2026 Major Security Incident Erupts: Kelp DAO rsETH Cross-Chain Bridge Hacked, Losses Up to $293 Million, Aave and Other DeFi Protocols Suffer Massive Bad Debts

Overview | Grok

Editor | Wu on Blockchain

On April 19 (the event itself occurred around 17:35 UTC on April 18), the crypto community was flooded with posts about a large-scale exploit of the Kelp DAO rsETH cross-chain bridge.

This is the largest DeFi security incident since the start of 2026, with losses estimated at approximately $292–293 million, directly involving about 116.5k rsETH (roughly 18% of the total rsETH circulating supply).

Hackers forged messages on a LayerZero-powered cross-chain bridge and minted a large amount of rsETH on the Ethereum mainnet without real collateral backing. They then deposited these “air assets” as collateral into mainstream lending protocols such as Aave, Compound and Euler, and borrowed about $236 million in real WETH/ETH and other high-quality assets, leaving a total bad debt risk of approximately $177–280 million across multiple protocols. The incident quickly trended on X (formerly Twitter), with discussions in Chinese and English communities surpassing 116.5k within hours, sparking widespread doubts about cross-chain bridge security, re-staking LRT mechanisms, and systemic risks in DeFi.

Complete Timeline of the Incident

Around 17:35 UTC on April 18: Attack officially begins. Hackers exploit a configuration vulnerability (1/1 DVN, i.e., a single decentralized validation node setup) in Kelp DAO’s LayerZero cross-chain bridge, forging cross-chain messages and calling the lzReceive function on Ethereum mainnet to release 116.5k rsETH without real backing. Multiple on-chain trackers on X (e.g., @zachxbt) immediately posted the transaction hash and abnormal minting records.

Mid-attack: Hackers use privacy tools like Tornado Cash to obfuscate fund sources, then quickly deposit the forged rsETH into nine major lending protocols such as Aave V3, Compound, Euler, etc., as collateral to borrow large amounts of real ETH/WETH. Real-time posts on X show that the utilization rate of lending pools soared to nearly 100%, with some protocols experiencing daily outflows exceeding $6.6 billion.

Kelp DAO Response: About 46 minutes after the attack, the multi-signature wallet of Kelp DAO detected suspicious activity and urgently paused rsETH-related contract functions on the mainnet and multiple Layer 2 chains. The official X account promptly posted a confirmation, “suspicious activity detected in rsETH cross-chain,” and announced that the team had initiated a comprehensive investigation with LayerZero, auditors, and security experts.

From the night of April 18 to April 19: Aave’s official X account issued a statement, urgently freezing the rsETH collateral market to prevent further bad debt expansion. Protocols like Compound and Euler followed suit, suspending or restricting related asset operations. LayerZero’s official X account responded with “aware of the incident and investigating the root cause.”

The entire process was recorded in real time on X, with multiple KOLs sharing on-chain data and notably mentioning large holders like Justin Sun withdrawing funds en masse from Aave, further fueling market panic.

Technical Analysis (Developers and Security Researchers on X)

Based on multiple technical posts on X (such as @kittendong’s in-depth Chinese analysis), the core vulnerability lies in Kelp DAO’s configuration of its LayerZero OApp (Omnichain Application): it used a 1/1 DVN mode (single validation node), which allowed hackers to forge cross-chain verification messages. By carefully crafting payloads, they triggered the minting of rsETH on the target chain without real cross-chain assets backing it. Essentially, this mechanism let hackers “create” nearly $300 million worth of synthetic assets out of thin air.

Subsequently, the hackers used this rsETH as over-collateralized assets in lending protocols to borrow real ETH, forming a typical “flash loan” style attack. Security researchers on X pointed out that this resembles the 2022 Nomad bridge incident, exposing systemic risks of the “cross-chain bridge + LRT (Liquid Restaking Token)” combination: rsETH as a re-staking derivative depends on underlying ETH staking, but the cross-chain minting process lacks sufficiently decentralized verification and real-time endorsement checks.

Additionally, some posts suggest that hackers may have exploited private keys or configuration leaks in Kelp DAO’s contracts (still under investigation). The entire attack chain was efficient and low-profile, with gas costs obfuscated through multiple layers.
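
The DVN threshold review that this section points to can be scripted as a policy check over each receive pathway. The following is an added example, not code from Kelp DAO, LayerZero or the original article; the `ReceiveConfig` model, its field names, the minimum quorum of 2 and the sample pathways are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ReceiveConfig:
    """Hypothetical model of one pathway's verifier settings (names are assumptions)."""
    confirmations: int
    required_dvns: list = field(default_factory=list)
    optional_dvns: list = field(default_factory=list)
    optional_threshold: int = 0

def signer_quorum(cfg):
    """Smallest number of distinct DVNs whose attestations release a message."""
    required = {a.lower() for a in cfg.required_dvns}
    optional = {a.lower() for a in cfg.optional_dvns}
    needed_optional = min(cfg.optional_threshold, len(optional))
    # A DVN listed in both sets satisfies both with one signature.
    return len(required) + max(0, needed_optional - len(required & optional))

def audit_pathway(name, cfg, min_quorum=2):
    """Return findings for one pathway; an empty list means it passed."""
    findings = []
    listed = [a.lower() for a in cfg.required_dvns + cfg.optional_dvns]
    if len(listed) != len(set(listed)):
        findings.append(f"{name}: same DVN listed more than once")
    if cfg.optional_threshold > len(cfg.optional_dvns):
        findings.append(f"{name}: optional threshold exceeds optional DVN count")
    quorum = signer_quorum(cfg)
    if quorum < min_quorum:
        findings.append(f"{name}: quorum {quorum} < {min_quorum} (single point of failure)")
    if cfg.confirmations < 1:
        findings.append(f"{name}: no block confirmations required")
    return findings

def audit_all(pathways, min_quorum=2):
    """Map pathway name -> findings, keeping only pathways that failed."""
    report = {n: audit_pathway(n, c, min_quorum) for n, c in pathways.items()}
    return {n: f for n, f in report.items() if f}

# Constructed sample data: placeholder labels, not real addresses or chains.
SAMPLE = {
    "l2-a->mainnet": ReceiveConfig(15, ["0xDVN_A"]),
    "l2-b->mainnet": ReceiveConfig(15, ["0xDVN_A", "0xDVN_B"], ["0xDVN_C", "0xDVN_D", "0xDVN_E"], 2),
    "l2-c->mainnet": ReceiveConfig(15, ["0xDVN_A"], ["0xdvn_a", "0xDVN_B"], 1),
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print("\n".join(findings))
```

The third sample pathway shows why counting list entries is not enough: it lists two verifiers, yet one DVN appears in both sets, so a single attestation still satisfies the whole configuration.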

Official Responses and Emergency Measures

Kelp DAO: The official X post clearly states “rsETH contract functions on multiple chains have been paused to prevent further losses,” and commits to “collaborating with LayerZero, multiple auditors, and security experts to release an initial investigation report within 24–48 hours.”

LayerZero: The official account said “the team is fully investigating the root cause and will provide transparent updates as soon as possible,” also urging all projects integrated with LayerZero to immediately check their DVN threshold settings.

Aave: Announced on X that it “has frozen rsETH markets, with protocol liquidity safe,” but the community remains concerned that potential bad debt could reach $280 million.

Other affected protocols (like Compound, Euler) also issued similar notices, with real-time posts on X showing at least 16 lending/DEX protocols have taken restrictive measures.

Market Impact and Chain Reactions

The incident caused severe shocks to the DeFi market:

Token Prices: AAVE token plummeted 17–19% within 24 hours, triggering mass liquidations; LayerZero’s native token ZRO also dropped about 20%; rsETH experienced severe de-pegging, with prices temporarily trading at a significant discount to ETH.

Liquidity Shock: ETH pools on protocols like Aave reached nearly 100% utilization, with daily outflows exceeding $6.6 billion, causing the total DeFi TVL to evaporate nearly $10 billion in a short period.

Contagion Effect: Multiple analysts on X drew “contagion maps,” indicating that bad debts could spread across the entire LRT ecosystem and cross-chain assets.

Historical Comparison: This event surpasses the $285 million loss from the Drift protocol 18 days ago, making it the largest single DeFi hack of 2026.

Many posts directly label LayerZero’s 1/1 DVN as a “time bomb,” calling for all cross-chain projects to upgrade to multi-validation nodes (at least 2/3 or higher threshold). Some developer posts emphasize “speed should not come at the expense of security.”

Risks of LRT and Synthetic Assets: The community generally agrees that re-staking assets like rsETH have insufficient transparency in cross-chain scenarios. Posts from @zachxbt and others stress that “LRT without real collateral is the biggest attack surface currently.”

Systemic DeFi Concerns: Several analysts simulated potential chain reactions, advising users to immediately review and withdraw exposed funds from protocols like Aave and Compound. Chinese comment sections are filled with phrases like “another billion-dollar bridge accident,” “Can we still trust DeFi?” and “Calling for higher security standards.”

Some posts praise Kelp DAO’s multi-signature governance for its quick response (pausing within 46 minutes), believing this incident will accelerate industry adoption of zero-knowledge proofs (ZK), multi-signature setups, and real-time monitoring solutions.

Overall sentiment is “shocked + cautious,” though some developers note “exposing problems early is better than hiding them, for long-term industry iteration.”

Lessons and Industry Recommendations

This Kelp DAO rsETH incident rings alarm bells again: even mainstream re-staking protocols have systemic vulnerabilities in cross-chain bridge design, validation node configuration, and collateral transparency. The X community consensus includes:

Projects should immediately audit their LayerZero integrations, prioritizing decentralized configurations.

Users should be cautious with newly launched cross-chain LRT assets, favoring projects with high TVL, transparent audits, and diversified holdings.

The industry needs to accelerate standardization of security frameworks, such as mandatory multi-DVN setups and on-chain real-time endorsement checks.
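
One form the real-time backing check recommended above could take is a monitor that reconciles every destination-chain release against a send observed on the source chain. This is an added example, not code from the article or from any of the projects named; the event shapes, field names and sample stream are hypothetical and constructed for illustration.

```python
from collections import namedtuple

# Hypothetical event shapes, joined on the cross-chain message id.
Sent = namedtuple("Sent", "msg_id amount")
Released = namedtuple("Released", "msg_id amount tx")

class BackingMonitor:
    """Flags destination releases not backed by an observed source-chain send."""
    def __init__(self):
        self.sent = {}          # msg_id -> amount seen on the source chain
        self.consumed = set()   # msg_ids already released on the destination
        self.total_sent = 0
        self.total_released = 0

    def on_sent(self, ev):
        self.sent[ev.msg_id] = ev.amount
        self.total_sent += ev.amount

    def on_released(self, ev):
        """Return a list of alert strings for this release (empty = backed)."""
        alerts = []
        if ev.msg_id not in self.sent:
            alerts.append(f"UNBACKED {ev.tx}: no source send for {ev.msg_id}")
        elif self.sent[ev.msg_id] != ev.amount:
            alerts.append(f"MISMATCH {ev.tx}: sent {self.sent[ev.msg_id]}, released {ev.amount}")
        if ev.msg_id in self.consumed:
            alerts.append(f"REPLAY {ev.tx}: {ev.msg_id} already released")
        self.consumed.add(ev.msg_id)
        self.total_released += ev.amount
        if self.total_released > self.total_sent:
            alerts.append(f"DEFICIT {ev.tx}: released {self.total_released} > sent {self.total_sent}")
        return alerts

def replay(events):
    """Feed a chronological event list through a fresh monitor; collect alerts."""
    mon, alerts = BackingMonitor(), []
    for ev in events:
        if isinstance(ev, Sent):
            mon.on_sent(ev)
        else:
            alerts += mon.on_released(ev)
    return alerts

# Constructed sample stream (amounts in whole tokens for readability).
SAMPLE_EVENTS = [
    Sent("m1", 100), Released("m1", 100, "tx1"),
    Sent("m2", 50), Released("m2", 50, "tx2"),
    Released("m3", 9000, "tx3"),   # no matching send was ever observed
]
```

A production monitor would also need a grace window for source-chain indexing lag, since a legitimate release can reach the destination before the monitor has seen the corresponding send.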

The investigation is ongoing; Kelp DAO, LayerZero, and affected protocols will continue to post updates on X. Crypto market volatility remains, and security is always the top priority. Participants are advised to closely follow official X accounts and avoid misinformation.
