of April 18, 2026, Kelp DAO, an Ethereum-based protocol for "liquid restaking," suffered what Decrypt now describes as the year's largest DeFi hack. Between $280 million and $294 million in the protocol's native token, rsETH, is estimated to have been drained from the system; various analysis firms put the figure at around $293.7 million.
Kelp DAO operates by allowing users to deposit liquid staking tokens like stETH or cbETH and receive rsETH in return, which represents a fraction of the underlying assets. This representation token was at the center of the attack.

Vulnerability in LayerZero Bridge Provided Attackers an Opening
According to technical analyses from the security community, the attack vector was not in Kelp DAO's core contracts but in the protocol's cross-chain bridge, built on LayerZero. The bridge used what is described as a 1-of-1 Decentralized Verifier Network (DVN) setup: in practice, a single node, operated by LayerZero Labs, served as the sole validator.
This created a classic "single point of failure": one compromised node was enough to forge transactions. According to research material, the attackers funded wallets via Tornado Cash, forged a transaction, and sent a fake cross-chain message that triggered the transfer of 116,500 rsETH. Analysis firm D2 Finance has also speculated that a private key leak on the source chain may have been a contributing factor.
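An added example, not code from Kelp DAO or LayerZero: a configuration check that counts how many independent operators must attest before a cross-chain message verifies, generalized from the 1-of-1 case above to required plus optional-threshold verifier sets and to DVNs that share an operator. The field names, the quorum model (all required DVNs plus a threshold of optional ones), the DVN labels and the operator mapping are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from itertools import combinations

@dataclass
class DvnConfig:
    """Verifier set for one bridge pathway (field names are assumptions)."""
    required_dvns: list
    optional_dvns: list = field(default_factory=list)
    optional_threshold: int = 0  # optional DVNs that must also attest

# Constructed sample data: which operator runs each DVN.
OPERATORS = {"dvn-a": "operator-1", "dvn-b": "operator-1",
             "dvn-c": "operator-2", "dvn-d": "operator-3"}

def operators_needed(cfg, operator_of):
    """Fewest distinct operators whose attestations satisfy the quorum.

    A message verifies once every required DVN and any `optional_threshold`
    optional DVNs attest, so a result of 1 means one operator (or one leaked
    key) decides alone what the destination chain accepts.
    """
    if not 0 <= cfg.optional_threshold <= len(cfg.optional_dvns):
        raise ValueError("optional_threshold does not fit the optional DVN list")
    required_ops = {operator_of[d] for d in cfg.required_dvns}
    # Check each way of meeting the optional threshold and keep the one adding
    # the fewest new operators. DVN lists are short, so brute force is fine.
    return min(
        len(required_ops | {operator_of[d] for d in subset})
        for subset in combinations(cfg.optional_dvns, cfg.optional_threshold)
    )

def audit(cfg, operator_of, minimum=2):
    """Return (operators_needed, passes_policy) for one pathway."""
    n = operators_needed(cfg, operator_of)
    return n, n >= minimum

if __name__ == "__main__":
    pathways = {
        "1-of-1": DvnConfig(["dvn-a"]),
        "2 required, same operator": DvnConfig(["dvn-a", "dvn-b"]),
        "1 required + 1 of 2 optional": DvnConfig(["dvn-a"], ["dvn-b", "dvn-c"], 1),
        "2 required + 1 of 2 optional": DvnConfig(["dvn-a", "dvn-c"], ["dvn-b", "dvn-d"], 1),
    }
    for name, cfg in pathways.items():
        n, ok = audit(cfg, OPERATORS)
        print(f"{name:30} operators={n} {'ok' if ok else 'FAIL: below policy'}")
```

Counting operators rather than DVN entries is what exposes the second and third sample pathways: they list more than one verifier yet still depend on a single party.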

Contagion Effect: Aave and Others Shaken
The stolen rsETH tokens were quickly deposited into lending protocols such as Aave V3, Compound V3, and Euler, where the attackers borrowed large amounts of Wrapped Ether (WETH). This created what is described as a classic "cross-protocol contagion event" – one protocol's failure immediately spread to several others.
The subsequent wave of panic among ordinary DeFi users resulted in attempts to withdraw a total of $6.2 billion from Aave alone, according to Decrypt. Aave founder Stani Kulechov clarified that Aave's own smart contracts were not directly compromised, but that the problem was due to rsETH exposure.
Aave, SparkLend, and Fluid all froze their rsETH-related markets to limit the damage. Kelp DAO, for its part, has paused the rsETH contracts on the mainnet and several Layer 2 networks, and is now collaborating with LayerZero, Unichain, its auditors, and security communities to map out the incident.

Audits Insufficient: Experts Warn
Kelp DAO has publicly communicated that the protocol has undergone "multiple audits" and has an active bug bounty program. Nevertheless, these security measures failed to uncover the critical vulnerability – precisely because it lay in a third-party component, not in the protocol's own contracts.
The security community is clear that this points to a structural problem in the DeFi industry: marketing terms like "decentralized verifier networks" can conceal dangerous centralization if standard configurations are routed through a single operator node. Experts emphasize that future security audits must include not only smart contracts but also bridge design, third-party integrations, and the actual implementation of decentralization claims.
For users of liquid restaking protocols, this means that traditional checklists – audit reports, bug bounty programs, TVL size – are no longer sufficient. Cross-chain infrastructure and real dependencies must be scrutinized.

Situation Still Under Investigation
As of April 19, 2026, the investigation is ongoing. Kelp DAO, LayerZero Labs and the affected lending protocols have yet to provide a final confirmed technical explanation of the cause. It is currently unclear whether any of the stolen funds can be traced or recovered. 24Krypto is following the case.



