KuCoin
Log In
language_currency
Home
Blog
Market Insight
Details
img

What Is KelpDAO? How Its $292M Hack Shook the Crypto Market in 2026

2026/04/28 06:33:02
Custom
What if a single forged transaction could drain nearly $300 million from a DeFi protocol in under an hour — and then trigger a cascading crisis across 9 other platforms?
 
That is exactly what happened on April 18, 2026. An attacker exploited Kelp DAO's LayerZero-powered bridge to drain 116,500 rsETH — about $292 million, representing roughly 18% of the token's circulating supply — triggering an emergency pause of core contracts. The event instantly became the largest DeFi exploit of 2026, rattling investor confidence from Ethereum mainnet to more than 20 Layer-2 networks.
 
To understand why this matters so deeply, you first need to understand what KelpDAO actually is, how it built one of DeFi's most interconnected ecosystems, and why a single weak link in its cross-chain infrastructure was enough to expose the entire sector's structural vulnerabilities.

Key Takeaways

  • KelpDAO is a liquid restaking protocol built on EigenLayer, allowing users to earn staking rewards while keeping their assets liquid via its rsETH token.
  • On April 18, 2026, attackers exploited a bridge vulnerability to mint 116,500 unbacked rsETH tokens worth ~$292 million — the largest DeFi hack of 2026.
  • The hack was linked to North Korea's Lazarus Group, who used the stolen tokens as fake collateral on Aave to drain real ETH.
  • At least 9 DeFi protocols were affected, Aave's TVL dropped by $10 billion, and April 2026 became the worst month for crypto hacks in over a year.
  • A recovery initiative called "DeFi United" was launched, with Lido Finance, EtherFi, and Aave founder Stani Kulechov coordinating to cover the shortfall.

What Is KelpDAO?

KelpDAO is a liquid restaking protocol built on Ethereum that allows users to maximize their staking rewards without sacrificing asset liquidity. Instead of locking ETH in traditional staking, Kelp DAO lets users restake their liquid staking tokens (LSTs) from providers like Lido and Rocket Pool to earn additional rewards through EigenLayer.
 
In simple terms, KelpDAO operates as a "DeFi amplifier." You deposit staked ETH (such as stETH or cbETH), the protocol delegates it to EigenLayer operators, and in return, you receive rsETH — a yield-bearing liquid restaking token.
 

What Is rsETH?

rsETH is a token representing a claim on the restaked position plus accrued yield. By April 2026, rsETH had crossed $1 billion in TVL and was integrated as collateral across most of the major lending markets and yield venues in DeFi.
 
Because rsETH is liquid, users can trade it, borrow against it, or use it in yield strategies — all while continuing to earn EigenLayer rewards in the background. This "double-dipping" mechanism made KelpDAO one of the most popular liquid restaking protocols in the ecosystem.
 

KelpDAO's Key Features

KelpDAO issues rsETH and operates Gain Vaults — automated yield and airdrop points optimizers for Layer-2 networks. Users can deposit ETH, stETH, ETHx, and rsETH into Gain Vaults to earn additional yield hands-free.
 
The protocol operates across more than 10 networks and had amassed over $2 billion in Total Value Locked (TVL) before the exploit. With integrations spanning Aave, Arbitrum, Base, Linea, and Mantle, rsETH had become deeply embedded across the DeFi stack.

The April 2026 KelpDAO Hack: What Happened?

The Attack Vector: A 1-of-1 Bridge Flaw

The attack unfolded in stages: attackers compromised RPC nodes used by LayerZero's verification system, deployed malicious binaries to manipulate transaction data, executed a coordinated DDoS attack that forced fallback to compromised infrastructure, and finally caused the system to accept forged cross-chain messages — resulting in 116,500 rsETH minted without any backing.
 
The critical failure point was KelpDAO's verification configuration. On-chain forensics described the attack vector as surgical: tainting internal RPCs while performing a DDoS attack on external ones, exploiting a 1-of-1 DVN (Decentralized Verifier Network) verification configuration. One verifier. One point of failure.
 
This meant a single compromised node was all it took to approve a fraudulent cross-chain transaction worth hundreds of millions of dollars.

The Timeline

At April 18, 2026 at 17:35 UTC, the attacker exploited the bridge. The emergency pauser multisig paused Kelp DAO's core contracts 46 minutes later, at 18:21 UTC. Two subsequent drain attempts were made at 18:26 and 18:28 UTC, each attempting to drain an additional 40,000 rsETH — both reverted.
 
The speed of the attack was staggering. In under an hour, the attacker had minted fake tokens, used them as collateral on Aave, and drained real ETH from the largest DeFi lending protocol in existence.

