#KelpDAOBridgeHacked Kelp DAO Bridge Hacked: $292 Million Exploit Shakes DeFi to Its Core

A catastrophic failure in cross-chain security has led to the largest DeFi hack of 2026, sparking a bitter blame game between Kelp DAO and LayerZero while threatening to cripple major lending protocols like Aave.

In what has quickly become the most devastating decentralized finance (DeFi) exploit of the year, Kelp DAO suffered a $292 million loss over the weekend. The attack targeted the protocol's LayerZero-powered cross-chain bridge, resulting in the theft of 116,500 rsETH tokens .

The incident, which occurred on April 18, has not only drained a significant chunk of Kelp's liquidity but has also triggered a cascading crisis across the ecosystem, pulling in lending giant Aave and sparking a heated dispute over who is ultimately responsible for the security failure .

The Attack Vector: How Hackers Bypassed Security

The attacker funded their wallet via Tornado Cash approximately 10 hours before the exploit, a classic obfuscation technique used by sophisticated hacking groups . Preliminary investigations, including those by blockchain sleuth ZachXBT, point toward the North Korean Lazarus Group as the likely perpetrator .

The mechanism of the attack was highly technical. According to reports, hackers compromised a list of RPC nodes used by LayerZero Labs' Decentralized Verified Network (DVN). By poisoning two nodes and launching a DDoS attack on the rest, the attackers forced the network to accept a fraudulent cross-chain message .

This fake message tricked Kelp DAO’s bridge contract into "releasing" 116,500 rsETH on the Ethereum mainnet that should have remained locked.

The Blame Game: Kelp DAO vs. LayerZero

In the aftermath, a public dispute has erupted between Kelp DAO and LayerZero regarding the root cause of the vulnerability.

· LayerZero’s Stance: The messaging protocol has squarely blamed Kelp DAO for using a "1-of-1 DVN" (Decentralized Verifier Network) configuration. They argue this setup created a catastrophic single point of failure, as there was no independent second validator to flag the malicious transaction. LayerZero claims it communicated best practices regarding diversification, but Kelp chose not to adopt them .
· Kelp DAO’s Defense: In a firm rebuttal, Kelp DAO rejected these claims, stating that the 1-of-1 DVN model was the default configuration outlined in LayerZero’s own documentation for new OFT (Omnichain Fungible Token) deployments. Kelp maintains it operated on this infrastructure since January 2024 and that the setup was previously confirmed as appropriate by LayerZero representatives .

Contagion Spreads: Aave Faces $230M Hole

The most severe fallout from the hack is the systemic risk posed to Aave, the leading DeFi lending protocol.

Instead of selling the stolen rsETH, the attacker deposited 89,567 of the tokens into Aave as collateral and borrowed approximately $190 million in WETH and wstETH . This has left Aave holding collateral whose value is fundamentally compromised.

According to an incident report by Aave Labs, the potential losses for Aave vary wildly depending on how Kelp DAO decides to allocate the shortfall:

1. Shared Loss ($124 million): If losses are spread across all rsETH holders (a 15% de-pegging event).
2. Layer 2 Isolation ($230 million): If losses are isolated solely to Layer 2 networks, leaving Aave’s mainnet holdings partially unbacked .

In response, Aave has frozen rsETH markets across V3 and V4, setting Loan-to-Value ratios to zero to prevent further borrowing. The Aave token (AAVE) dropped 10% following the news, and over $10 billion in Total Value Locked (TVL) fled the protocol as users rushed to withdraw funds .

Emergency Brakes: Arbitrum Freezes $71 Million

In a rare display of rapid governance intervention, the Arbitrum Security Council stepped in to freeze 30,766 ETH—valued at approximately $71.1 million—connected to the exploit on the Arbitrum One network .

The funds have been moved to an intermediary frozen wallet. Arbitrum stated that these assets will remain immobile pending a formal governance decision, which could result in refunding users . The council noted that it acted with input from law enforcement regarding the exploiter's identity .

What Happens Next?

As of now, the situation remains fluid but dire. Kelp DAO has paused its rsETH contracts across mainnet and multiple Layer-2 networks . The core issue facing resolution efforts is that Kelp DAO likely does not have the treasury size to cover the $292 million loss unilaterally .

Industry observers suggest that LayerZero may be forced to step in to save its OFT ecosystem reputation, or that Aave may need to utilize its DAO treasury ($181 million) to cover bad debt. However, both parties currently deny direct liability .