A coordinated attack on Kelp DAO’s cross-chain infrastructure drained $293 million on April 18, triggering one of the most severe contagion events in DeFi history. The exploit is now the largest of 2026, surpassing the $285 million Drift Protocol breach from just 18 days earlier.

How the Attack Worked

At 17:35 UTC, an attacker sent a crafted message to Kelp DAO’s LayerZero-powered cross-chain bridge. The bridge accepted it as legitimate and released 116,500 rsETH, worth about $293 million and roughly 18 percent of the token’s entire circulating supply, to a wallet funded through Tornado Cash ten hours earlier. No ETH ever changed hands on the other side, meaning rsETH was effectively created from nothing.

The attacker did not attempt to sell it. Instead, they deposited the unbacked rsETH into Aave V3 as collateral and borrowed real wrapped ether against it, then repeated the process on Aave V4. By the time Kelp’s emergency multisig froze the protocol’s core contracts 46 minutes later, the WETH was gone.

A Second Wave Stopped at the Last Moment

Two follow-up attempts at 18:26 UTC and 18:28 UTC both reverted, each carrying the same LayerZero packet attempting another 40,000 rsETH drain worth roughly $100 million. The emergency pause stopped them. Without that intervention, total losses could have approached $400 million.

North Korea’s Lazarus Group

LayerZero’s preliminary indicators suggest attribution to a highly sophisticated state actor, specifically North Korea’s Lazarus Group. The attack involved poisoning the downstream RPC infrastructure used by LayerZero’s verifier node, combined with a DDoS attack to force failover to the compromised endpoint.

Lazarus Group has now been linked to both the Drift Protocol exploit on April 1 and the Kelp DAO breach on April 18, meaning the same unit has drained more than $575 million from DeFi in 18 days through two structurally different attack vectors.

Why the Damage Spread

Kelp ran a 1-of-1 verifier configuration, making LayerZero Labs the sole entity verifying messages to and from the rsETH bridge. LayerZero states it had repeatedly recommended a multi-verifier setup to Kelp. Kelp did not adopt those recommendations.
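The gap between a 1-of-1 and a multi-verifier setup can be modeled in a few lines. This is an added example, not code from Kelp DAO or LayerZero: each verifier attests only to packets that its own RPC endpoint reports, and the bridge requires a threshold of distinct verifiers to agree. The `Verifier` class, the `bridge_accepts` function, the verifier names and all packet data are hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def packet_hash(nonce: int, payload: bytes) -> str:
    """Digest a verifier attests to; binds the payload to its nonce."""
    return hashlib.sha256(nonce.to_bytes(8, "big") + payload).hexdigest()

@dataclass
class Verifier:  # hypothetical model, not LayerZero's API
    name: str
    rpc_view: dict  # nonce -> payload, as reported by this verifier's RPC endpoint

    def attest(self, nonce: int, payload: bytes) -> Optional[str]:
        # Attest only if this verifier's own RPC shows the packet on the source chain.
        if self.rpc_view.get(nonce) != payload:
            return None
        return packet_hash(nonce, payload)

def bridge_accepts(nonce, payload, verifiers, threshold) -> bool:
    """Accept only when `threshold` distinct verifiers attest to the same digest."""
    names = {v.name for v in verifiers}
    if not 1 <= threshold <= len(names):
        # Listing the same verifier twice must not satisfy a higher threshold.
        raise ValueError("threshold must be between 1 and the number of distinct verifiers")
    expected = packet_hash(nonce, payload)
    attesting = {v.name for v in verifiers if v.attest(nonce, payload) == expected}
    return len(attesting) >= threshold

# Constructed sample data (not taken from the incident).
GENUINE = (7, b"release 10 rsETH to user-A")
FORGED = (8, b"release 40000 rsETH to user-X")  # never emitted on the source chain
honest_view = {GENUINE[0]: GENUINE[1]}
poisoned_view = {**honest_view, FORGED[0]: FORGED[1]}  # RPC reports a nonexistent packet

v_poisoned = Verifier("verifier-1", poisoned_view)
v_b = Verifier("verifier-2", honest_view)
v_c = Verifier("verifier-3", honest_view)

def demo() -> dict:
    return {
        "1-of-1, forged packet": bridge_accepts(*FORGED, [v_poisoned], 1),
        "2-of-3, forged packet": bridge_accepts(*FORGED, [v_poisoned, v_b, v_c], 2),
        "2-of-3, genuine packet": bridge_accepts(*GENUINE, [v_poisoned, v_b, v_c], 2),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The threshold only helps when the verifiers read the source chain through independent RPC infrastructure; verifiers that share one poisoned endpoint would all attest to the same forged packet.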

DeFi platforms across more than 20 networks had widely accepted rsETH as high-quality collateral. When its backing broke, solvency concerns spread instantly to every platform that had trusted it.

Market Fallout

Aave’s TVL dropped from over $26 billion to approximately $22 billion. The AAVE token fell 20 percent in 24 hours. Over $5.4 billion in assets were withdrawn from the protocol as WETH pool utilization hit 100 percent. SparkLend and Fluid also froze their rsETH markets.

Cumulative DeFi losses for 2026 now stand between $450 and $482 million across roughly 45 protocols. At the current pace, 2026 is on track to set a new record for exploit volumes.

The Kelp DAO incident is not just a bridge failure. It is a structural warning about how interconnected DeFi has become, and how quickly a single configuration decision can become a system-wide event.