From Bridge Exploit to Aave Crisis

The hack did not stop at KelpDAO. The attacker deposited nearly 90,000 rsETH into Aave as collateral, borrowing about $190 million in ETH and other assets across Ethereum and Arbitrum. That left Aave with impaired collateral, triggering a run on deposits as lenders rushed to withdraw available funds.
 
The total value of assets on Aave plunged by $10 billion following the incident, with the total bad-debt hole estimated at more than 112,000 rsETH, according to Aave's incident report.
 
As panic spread during Asian trading hours on Sunday, Aave's native token dropped by 20%.

The Ripple Effect: How the Hack Hit the Broader DeFi Ecosystem

9 Protocols Affected, $13 Billion in Withdrawals

Aave V3 froze rsETH markets, SparkLend froze exposure, while Fluid, Compound, Euler, and others moved to contain risk. At least 9 protocols were affected. DeFi deposits dropped by $13 billion in 48 hours as users rushed to pull their funds before someone else did. For every dollar hackers stole in April, DeFi users pulled roughly 20 more out of the system. This amplification effect — where one exploit causes a far larger flight of capital — is precisely what makes bridge hacks so destructive. They do not just steal value; they destroy confidence.

rsETH Stranded on 20+ Chains

Because the bridge held reserves backing rsETH on more than 20 networks, the loss raised doubts about the backing of rsETH on Layer 2s and sparked a wave of market freezes by protocols including Aave, SparkLend, and Fluid. Holders of rsETH on Arbitrum, Base, Mantle, Linea, and other bridged chains were left sitting on tokens that could no longer be confidently redeemed against a 1:1 claim on Ethereum escrow. Withdrawals were paused and liquidity evacuated from DEX pools.
 

KernelDAO Caught in the Crossfire

KelpDAO operates under the broader KernelDAO ecosystem. The KERNEL token crashed 19.9% in the seven days following the attack. KernelDAO's market cap fell to around $20 million — making the protocol's market cap 48 times smaller than its TVL.

Who Was Behind the KelpDAO Hack?

KelpDAO was drained of roughly $290 million on April 18 after attackers, likely North Korea's Lazarus Group, compromised RPC nodes and exploited a single-verifier cross-chain setup to mint 116,500 unbacked rsETH tokens. LayerZero, whose messaging infrastructure was used, stated its core protocol was not at fault.
 
Lazarus Group has been draining crypto for a decade. In 2025 alone, they took about 59% of every dollar stolen in the entire industry. They drained $285 million from Drift Protocol and $292 million from KelpDAO in April 2026, and both attacks were set up through months of social engineering.
 
This is a critical shift in the threat landscape. As Immunefi founder Mitchell Amador noted, with code becoming harder to exploit, the main target for hackers in 2026 is people. The bridge infrastructure itself was not necessarily broken — it was the humans operating the verification nodes who were deceived.

April 2026: The Worst Month for Crypto Hacks in Over a Year

The KelpDAO hack did not occur in isolation. April 2026 is now the worst month for crypto hacks in over a year, with $606 million drained across 12 incidents. This is already 3 times more than all hack incidents in Q1 combined, and the month wasn't over.
 
Other April incidents included a $1.2 million domain hijacking attack on DEX aggregator CoW Swap, a $18.4 million oracle manipulation on the NEAR network, and a $1.6 million flash loan attack on Binance Smart Chain. DeFi's total locked value has since fallen from $166 billion to $89 billion — a staggering drop that reflects the scale of the confidence crisis gripping the sector.

The Recovery Effort: "DeFi United"

Aave and several major crypto firms are coordinating a recovery effort dubbed "DeFi United" to stabilize DeFi markets after the exploit left the sector's largest lender grappling with a large shortfall. Lido Finance, EtherFi, and Aave founder Stani Kulechov are among those who proposed putting forward ETH to cover the hole.
 
On April 21, Arbitrum's Network Security Council froze 30,766 ETH ($71 million) worth of attacker funds from the exploit, recovering approximately 25% of the stolen assets. Recovery will be slow. Whether rsETH can fully restore its peg, and whether KelpDAO can rebuild user confidence while honoring redemptions, remains an open question heading into Q2 2026.

Why Do Bridge Hacks Keep Happening?

Crypto bridge hacks like the $292 million Kelp DAO exploit keep happening because bridges rely on trusted intermediaries and external data sources rather than fully verifying blockchain activity, creating easy opportunities for attackers to manipulate. The problem is structural, not just bugs or mistakes.
 
