Kelp DAO $292M Hack: Postmortem of the Largest DeFi Exploit of 2026
April 19, 2026
At 17:35 UTC on April 18, 2026, an attacker submitted a crafted cross-chain message to Kelp DAO's LayerZero bridge. The bridge accepted it. 116,500 rsETH — about $292 million, roughly 18% of the token's entire circulating supply — was minted to an attacker-controlled wallet that had been funded through Tornado Cash ten hours earlier. No ETH ever changed hands on the source chain. rsETH was created out of thin air.
Kelp's emergency pauser multisig froze the core contracts 46 minutes later, at 18:21 UTC. By then the attacker had already deposited the stolen rsETH on Aave V3 as e-mode collateral and borrowed WETH against it. When Kelp paused the rsETH contracts in response, the rsETH collateral backing those loans became effectively worthless, leaving Aave with $177-200M in bad debt. Aave's WETH pool hit 100% utilization. Depositors pulled $6.2 billion through the weekend. TVL dropped 24%. AAVE fell 17.7% on April 19.
This is the largest DeFi exploit of 2026 and the largest cross-chain bridge exploit since the $624M Ronin hack in March 2022. It's also a case study in how an economic cascade between two separately-rated protocols can produce losses larger than either protocol's individual exposure.
What failed
The LayerZero protocol itself was not compromised. This is the critical distinction. Kelp used LayerZero's Omnichain Fungible Token (OFT) standard to bridge rsETH across 20+ EVM chains, and that standard gives protocols substantial latitude in how they configure the Decentralized Verifier Network (DVN) and verifier set for their deployment. Kelp's specific DVN configuration contained a weakness that allowed an adversarial message to satisfy the verifier checks without the corresponding source-chain state existing. The bridge did what it was configured to do. It was configured wrong.
This is the same class of failure that produced the $190M Nomad Bridge drain in August 2022 and the $611M PolyNetwork hack in August 2021. The bridge contract admits a message as valid, the message triggers privileged state changes (mint, unlock, transfer), and the economic damage is done before anyone reads the logs. The specific bug varies; the category is stable.
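An added illustration (not code from Kelp, LayerZero, Aave or Hindenrank) of the invariant a bridge monitor can check independently of the verifier set: every destination-chain mint must be matched by a source-chain send of the same amount, and no single inbound mint should be a large fraction of circulating supply. The event shapes, chain labels and the ~647,000 rsETH supply figure (back-derived from 116,500 being roughly 18%) are constructed assumptions for the example.

```python
"""Cross-chain mint reconciliation check (constructed example, not production code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeEvent:
    chain: str    # chain the event was observed on (assumed label)
    kind: str     # "sent" = source-chain lock/burn, "received" = destination mint
    guid: str     # message id linking a send to its receive (assumed field name)
    amount: int   # whole tokens, for readability


def reconcile(events, circulating_supply, max_single_mint_fraction=0.01):
    """Return a list of (guid, reason) alerts for mints that violate the invariants.

    1. A mint with no matching source-chain send is tokens created out of thin air,
       which is exactly what a verifier-configuration bypass produces.
    2. A mint whose amount differs from its send is a partial version of the same bug.
    3. A single mint above a fixed share of supply is anomalous regardless of proof.
    """
    sends = {e.guid: e for e in events if e.kind == "sent"}
    alerts = []
    for e in events:
        if e.kind != "received":
            continue
        src = sends.get(e.guid)
        if src is None:
            alerts.append((e.guid, "mint has no matching source-chain send"))
        elif src.amount != e.amount:
            alerts.append((e.guid, f"amount mismatch: sent {src.amount}, minted {e.amount}"))
        if e.amount > max_single_mint_fraction * circulating_supply:
            share = e.amount / circulating_supply
            alerts.append((e.guid, f"single mint is {share:.1%} of supply"))
    return alerts


# Constructed sample log, not real chain data: two clean transfers, one amount
# mismatch, and one unbacked mint sized like the April 18 event.
ASSUMED_SUPPLY = 647_000
SAMPLE_EVENTS = [
    BridgeEvent("ethereum", "sent", "0xa1", 500),
    BridgeEvent("arbitrum", "received", "0xa1", 500),
    BridgeEvent("ethereum", "sent", "0xa2", 1200),
    BridgeEvent("optimism", "received", "0xa2", 1200),
    BridgeEvent("ethereum", "sent", "0xa3", 100),
    BridgeEvent("base", "received", "0xa3", 1000),
    BridgeEvent("ethereum", "received", "0xbad", 116_500),
]

if __name__ == "__main__":
    for guid, reason in reconcile(SAMPLE_EVENTS, ASSUMED_SUPPLY):
        print(f"ALERT {guid}: {reason}")
```

The supply-share check fires on the unbacked mint even if a verifier bypass produced a message that looked valid, which is why it belongs in monitoring rather than only in the bridge's own verification path.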
What our rubric caught — and what it didn't
Our pre-hack scan had Kelp DAO at a C grade (rawScore 47). The top three risks we'd surfaced were:
- Hardcoded stETH:ETH 1:1 oracle enabling arbitrage during depeg
- KERNEL insurance death spiral (reflexive insurance token economics)
- Four-layer derivative nesting cascading slashing losses
None of these triggered the April 18 drain. The bridge wasn't on our top-3. It was listed as a mechanism and mapped into the protocol's interaction set, but the bridge's specific DVN configuration wasn't scored as a top risk because Kelp's LayerZero usage was assumed to inherit LayerZero's security rather than introduce a new failure mode on top of it. That assumption was wrong, and it's the same assumption most LRT protocols make about the cross-chain messaging layer they sit on.
What the rubric did catch: Kelp's interaction severity was already elevated (13/20), its track record was clean but derivative-heavy (the 4-layer nesting was explicitly flagged as an unprecedented risk pattern), and the scenarios we published predicted cascade unwinds from derivative layers. The scenario architecture was right. The specific trigger was different from the ones we'd modeled.
Post-hack we've downgraded Kelp from C (47) to D (70). Track record maxed out to 15 (realized $292M exploit). Interaction severity moved to 18/20. Protocol vitality moved to 9 reflecting the crisis state. A new collapse scenario has been added as realized rather than hypothetical, documenting the bridge verification bypass.
The Aave cascade
Aave V3 is a separately-rated protocol. Pre-hack it held a B- (31) grade with a strong 5+ year history and no material bad debt events. Our scan noted the March 2026 CAPO oracle misfire ($27M in wrongful liquidations), the March governance departures (ACI and BGD Labs both exiting), and the e-mode correlation-break tail risk for LST collateral. None of those scenarios predicted that the upstream issuer of one of Aave's listed LRTs would have its minting authority compromised.
That's what happened. The attacker's posture — post stolen LRT, borrow real asset, exit before the upstream issuer pauses — is a new attack pattern at Aave's scale. Euler Finance's 2023 $197M exploit involved a similar pattern of depositing manipulated collateral, but the manipulation there was internal to Euler's donation logic. The April 2026 incident is the first time a DeFi lender this large has absorbed a credit event sourced entirely from an upstream LRT issuer's bridge compromise.
Aave's Umbrella backstop (the stkAAVE-based safety module) is expected to cover the $177-200M shortfall. Whether it will is the next open question. If Umbrella is insufficient, stkAAVE holders face slashing to cover the remainder — a first-time event for the protocol.
We've downgraded Aave V3 from B- (31) to C (49). Track record +10 (first major bad debt). Interaction severity +4 (new Critical interaction for LRT collateral cascade). The realized scenario has been added documenting the upstream-bridge-exploit attack path.
What changes going forward
Bridge configurations are a first-class risk dimension, not an inheritance from the underlying messaging protocol. We've been scoring cross-chain mechanisms as if the messaging layer's audit history fully covered the protocol's use of it. KelpDAO's hack shows that configuration choices — verifier sets, DVN selection, signature thresholds — introduce failure modes that are invisible to the messaging protocol's own security assumptions. Our rubric is adjusting to score bridge configurations independently of the bridge substrate.
LRT listings at major lenders are a systemic dependency, not a collateral listing. When Aave V3 accepts rsETH as e-mode collateral, Aave's credit risk is now partially a function of Kelp's bridge security. Any LRT listed at a major lending protocol creates symmetric exposure: an exploit at the issuer pulls through into the lender's balance sheet within a single block. Aave holds $4B+ in LRT collateral across its markets. This is the single largest unmodeled dependency in DeFi credit today.
Emergency response time is the binding constraint. Kelp's pauser multisig responded in 46 minutes, which is exceptionally fast for a DeFi emergency response. It still wasn't fast enough — the attacker had already posted collateral and drained Aave's WETH pool before the pause landed. Pauser response time needs to be measured against borrow-and-exit time at every lender that accepts the paused asset as collateral. For practical purposes, that means sub-block response, which no current DAO multisig structure achieves.
Open-source code is now read faster than humans can patch it. The separate Mythos piece we published today covers this in depth. AI-accelerated vulnerability discovery makes configuration-level flaws — the kind Kelp's bridge exhibited — trivially discoverable. The window between "mistake exists in production" and "someone finds it" is collapsing.
The broader picture
Two weeks ago someone asked us whether restaking was overrated as a tail risk. The answer from our data was already "yes, and specifically because of cross-layer interactions that no single protocol's audits cover." April 18 is what that thesis looks like when it realizes. EigenCloud, ether.fi, Renzo, and the other LRT issuers are running similar cross-chain infrastructure with similar configuration surfaces. Any of them could be next.
This isn't the end of DeFi restaking. It's the end of the assumption that "well-audited base protocol + well-audited bridge + well-audited lender = well-audited stack." The stack is not audited. Only the pieces are. What sits between them is unpriced.
If you hold rsETH, agETH, or any LRT as collateral anywhere: read the rated exposure on the screener and rotate accordingly. Our watchlist will alert on grade changes automatically.
All ratings use Hindenrank's eight-dimension risk rubric. Lower score = lower risk. See the Kelp DAO and Aave V3 pages for full risk breakdowns, or screen LRT exposure across the directory.