KelpDAO LayerZero Bridge Exploit Results in $293 Million Loss and $10.59 Billion DeFi TVL Decline

This incident highlights vulnerabilities in cross-chain protocols, potentially shaking investor confidence in DeFi ecosystems.

• An attacker exploited a vulnerability in KelpDAO's LayerZero bridge, minting $293 million in unbacked rsETH tokens.
• Aave suspended rsETH markets on V3 and V4, leading to a $10.59 billion drop in total DeFi TVL.
• Investigations are ongoing as the DeFi community grapples with the implications of this exploit.

• KelpDAO is a liquid restaking protocol that allows users to stake ETH and liquid tokens into rsETH, facilitating liquidity across multiple chains.
• The exploit stemmed from a compromised Decentralized Verifier Network (DVN) in the LayerZero bridge, enabling uncollateralized minting of tokens.
• Recent DeFi incidents, including the $285 million Drift Protocol hack, have raised alarms about security in the sector, making this exploit particularly concerning.

On April 18, 2026, at approximately 17:35 UTC, an unknown attacker took advantage of a vulnerability in KelpDAO's LayerZero-powered cross-chain bridge. This exploit allowed the minting of 116,500 unbacked rsETH tokens, which represented about 18% of the total supply and was valued at approximately $293 million. The attacker then deposited these illicit tokens as collateral on Aave V3 and V4, enabling them to borrow between $236 million and $250 million in Wrapped Ether (WETH).

The laundering of the proceeds was executed through Tornado Cash, a privacy tool that obscures transaction trails. This sequence of events triggered a significant market reaction, with Aave promptly freezing rsETH markets on both V3 and V4 to mitigate further exposure to the exploit.

By April 19, the total value locked (TVL) in DeFi dropped by $10.59 billion, a decline of 10.64%, according to DefiLlama. Aave's TVL alone contracted by 22%, amounting to a $6 billion decrease. KelpDAO's TVL on Arbitrum fell to zero, while its Ethereum TVL stabilized at $1.52 billion. The exploit not only exposed vulnerabilities in KelpDAO's infrastructure but also raised questions about the security of cross-chain bridges in general.

The aftermath saw Aave's token depreciate by 12-16%, and up to $200 million in bad debt accrued in Aave's WETH pool. This prompted withdrawal advisories ahead of potential slashing measures. The community has since engaged in discussions about the risks associated with restaking and cross-chain operations, emphasizing the need for enhanced security measures.

• DeFi investors: Those holding rsETH or using Aave may face immediate financial losses and liquidity issues.
• Developers: Teams working on cross-chain protocols may need to reassess security measures and protocols to regain user trust.
• Regulatory bodies: Increased scrutiny on DeFi protocols could lead to more stringent regulations, affecting operational frameworks.

• Investigations outcomes: The results of ongoing investigations into the exploit will determine accountability and potential recovery of lost funds.
• Market reactions: Watch for further declines in DeFi TVL and Aave's performance as the community assesses the fallout.
• Security enhancements: Look for announcements regarding improved security measures in cross-chain protocols to restore confidence among users.