Bridge hacks rarely stay contained. Bridged assets are used across lending protocols, liquidity pools, and yield strategies. If those assets are compromised, the damage spreads. As 1inch co-founder Sergej Kunz explained: "Other platforms may treat a hacked asset as legitimate. That's how contagion happens."
 
Cross-chain bridges have been the single most exploited piece of infrastructure in crypto since 2021, with over $2.8 billion drained from them — roughly 40% of every dollar stolen in Web3. The KelpDAO incident is not an anomaly — it is the continuation of a structural problem that has persisted for years, and the industry has yet to deliver a comprehensive solution.

What the Hack Means for DeFi's Future

Trust in DeFi has "eroded," and Ledger's VP of Security Charles Guillemet warned that 2026 will "most likely be the worst year in terms of hacks, again." However, not all experts are pessimistic. Curve Finance's Michael Egorov acknowledged the silver lining: "Crypto is a harsh environment which no bank would have survived — yet we are working with that. I think DeFi will learn from this incident and become stronger than before."
 
The KelpDAO saga is accelerating conversations about multi-signer bridge designs, mandatory security audits for cross-chain configurations, and stricter collateral onboarding standards for lending protocols. Whether those conversations produce real changes in time to prevent the next major exploit is the defining question for DeFi in 2026.

How to Trade DeFi and Ethereum-Ecosystem Tokens on KuCoin

The KelpDAO hack has reignited interest in understanding how liquid restaking protocols, Ethereum derivatives, and DeFi governance tokens are priced and traded. If you want to position yourself around these fast-moving market events — whether trading AAVE, monitoring ETH volatility, or exploring restaking-adjacent tokens — KuCoin offers deep liquidity for the tokens at the center of this story.
 
KuCoin's spot and futures markets allow you to trade AAVE, ETH, and a wide range of DeFi tokens with competitive fees. The platform also provides real-time market data and news alerts — especially useful during crisis events like the KelpDAO hack when token prices can swing 20% in hours. New users can sign up on KuCoin and access a full suite of trading tools to navigate volatile market conditions as the DeFi sector continues to evolve.
 

Further Read:

Conclusion

KelpDAO built one of DeFi's most ambitious liquid restaking ecosystems, giving users the ability to earn layered Ethereum rewards while maintaining token liquidity through rsETH. But its April 2026 bridge exploit exposed a critical truth: in an interconnected DeFi environment, a single misconfigured verifier node can become a $292 million vulnerability.
 
The hack — the largest in 2026, attributed to North Korea's Lazarus Group — cascaded instantly across 9 protocols, triggered a $10 billion withdrawal wave from Aave, and pushed April 2026 to the worst month for crypto hacks in over a year. A coordinated recovery through "DeFi United" is underway, with Arbitrum freezing roughly $71 million of attacker funds, but the path to full restitution remains uncertain.
 
For the broader crypto market, the KelpDAO incident is both a warning and a forcing function. Bridge infrastructure must be redesigned with multiple independent verification layers, lending protocols need more conservative collateral standards, and the industry must treat state-sponsored hacking groups like Lazarus as a permanent adversary. The DeFi ecosystem that emerges from this crisis — if it does — will likely be more resilient, but the road there will be painful.

FAQs

Is KelpDAO still operating after the hack?

KelpDAO paused its core contracts across mainnet and several Layer-2s immediately after the exploit was detected. The team confirmed it is working with LayerZero, Unichain, its auditors, and security experts on recovery. Whether full operations resume depends on the outcome of the "DeFi United" recovery initiative and whether rsETH can restore its 1:1 peg.
 

Was LayerZero itself hacked in the KelpDAO exploit?

LayerZero stated that its core protocol was not at fault. The vulnerability stemmed from KelpDAO's specific configuration of LayerZero's cross-chain messaging — specifically the use of a single-verifier (1-of-1 DVN) setup, which created a single point of failure that attackers exploited.
 

What happened to rsETH's value after the hack?

After the hack, rsETH's value and peg came under severe pressure. Withdrawals were paused across more than 20 chains, and liquidity fled from DEX pools. Mainnet rsETH remains backed by legitimate user deposits in EigenLayer, but bridged rsETH on Layer-2 networks lost its reliable 1:1 redemption claim, leaving holders stranded.
 

How can DeFi users protect themselves from similar hacks in the future?

Users should diversify exposure across protocols, avoid concentrating liquidity restaking tokens as collateral on lending platforms, and monitor bridge security disclosures closely. Prioritizing protocols with multi-verifier bridge designs, active bug bounty programs, and transparent security audits significantly reduces — though never eliminates — exposure to bridge-related exploits.
 
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency investments carry significant risk. Always conduct your own research before trading.