The @KelpDAO hack is one of the largest DeFi exploits of 2026, with losses estimated at $292–294 million (approximately 116,500 rsETH, representing ~18% of the total circulating supply).

Key Events

Timing: Around 17:35 UTC on April 18, 2026.

The attacker exploited the rsETH bridge of KelpDAO, which relies on LayerZero’s cross-chain messaging.

The hacker called the lzReceive function on LayerZero EndpointV2 and spoofed (faked) cross-chain messages to mint unbacked rsETH (rsETH without real underlying assets).

The fake rsETH was then deposited into major lending protocols such as Aave V3, Compound, Euler, and others to borrow roughly $106–236 million in ETH/WETH.

A large portion of the stolen ETH was transferred and potentially laundered (Tornado Cash was used earlier to fund the attacker’s wallet).

KelpDAO quickly paused the rsETH contract on Ethereum mainnet and multiple Layer-2 networks.

Several other protocols (Aave, SparkLend, Fluid, Upshift, Lido, Ethena, etc.) activated emergency freezes to limit further damage.

Root Cause

The primary cause was a critical security misconfiguration in the LayerZero bridge setup:

LayerZero supports secure thresholds for Decentralized Verifier Networks (DVN), such as 2/2 or 3/3 (requiring multiple verifiers to be compromised).

KelpDAO configured it as 1/1 (only one verifier needed), allowing the hacker to easily spoof messages.

The $rsETH bridge adapter was directly exploited, enabling unlimited minting of fake rsETH.

Consequences

For KelpDAO: Loss of ~$292M in rsETH value, contracts paused, severe reputational damage, and rsETH losing its peg.

Contagion effects: @aave V3 faced massive bad debt (~$200–290M on WETH pools) because fake rsETH was used as collateral to borrow real ETH. WETH lenders on Aave were urged to withdraw funds immediately. At least 9 other protocols (Aave, Compound, Morpho, SparkLend, etc.) were impacted. Wrapped ETH became stuck on over 20 chains.

Market impact: $AAVE token dropped sharply (~10–15%). @LayerZero_Core's $ZRO token also declined significantly. Negative sentiment across DeFi, with many users withdrawing liquidity from lending protocols.

The attacker has moved a large portion of the ETH, but some markets remain frozen to contain the damage. The incident is still under investigation (on-chain analysts like ZachXBT are actively tracking it). It serves as a major reminder of the risks associated with cross-chain bridges and liquid restaking tokens when integrated into lending protocols without robust controls.

If you hold positions related to rsETH, Aave WETH pools, or ETH-related lending vaults, it is advisable to check and consider withdrawing to avoid bad debt or prolonged freezes. The situation may continue to develop in the coming hours.
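
The 1/1 versus 2/2 verifier threshold described under Root Cause, as an added example that is not part of the original post and is not LayerZero's or KelpDAO's code: a simplified Python model that computes how many distinct verifiers must be compromised before a forged message would be accepted, and flags configurations where that number is below two. The class, field and verifier names are hypothetical, and the optional-verifier threshold generalizes beyond the 1/1 case the post describes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierConfig:
    # Simplified, hypothetical model of a bridge pathway's verifier set:
    # every `required` verifier must attest, plus at least
    # `optional_threshold` of the `optional` ones.
    required: tuple
    optional: tuple = ()
    optional_threshold: int = 0

def accepts(cfg, attesters):
    """True if a message attested by `attesters` would be delivered."""
    signed = set(attesters)
    if not set(cfg.required) <= signed:
        return False
    return len(set(cfg.optional) & signed) >= cfg.optional_threshold

def compromise_cost(cfg):
    """Fewest distinct verifiers that must be compromised to forge a message."""
    required = set(cfg.required)
    optional = set(cfg.optional)
    already = len(optional & required)  # optional slots a required verifier also fills
    extra = max(0, cfg.optional_threshold - already)
    return len(required) + extra

def audit(cfg, minimum=2):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    if len(set(cfg.required)) != len(cfg.required):
        findings.append("duplicate required verifier")
    if cfg.optional_threshold > len(set(cfg.optional)):
        findings.append("optional threshold can never be met")
    if compromise_cost(cfg) < minimum:
        findings.append(f"fewer than {minimum} verifiers must be compromised to forge a message")
    return findings

# Constructed sample configurations (verifier names are placeholders).
ONE_OF_ONE = VerifierConfig(required=("dvn-a",))
TWO_OF_TWO = VerifierConfig(required=("dvn-a", "dvn-b"))
DUPLICATED = VerifierConfig(required=("dvn-a", "dvn-a"))  # looks like 2/2, is 1/1

if __name__ == "__main__":
    for name, cfg in [("1/1", ONE_OF_ONE), ("2/2", TWO_OF_TWO), ("dup", DUPLICATED)]:
        print(name, compromise_cost(cfg), audit(cfg))
```

A check like this belongs in deployment review or CI for any bridge configuration, so that a single-verifier pathway is rejected before it reaches mainnet.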



