DeFi Collapse: $13 Billion Vanishes in Two Days After KelpDAO Hack

TL;DR

• KelpDAO was subjected to an exploit on April 18, 2026, which stole approximately $293.7 million in the liquid restaking token rsETH
• The attackers exploited a weakness in the LayerZero bridge's configuration setup and managed to mint 116,500 unbacked rsETH tokens
• At least nine DeFi protocols were affected, including Aave V3/V4, SparkLend, Fluid, and Compound V3
• DeFi's total TVL fell by over $13 billion in two days — the largest drop in the sector so far in 2026

It Started with One Bridge and One Misconfiguration

On April 18, 2026, the liquid restaking protocol KelpDAO was hit by what is now described as 2026's largest crypto hack by dollar value. According to research related to the case, the attackers succeeded in stealing the equivalent of $293.7 million in the protocol's native token, rsETH.

The core of the vulnerability lay in how KelpDAO had configured its LayerZero Omnichain Fungible Token adapter. The protocol used a so-called 1-of-1 Decentralized Verifier Network (DVN) architecture — meaning a single verifier without redundancy. LayerZero itself recommends using multiple DVNs to prevent precisely this type of attack.

A single forged signature was enough to instruct the escrow contract to release unbacked rsETH tokens on the Ethereum mainnet.

The attackers compromised the DVN node by poisoning the underlying RPC infrastructure, combined with DDoS attacks that redirected the system towards malicious nodes. This allowed them to forge cross-network transactions and mint 116,500 unbacked rsETH tokens. The attack wallets were funded via the crypto mixer Tornado Cash to conceal their tracks.

LayerZero Labs confirmed to CoinDesk that the attack is linked to the Lazarus Group, also known as TraderTraitor, and clarified that it was not the protocol itself that had an inherent weakness — but KelpDAO's specific application configuration.

The Contagion Effect: From One Hack to Ten Protocols

What started as an isolated exploit quickly escalated into a sector-wide event. The attackers used the stolen rsETH tokens as collateral in the lending protocol Aave V3, borrowing over $236 million in Wrapped Ethereum (WETH). This created unbacked debt in the system.

Aave's WETH pool utilization reached 100 percent in the wake of the incident. The TVL drop for Aave alone was estimated at $8.4 billion, according to available research.

$13 Billion Vanished in 48 Hours

The total TVL decline in DeFi across affected protocols exceeded $13 billion over two days, according to CoinDesk. Interestingly, token prices remained relatively stable — it was the liquidity and deposited value that evaporated, not necessarily the market value of the underlying tokens.

This illustrates one of the more underestimated risks in DeFi: systemic contagion through shared liquidity pools and cross-protocol integrations. When rsETH served as collateral in a dozen different protocols, a single compromised asset turned into a domino effect.

LayerZero Announces Measures

LayerZero Labs has announced, according to CoinDesk, that they will accelerate the migration of all single-DVN configurations to a multi-DVN architecture. In the meantime, signature and verification services for applications with 1-of-1 configurations have been suspended.

Aave's founder Stani Kulechov emphasized that Aave's core protocols were not directly exploited, but that the problem was related to rsETH as an asset. This is a distinction that nevertheless offers little comfort to users with funds tied up in frozen markets.

The incident once again highlights the risk of single points of failure in bridge infrastructure — and raises questions about DeFi protocols' due diligence processes for which assets they accept as collateral.