KelpDAO exploit: $292M minted through a 1-of-1 LayerZero bridge, $177M bad debt now lands on Aave Umbrella The biggest DeFi extraction of 2026 didn’t come from a contract bug. It came from a single line of config. At 17:35 UTC on April 18, an attacker pushed a forged lzReceive call through @KelpDAO LayerZero OFT adapter and minted 116,500 unbacked rsETH - roughly 18% of supply, ~$293.5M. One transaction, one signature. Root cause: the rsETH adapter was running requiredDVNCount: 1 with @LayerZero_Labs as the sole verifier. A $1B+ TVL protocol secured its bridge with a single point of failure. Cashout was textbook. Instead of dumping into DEX liquidity, the attacker used the unbacked tokens as collateral: • Aave Ethereum: borrowed 52,834 WETH • Aave Arbitrum: 29,782 WETH + 821 wstETH • Smaller positions on Compound V3 and Euler before they froze Total borrowed out: $200M–$236M, first hops routed through Tornado Cash within 20 minutes. KelpDAO paused contracts in 46 minutes, but positions already open on third-party lenders can’t be unwound. Aave, SparkLend, Fluid, Ethena, Yearn, Pendle, Beefy, and Lombard all froze rsETH exposure within hours. Every bridged rsETH across ~20 L2s is now structurally impaired. Who actually pays the ~$177M bad debt: Aave Umbrella WETH stakers on Ethereum and Arbitrum. This is Umbrella’s first real-money slashing event - automated, pro-rata, no governance vote. Combined vaults hold ~$260M TVL, putting the slash ratio at 60–70%. Stakers farming a few extra points on top of aWETH are about to lose two-thirds of their position overnight. Bridged rsETH holders take tier 2 pain with a 15–20% haircut as KelpDAO keeps mainnet rsETH whole. The lesson repeats. Contracts worked. EigenLayer was fine. LayerZero’s protocol was fine. The fault sat in the config - the part of the stack auditors don’t review. Before you treat a bridged LRT as 1:1 with its mainnet version, check how many DVNs secure it. That’s the difference between a yield trade and a total loss. Great report by @defiprime 🔗 https://t.co/f20MPysRPm
Share
Source:Show original
Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information.
Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.