#rsETH攻击事件后续进展 Kelp DAO’s rsETH cross-chain bridge theft is the largest DeFi security incident to date in 2026, causing approximately $292 million in asset losses.

The attack occurred at around 17:35 UTC on April 18, 2026. The hacker exploited a configuration vulnerability in Kelp DAO’s LayerZero-based cross-chain bridge (using a 1/1 decentralized verification node DVN setup). By forging cross-chain messages, they minted about 116.5k rsETH tokens on the Ethereum mainnet out of thin air, without any real-asset backing.

These “air assets” were quickly deposited into major lending protocols such as Aave, Compound, and Euler as collateral, allowing borrowing of approximately $236 million in real WETH/ETH. Of this, Aave faces a potential bad-debt risk of as much as $177 million to $196 million.

About 46 minutes after the incident, Kelp DAO urgently paused the rsETH contracts on the mainnet and multiple Layer2 networks, preventing further attack attempts. But market panic spread rapidly: Aave’s TVL plunged from $264 million to $180 million within 24 hours, a decline of 32%, and the price of the AAVE token also fell by about 18%.

The incident exposed a systemic risk in the DeFi ecosystem involving “cross-chain bridges + re-staking derivatives.” A security gap in one link can propagate through composability to multiple protocols, creating a chain reaction. Although LayerZero recommends using at least a 2-of-3 DVN configuration, Kelp DAO still chose the extremely high-risk 1-of-1 single-point validation mode, which drew criticism as “protecting a bank vault with a single padlock.”

Currently, Kelp DAO and LayerZero are disputing responsibility, while the hacker still holds ETH worth about $175 million on the Ethereum chain. $BTC