On April 18, 2026, at 17:35 UTC, an attacker drained 116,500 rsETH — restaked ether — from Kelp DAO’s LayerZero-powered cross-chain bridge. At the time, those tokens were worth approximately $292 million and represented around 18% of rsETH’s entire 630,000-token circulating supply. It was the largest single DeFi exploit of 2026, and it immediately reignited one of the industry’s most uncomfortable recurring conversations: crypto bridges remain the weakest link in the decentralised finance stack.
How the Attack Happened
Kelp DAO is a liquid restaking protocol built on EigenLayer. Users deposit Ether, receive rsETH in return, and can then move that rsETH across chains via LayerZero’s cross-chain messaging infrastructure. The attacker identified a flaw in how the bridge verified the authenticity and state of transactions crossing between chains.
According to analysis from Galaxy Research and CoinDesk, the exploit involved manipulating the bridge’s message validation logic — essentially convincing the LayerZero oracle that a large transfer was legitimate when it was not. This class of vulnerability, sometimes called an oracle manipulation attack on bridge infrastructure, has appeared in multiple prior exploits including the Ronin Bridge hack in 2022 and the Wormhole exploit before it.
Once the rsETH was extracted from the bridge, the attacker fragmented the stolen tokens across 20 different chains, making on-chain recovery and fund tracing significantly more difficult. The deliberate spreading across chains is a forensic evasion technique that exploits the same cross-chain interoperability that makes DeFi composable — and vulnerable.
Why Bridges Keep Getting Hacked
The fundamental problem with cross-chain bridges is that they require trust assumptions that pure on-chain protocols do not. When a user moves an asset from Ethereum to Arbitrum or from Ethereum to Solana, they are not simply executing a smart contract — they are relying on an off-chain system to verify the state of two different blockchains and confirm that a transfer is valid.
Those off-chain verification systems — whether run by a set of validators, a multisig, or an oracle network like LayerZero — introduce the kind of attack surface that doesn’t exist in a single-chain DeFi protocol. A lending protocol on Ethereum that gets exploited typically has a single failure point. A bridge that spans 20 chains has 20 failure points, plus the failure points of the bridging infrastructure itself.
“The $292 million exploit tied to KelpDAO is the latest in a long line of crypto bridge hacks, underscoring how the systems designed to connect blockchains have become some of the easiest ways to break them,” CoinDesk noted in its post-mortem coverage.
Ledger’s security chief Guillemet was more blunt: “Trust in DeFi eroded as 2026 will most likely be the worst year in hacks.”
The Aftermath: Aave and Court Action
The Kelp DAO exploit triggered a secondary crisis at Aave, the largest DeFi lending protocol. Because rsETH was used as collateral in Aave lending positions, the exploit — and the subsequent depeg in rsETH’s price — led to a court-ordered freeze of $71 million in Aave-linked assets tied to the incident. Aave’s governance is fighting the freeze in court, in a case that pits traditional legal remedies against the on-chain immutability arguments that DeFi proponents have long used as a selling point.
The court action is itself significant. It suggests that traditional legal systems are increasingly willing to intervene in DeFi disputes — an uncomfortable development for a sector that has historically positioned itself as existing beyond the reach of any single jurisdiction.
Justin Sun, whose Tron-linked World Liberty Financial holds positions affected by the fallout, filed a separate lawsuit related to the incident. The involvement of multiple legal systems across multiple jurisdictions adds a layer of regulatory complexity to what was already the year’s most damaging technical failure.
What DeFi Protocols Are Doing Differently Now
The Kelp DAO hack has accelerated several conversations that were already underway in DeFi security circles:
Multi-layer validation: Protocols are exploring bridge architectures that require agreement from multiple independent oracle networks before a cross-chain transfer is confirmed — trading speed for security.
Insurance and coverage: On-chain insurance protocols like Nexus Mutual have seen renewed interest post-exploit. The challenge remains that coverage capacity lags far behind the actual value locked in vulnerable bridge infrastructure.
Slow-path exits: Some protocols are implementing time-delayed withdrawal mechanisms on bridge exits, giving security teams a window to flag suspicious transactions before they finalise.
Audits and formal verification: The exploit has renewed calls for independent audits of bridge smart contracts, with some governance forums passing emergency proposals to fund third-party reviews.
The Broader Implication for DeFi
The Kelp DAO exploit is not primarily a story about one protocol’s failure. It is a stress test of the multi-chain thesis — the idea that DeFi’s future lies in seamless asset movement across dozens of parallel blockchains, each specialised for different use cases.
That thesis is sound in principle. In practice, every bridge that connects those chains is a potential nine-figure loss event waiting for the right attacker with the right amount of patience. Until the industry solves the bridge security problem at a fundamental level — which likely requires new cryptographic primitives or fundamentally different cross-chain communication designs — the exploits will continue.
The question is not whether another bridge hack is coming. The question is how much the next one will cost.
FAQ
Q: What is Kelp DAO and what does it do?
A: Kelp DAO is a liquid restaking protocol built on top of EigenLayer. It allows users to deposit Ether and receive rsETH — a liquid restaking token that can be used as collateral in DeFi protocols or bridged across chains. At the time of the exploit, Kelp DAO held over $1.6 billion in total value locked.
Q: How did the attacker move $292 million without being traced?
A: After extracting rsETH from Kelp DAO’s LayerZero bridge, the attacker spread the funds across 20 different blockchain networks, making comprehensive tracing extremely difficult. Chain analysis firms have tracked portions of the movement, but recovery remains unlikely without voluntary cooperation.
Q: What is LayerZero and is it safe to use?
A: LayerZero is a cross-chain messaging protocol that powers bridges and cross-chain dApps. The Kelp DAO exploit targeted the bridge built using LayerZero’s infrastructure, not LayerZero’s core protocol itself. However, any bridge using oracle-based message validation carries inherent risk that users should account for when evaluating cross-chain DeFi positions.
Sources: CoinDesk, Galaxy Research, DEXTools, Ledger
