#rsETHAttackUpdate

The rsETH Exploit: A Deep Dive into DeFi's Largest Hack of2026

On April18,2026, at approximately17:35 UTC, the decentralized finance ecosystem witnessed what has become the largest exploit of the year when attackers drained approximately116,500 rsETH tokens from Kelp DAO's LayerZero-powered bridge, representing roughly $292 million in value and about18% of the token's circulating supply. This incident has sent shockwaves through the entire DeFi landscape, triggering emergency responses across multiple protocols and exposing critical vulnerabilities in cross-chain bridge architecture.

**How the Attack Unfolded**

The exploit targeted Kelp DAO's LayerZero V2 Unichain to Ethereum rsETH route, which was configured with a critical security flaw: a1-of-1 Decentralized Verifier Network (DVN) setup. The attacker managed to forge an inbound packet from Unichain to Ethereum that was verified by a single DVN attestation without any corresponding source-side burn transaction. This malicious packet, bearing nonce308, tricked the Ethereum-side RSETH_OFTAdapter into releasing116,500 rsETH to the attacker's controlled address.

The bridge's fundamental invariant—that the amount of rsETH locked in the Ethereum adapter must always be greater than or equal to the total rsETH minted across all remote chains—was broken. The adapter balance plummeted from116,723 rsETH to just223 rsETH in a single block. The attacker attempted a second forged packet (nonce309) for an additional40,000 rsETH, but this execution reverted because Kelp had already initiated emergency freezing protocols.

**The DeFi Contamination Strategy**

Rather than simply holding the stolen assets, the attacker executed a sophisticated strategy to maximize extraction value. Within minutes, the116,500 rsETH was distributed across seven branch addresses. From there, the funds followed divergent paths: some were supplied as collateral on Aave V3 on Ethereum mainnet, others were bridged to Arbitrum to open positions on that chain, and some were routed through alternative venues.

The attacker deposited89,567 rsETH across Aave markets, borrowing approximately82,650 WETH worth $190.86 million and821 wstETH worth $2.33 million. The health factors of these positions settled between1.01 and1.03, indicating they were deliberately maintained near liquidation thresholds to maximize leverage while avoiding forced liquidations.

**Immediate Protocol Responses**

Aave's defensive mechanisms activated within hours of the exploit. At approximately19:00 UTC on April18, the Protocol Guardian froze all rsETH and wrsETH reserves across every Aave V3 deployment, setting loan-to-value ratios to zero. This action disabled new supply and borrowing while preserving existing position management capabilities. Affected markets spanned Ethereum Core, Ethereum Prime, Arbitrum, Avalanche, Base, Ink, Linea, Mantle, MegaETH, Plasma, and zkSync.

The Risk Steward implemented interest rate adjustments across multiple chains, reducing Slope2 to1.50% and bringing borrow rates at100% utilization down from8.5-10.5% to3.0% APR to ensure sustainability. By April20, WETH was frozen on Core, Prime, Arbitrum, Base, Mantle, and Linea to prevent the risk from spreading to other reserves including stablecoins.

Other protocols moved swiftly as well. SparkLend, Fluid, and Upshift paused their rsETH markets. Upshift specifically halted deposits and withdrawals to its High Growth ETH and Kelp Gain vaults, though its USDC and AUSD products remained unaffected due to lack of rsETH exposure.

**Current Financial Exposure and Bad Debt Scenarios**

As of the latest reports, no official decision by Kelp regarding loss allocation or recovery has been publicly confirmed. The current adapter balance of40,373 rsETH represents the only confirmed backing for all remote-chain rsETH across every L2 path, against total remote claims of152,577 rsETH. This creates a significant backing gap that could impact token valuations across the ecosystem.

The open variables affecting final resolution include the socialization boundary—whether any haircut applies to all rsETH holders or only those on affected chains, which alone changes the per-token impact by roughly five times—the size and timing of any recovery or recapitalization, redemption pricing mechanisms, and the treatment of rsETH minted via the compromised bridge path.

**Industry-Wide Recovery Efforts**

The response to this crisis has demonstrated the collaborative nature of the DeFi ecosystem. A coordinated "DeFi United" recovery fund has launched with significant contributions from major players. The Golem Foundation and Factory have pledged1,000 ETH, while Lido Labs committed $5.7 million. Aave founder Stani Kulechov personally contributed5,000 ETH to the recovery efforts. The Ink Foundation has provided undisclosed backing for restoration efforts, and over1,800 community participants voted unanimously for the rescue plan.

**Market Impact and Ongoing Risks**

The exploit triggered over $10 billion in withdrawals from Aave, with utilization rates on USDC, USDT, and wETH pools reaching100%. The AAVE token experienced an approximately11% decline following the incident. The rsETH token itself depegged significantly, trading as low as $1,723 at certain points.

Despite the severity, the situation has stabilized through coordinated DeFi community action. Markets remain collateralized despite high utilization, with focus now on orderly rsETH backing restoration. However, users should monitor official channels from Kelp DAO, Aave, and LayerZero for final resolutions, as the situation continues to evolve.

**Lessons and Implications**

This incident exposes fundamental vulnerabilities in cross-chain bridge architecture, particularly the risks associated with single-point-of-failure DVN configurations. The restaking design of rsETH amplified these risks, highlighting how collateral vulnerabilities can cascade through interconnected DeFi protocols. The attack demonstrates the critical importance of multi-signature verification, robust monitoring systems, and rapid response capabilities in decentralized finance infrastructure.

The rsETH exploit serves as a stark reminder that while DeFi offers unprecedented financial innovation, it also carries significant technical risks that require constant vigilance, robust security practices, and coordinated community response mechanisms to address effectively.