#KelpDAOBridgeHacked ✨The decentralized finance system (DeFi) underwent its biggest stress test this year with the Kelp DAO bridge attack on Saturday, April 18, 2026, at 17:35 UTC. The Kelp DAO-supported Zero Layer bridge was tricked with a false verification message, and 116,500 rsETH—approximately $292 million—were withdrawn in a single transaction chain. This amount represents about 18% of the total rsETH supply of 630,000, and the event occurred within 46 minutes. The Kelp team halted the contracts using an emergency multi-signature at 18:21 UTC, but by then a large portion of the funds had already been transferred to ETH through addresses linked to Tornado Cash.

🧐Attack technique
LayerZero’s message layer checked the spoofed transfer instructions that appeared to come from another chain. This triggered the lzReceive function on the bridge, allowing an unauthorized minting process.
The attacker used a single verification loophole to mint 116,500 rsETH to their own wallet, then attempted to steal another 40,000 rsETH in two additional attempts; both attempts were thwarted thanks to Kelp’s emergency stop.
🧐Funds flow and leverage exploitation
Approximately $250 million of the stolen rsETH was quickly converted into ETH. Chain data shows the attacker borrowed 106,467 ETH (about $250 million).
The funds were used as collateral in Aave V3/V4, Compound V3, and Euler, resulting in the creation of a bad debt position exceeding $236 million.
🧐Affected assets and chains
The empty bridge supported wrapped rsETH reserves across more than 20 chains, including Base, Arbitrum, Linea, Blast, and Scroll. Now, rsETH exposure on Layer 2 networks faces collateral shortfalls.
Kelp halted contracts on the mainnet and Layer 2; it was mentioned that user funds were not stolen directly, but purchase operations were suspended again due to the lack of reserves.
🧐Market reaction
Aave froze rsETH markets in both V3 and V4 for hours. SparkLend and Fluid took the same step. Lido Finance also paused new deposits into its earnETH product. Ethena temporarily closed LayerZero OFT bridges for 6 hours as a precautionary measure.
The AAVE token lost about 10% of its value after the news. Outflows of rsETH increased relative to total value locked (TVL), further boosting the “flight to safety” trend in DeFi.
🧐Regulatory context
This became the biggest DeFi hack of 2026, surpassing the Drift protocol attack on April 1 (around $285 million). Losses from hacks and scams in the first quarter of 2026 had already reached $482 million.
On social media, the event strengthened the narrative that “re-staking + bridging = the weakest link.” Spanish and Portuguese communities highlighted Bitcoin stability during the same period as a counterexample to DeFi fragility.
🤔Conclusion and outlook
The KelpDAO attack once again proved that growth is outpacing security. In the short term:
rsETH liquidity will continue to contract, increasing the risk of discounted wrapped versions on Layer 2 networks.
Aave and other lending protocols will be forced to allocate reserves or disclose plans to compensate for bad debts.
Auditing firms and LayerZero will issue urgent updates to their message verification logic.
In the long term, the industry will impose standards such as multi-signature verification, real-time anomaly monitoring, and insurance funds for cross-chain bridges. The three biggest breaches exceeding $590 million within 18 days in 2026 indicate that institutional capital may shift to more regulated areas such as ETF البيتكوين until the security infrastructure matures.
The lesson for investors is clear: it’s not just the return that matters, but where and how the collateral is verified—which will be crucial. The Kelp DAO bridge attack entered history as the most tangible example of the “high utilization = high risk” equation in DeFi.
#Gate13thAnniversaryLive
#CryptoCommunity
#CreatorCarnival
#GateSquare