The biggest DeFi exploit of 2026 happened on Saturday. By Monday, the wreckage had spread far beyond Kelp DAO – and Ethereum’s largest lending protocol is now staring down a potential nine-figure loss.
How a Single Bridge Exploit Became a $13 Billion Problem
When attackers drained 116,500 rsETH tokens (roughly $292 million) from Kelp DAO’s cross-chain bridge on April 18, the initial reaction focused on Kelp itself. That shifted fast.
The attacker didn’t simply cash out. Instead, they deposited 89,567 rsETH into Aave as collateral and borrowed approximately $190 million in ETH and related assets across Ethereum and Arbitrum. This created what lending platforms fear most: loans backed by collateral that may no longer be worth what the books say it is.
Within 48 hours, Aave lost $8.45 billion in deposits as users rushed for the exits. Total DeFi TVL dropped from $99.5 billion to $86.3 billion – a $13.21 billion decline that rippled across Euler, Sentora, and every major lending and restaking protocol.
Two Paths, Neither Good
Aave Labs and risk assessor LlamaRisk published a governance report outlining two scenarios for the protocol.
Scenario 1: Losses are socialized across all rsETH holders. The token takes roughly a 15% haircut, and Aave absorbs about $123.7 million in bad debt. Ethereum Core takes the largest hit at $91.8 million.
Scenario 2: Losses stay confined to Layer 2 networks. Bad debt jumps to $230.1 million, concentrated on Mantle ($77.7 million shortfall), Arbitrum ($88.4 million), and Base. In this case, remote-chain rsETH gets repriced to its 26.46% backing ratio – a 73.54% haircut.
Aave’s DAO treasury holds around $181 million. If the worse scenario plays out, the protocol doesn’t have enough in the war chest to cover it.
Lazarus Group Strikes Again
LayerZero, whose messaging infrastructure Kelp used for cross-chain transfers, attributed the attack to North Korea’s Lazarus Group. Combined with the Drift Protocol exploit on April 1, that puts the same state-sponsored hacking unit at $575 million drained from DeFi in just 18 days.
The attack didn’t break any cryptography. Kelp’s bridge used a single-verifier configuration for LayerZero messages – a setup that LayerZero says it explicitly warned against. One forged verification was enough to create 116,500 rsETH out of thin air on Ethereum.
“The contracts weren’t broken,” one analysis on X noted. “One signature and 116,500 rsETH materialized out of thin air on Ethereum.”
LayerZero placed the blame squarely on Kelp’s configuration choices. Kelp fired back, claiming LayerZero’s “default settings” were the root cause. The finger-pointing continues while billions remain at risk.
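The single-verifier weakness described above, as a toy model added here for illustration (not Kelp's or LayerZero's code): a bridge endpoint accepts a message only when enough distinct, required verifiers attest to it. The verifier names and keys are constructed, and HMAC stands in for the verifiers' real signatures.

```python
import hashlib
import hmac

# Constructed verifier keys for the demo; real verifiers sign with their own keys.
VERIFIER_KEYS = {"verifier-a": b"key-a", "verifier-b": b"key-b", "verifier-c": b"key-c"}


def attest(verifier, payload, key=None):
    """Return the attestation a verifier would produce over a bridge payload."""
    key = VERIFIER_KEYS[verifier] if key is None else key
    return hmac.new(key, hashlib.sha256(payload).digest(), hashlib.sha256).digest()


def accept_message(payload, attestations, required, threshold):
    """Accept only if `threshold` distinct required verifiers attest to this payload."""
    if not 1 <= threshold <= len(required):
        raise ValueError("threshold must be between 1 and the number of verifiers")
    valid = set()
    for verifier, tag in attestations.items():
        if verifier not in required:
            continue  # attestations from unlisted verifiers never count
        if hmac.compare_digest(tag, attest(verifier, payload)):
            valid.add(verifier)
    return len(valid) >= threshold


def demo():
    forged = b"mint 116500 rsETH"  # message with no matching lock on the source chain
    # Assumption: exactly one verifier (verifier-a) has been subverted.
    attestations = {
        "verifier-a": attest("verifier-a", forged),
        "verifier-b": attest("verifier-b", forged, key=b"guess"),  # invalid tag
    }
    all_three = {"verifier-a", "verifier-b", "verifier-c"}
    single = accept_message(forged, attestations, {"verifier-a"}, 1)
    quorum = accept_message(forged, attestations, all_three, 2)
    honest = {v: attest(v, b"mint 10 rsETH") for v in ("verifier-b", "verifier-c")}
    legit = accept_message(b"mint 10 rsETH", honest, all_three, 2)
    return single, quorum, legit


if __name__ == "__main__":
    print(demo())
```

With a 1-of-1 policy the one subverted verifier is the whole trust boundary; under 2-of-3 the same message is rejected while honestly attested traffic still passes.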
The Liquidity Freeze Nobody Expected
The downstream effects caught many users off guard. Stablecoin markets on Aave hit 100% utilization as depositors tried to withdraw simultaneously. Borrowing surged by $300 million in a single day as USDT collateral holders scrambled for liquidity.
“Because users can’t withdraw due to 100% utilization, there has been a ~$300 million increase in borrowing with USDT collateral in just the past day since the rsETH exploit,” said monetsupply.eth, head of strategy at Spark, a competing DeFi lending platform.
Curve Finance, Ethena, and BitGo’s Wrapped Bitcoin all paused bridge-related activity. The contagion spread precisely because DeFi protocols are deeply interconnected – a design feature that also becomes a liability when trust in one asset breaks down.
What Comes Next for Ethereum DeFi
The timing is particularly rough. Just a week before the exploit, the Ethereum Foundation launched a $1 million security audit subsidy through its Trillion Dollar Security Initiative, offering to cover up to 30% of audit costs for Ethereum projects through a partnership with Areta and over 20 audit firms.
Spot Ethereum ETFs had logged seven straight days of inflows before the incident, pulling in $127.4 million on the most recent day alone. Fidelity led the charge, securing the majority of new institutional capital flowing into ETH.
The institutional momentum and the security gap now sit in sharp contrast. DeFi just showed the world that a misconfigured bridge verification – not a novel zero-day, not broken cryptography, just a default setting nobody changed – can cascade into a sector-wide crisis affecting billions.
Aave’s Umbrella security model, launched in June 2025 specifically to handle protocol bad debt, is getting its first real stress test. Whether it holds will shape how institutional money views DeFi risk management for the rest of 2026.
FAQ
Could this happen to other DeFi lending protocols?
Any protocol that accepts cross-chain bridged tokens as collateral faces similar risks. The exploit didn’t target Aave’s code – it targeted the assumptions baked into how collateral gets valued. Protocols relying on bridge-issued tokens without independent verification are exposed to the same attack pattern.
Will Aave depositors lose money?
It depends on how Kelp allocates the shortfall and whether Aave’s $181 million DAO treasury can cover the gap. Under the better scenario, bad debt sits at $124 million – manageable. Under the worse scenario, losses reach $230 million. Aave governance discussions are ongoing, and the protocol hasn’t ruled out recovery efforts or external support.
Is the Lazarus Group targeting DeFi specifically?
Evidence points strongly in that direction. Two attacks totaling $575 million in 18 days, using completely different attack vectors (social engineering for Drift, bridge exploitation for Kelp), suggest a coordinated campaign rather than isolated incidents. North Korea’s TraderTraitor unit has historically targeted crypto infrastructure to fund the regime.
