TL;DR

  • 🔴 Approximately $292 million in rsETH was stolen from Kelp DAO on April 18, 2026
  • 🔴 LayerZero points to weak security setup at Kelp DAO; Kelp DAO points back to LayerZero
  • 🔴 Aave froze rsETH markets and experienced billions in outflows following the attack
  • 🔴 The DeFi sector has now lost over one billion dollars in exploits so far in 2026

One of DeFi's Largest Heists in 2026

On the night of April 18, 2026, the liquid restaking protocol Kelp DAO was hit by a sophisticated attack that resulted in 116,500 rsETH — equivalent to an estimated $292–294 million — being drained from the system. According to security firm Cyvers, the funds were quickly converted back to ETH and distributed between the Ethereum mainnet and Arbitrum.

The attack is among the largest single exploits in DeFi history and contributes to total losses in the sector now exceeding one billion dollars in just the first few months of 2026, according to The Block.

Over one billion dollars lost in DeFi exploits so far in 2026
292 Million Dollars Stolen: Kelp DAO, Aave, and LayerZero Argue Over Blame

How the Attack Was Carried Out

The attackers compromised RPC (remote procedure call) nodes used by LayerZero's verification system. Malicious binaries were then distributed to manipulate transaction data, and a coordinated DDoS attack forced the system to fall back to the compromised infrastructure. The result was that the system accepted forged cross-chain messages, enabling unlimited and unbacked minting of rsETH.

In its post-mortem, LayerZero, with what they themselves describe as “preliminary security,” identified North Korea's Lazarus Group — specifically the subgroup TraderTraitor — as responsible for the attack.

$292M
Stolen in rsETH
116,500
rsETH tokens drained
292 Million Dollars Stolen: Kelp DAO, Aave, and LayerZero Argue Over Blame

Blame Debate Among Three Actors

LayerZero: Points to Kelp DAO's Configuration

LayerZero claims that the technical root cause was Kelp DAO operating with a “1-of-1 verifier” configuration — meaning LayerZero Labs alone was responsible for all verification of messages to and from the rsETH bridge. The protocol further states that they had repeatedly advised Kelp DAO to implement a setup with multiple independent verifiers to avoid such a single point of failure. LayerZero emphasizes that their protocol code and private keys were not compromised, and warns that they will no longer sign messages for projects using a single-verifier configuration.

Kelp DAO: Blames LayerZero's Infrastructure

Kelp DAO, for its part, describes the incident as an “infrastructure breach at LayerZero Labs,” stating that they detected suspicious cross-chain activity and immediately paused rsETH contracts on the mainnet and several Layer 2 solutions while collaborating with security experts.

Aave: Froze the Market to Limit Damage

Aave, one of DeFi's largest lending platforms, was drawn into the crisis due to its exposure to rsETH. Aave founder Stani Kulechov clarified on X that Aave's own contracts were not attacked, and that the freezing of rsETH markets was a measure to support Kelp DAO's investigation. Nevertheless, the incident triggered massive outflows from lending protocols across the DeFi ecosystem. DeFiLlama developer 0xngmi pointed to this as a clear example of the systemic risk arising from DeFi's tight interconnections.

TVL Falls to One-Year Low

The exploit and the subsequent liquidity crisis have had noticeable consequences for the entire DeFi sector. Ethereum's total value locked (TVL) has fallen by almost 18 percent in the last month, and the sector's overall TVL is now at its lowest level in a year, according to The Block.

The broad decline reflects not only the Kelp DAO loss in isolation but also the erosion of trust and the automatic risk reaction that occurs when large protocols with cross-chain exposure are affected.

The DeFi Insurance Market: Still Weak

The incident once again highlights the persistent lack of adequate risk coverage in DeFi. Platforms like Nexus Mutual have built insurance infrastructure for precisely such scenarios, but the market still covers a vanishingly small proportion of the total DeFi market. According to available data, decentralized insurance accounted for less than one percent of DeFi's total TVL as recently as 2022, and growth since then has not kept pace with the accumulating exposure.

It is currently unclear whether Kelp DAO users will receive compensation, and the question of liability between Kelp DAO, LayerZero, and any insurance schemes remains unresolved.

What Happens Next?

LayerZero has decommissioned the compromised RPC nodes and resumed normal DVN operations while collaborating with law enforcement to trace the funds. Kelp DAO has not yet announced a concrete compensation plan. The question of liability appears to be a lengthy legal and technical process — and the outcome could have implications for how cross-chain infrastructure is secured and who bears the risk in the future.