On April 18, 2026, KelpDAO’s liquid restaking protocol suffered the largest DeFi exploit of the year after attackers drained approximately 116,500 rsETH, valued at $292 million, from its LayerZero-powered bridge. LayerZero Labs attributed the attack to North Korea’s Lazarus Group subgroup “TraderTraitor” and identified KelpDAO’s single-verifier bridge configuration as the root cause, enabling compromised RPC nodes to forge valid cross-chain messages.
The attacker pre-funded wallets through Tornado Cash roughly ten hours prior to execution, then exploited the verifier setup to trigger unauthorized fund releases. LayerZero’s investigation revealed that two of three nodes in its decentralized verifier network (DVN) had been poisoned, causing failover to compromised nodes. A properly hardened multi-verifier configuration would have required consensus across independent DVNs, preventing the exploit. LayerZero has since refused to sign messages for 1-of-1 DVN setups going forward.
Following the hack, the stolen rsETH was deposited as collateral on Aave V3, generating over $236 million in bad debt concentrated in the rsETH-WETH pair. Aave’s Umbrella reserve was activated to cover deficits, and market freezes were imposed across lending platforms including SparkLend, Fluid, Lido Finance, and Ethena. Aave’s TVL fell by $6.6 billion, from $26.4 billion to near $20 billion, underscoring the systemic impact of interoperability exploits.
Tron founder Justin Sun, exposed to Aave positions, withdrew roughly 65,584 ETH ($154 million) to mitigate personal losses before taking to X to directly appeal to the hacker for negotiations. Sun warned that continued non-cooperation could sink both KelpDAO and Aave, calling for a return of stolen funds to preserve DeFi stability. Industry leaders emphasized stronger bridge security standards and the adoption of redundant configurations to guard against state-level threat actors.
The incident has reignited calls for rigorous integration audits, real-time monitoring, and decentralized validation frameworks to secure cross-chain infrastructure. With total hack losses for April now exceeding $606 million, protocol teams and security firms are racing to implement defensive measures ahead of further high-profile exploits.
Comments (0)