#rsETHAttackUpdate

rsETH Attack Update: April 26, 2026

On April 18, 2026, at approximately 17:35 UTC, attackers exploited a critical vulnerability in Kelp DAO's LayerZero V2 cross-chain bridge for rsETH. This incident stands as the largest DeFi exploit of 2026 to date, with approximately 116,500 unbacked rsETH minted and drained—valued at roughly $292-293 million at the time of the attack, representing about 18% of rsETH's circulating supply.

How the Attack Worke

The exploit targeted Kelp's rsETH bridge mechanism, which uses a LayerZero lock-and-mint system. Under normal operation, funds are locked on the source chain and minted on the destination chain, with verification handled by a Decentralized Verifier Network. The vulnerability lay in the Unichain to Ethereum route, which was configured with a single verifier node rather than a multi-signature quorum.

Attackers, attributed to North Korea's Lazarus Group and its TraderTraitor sub-group, compromised two LayerZero Labs RPC nodes. They injected forged data simulating an rsETH burn on Unichain while simultaneously launching DDoS attacks on external RPCs to force failover to their compromised infrastructure. This manipulation tricked the lone verifier into approving a fraudulent LayerZero packet, releasing funds without any actual burn transaction occurring on the source chain.

Importantly, this was not a smart contract bug but rather an off-chain infrastructure attack involving RPC poisoning. The malware employed self-deleted after the exploit. A second attempted attack targeting approximately 40,000 rsETH valued at $95-100 million was successfully blocked by Kelp's emergency pause mechanism.

**Immediate Response and Market Impact**

Within one to two hours of detection, multiple protocols implemented emergency measures. Kelp DAO paused rsETH contracts across Ethereum and all Layer 2 networks while blacklisting attacker addresses. Aave V3 and V4 froze rsETH and wrsETH markets, setting loan-to-value ratios to zero, and later froze WETH on several chains before partially unfreezing Ethereum markets by April 21. Other affected protocols including SparkLend, Fluid, Upshift, Compound, Euler, and Lido similarly paused rsETH-exposed markets.

The attacker deposited 89,567 rsETH worth approximately $221 million as collateral on Aave V3 across Ethereum and Arbitrum, borrowing roughly 82,650 WETH valued at $190.9 million plus 821 wstETH worth $2.3 million. Health factors on these positions hovered between 1.01 and 1.03, indicating extremely leveraged and risky collateralization. Additional smaller deposits were made on Compound V3 and Euler.

The broader market felt significant shockwaves. Approximately $13 billion in total value locked exited DeFi platforms within two days. WETH utilization rates hit 100% on key chains, and rsETH depegged on Layer 2 networks. April 2026's total hack losses reached approximately $606 million, making it one of the costliest months in DeFi history.

**Current Recovery Status**

As of April 26, several positive developments have emerged. The Arbitrum Security Council successfully froze 30,766 ETH worth approximately $71 million from an attacker address on April 21. These funds are now held in a governance-controlled wallet, with coordination ongoing between the council and law enforcement agencies.

DeFi protocols have pledged approximately 43,500 ETH toward restoring rsETH reserves. Aave DAO has proposed contributing 25,000 ETH worth roughly $58 million through a DeFi United fund, which now totals approximately $161 million. Kelp and LayerZero are coordinating recovery efforts, with Aave's Umbrella module holding around $54 million in aWETH being considered as a potential offset mechanism.

Aave's April 20 incident report outlined two primary scenarios for handling potential bad debt. The first involves uniform loss socialization across all rsETH supply, resulting in a 15.12% depeg and approximately $124 million in total bad debt. The second scenario targets L2-only haircuts of 73.54% on remote rsETH holdings, which would create roughly $230 million in bad debt with severe impacts on chains like Mantle facing 71% shortfalls.

LayerZero has deprecated the vulnerable 1-of-1 DVN configuration and replaced compromised RPC infrastructure. They have confirmed no other applications were affected by this specific vulnerability.

**Key Takeaways**

The rsETH exploit highlights critical risks in cross-chain bridge architectures, particularly those relying on single-point-of-failure verification mechanisms and centralized RPC infrastructure. The attack demonstrates how off-chain components can be compromised even when smart contracts themselves are secure.

Ethereum mainnet rsETH remains fully backed by Kelp's staking deposits. The core issue lies in the Layer 2 bridge adapter, where 40,373 rsETH backs 152,577 claims, creating a shortfall of approximately 112,000 rsETH.

Full recovery of the initial $292 million remains unlikely in the near term. Chainalysis and Certik continue tracking fund flows. Aave's treasury of approximately $181 million plus ongoing revenues provide a buffer against realized losses. Both Kelp and Aave governance proposals remain active as the community debates loss allocation mechanisms.

Moving forward, the industry faces pressure to implement multi-DVN quorums, invariant monitoring systems, and comprehensive off-chain infrastructure audits. While restaking TVL has been shaken, Ethereum mainnet staking remains intact. All stakeholders should monitor Aave and Kelp governance forums plus LayerZero post-mortem reports for evolving developments.