#Gate13周年现场直击



THE LARGEST DEFI EXPLOIT OF 2026 JUST HAPPENED AND THE FALLOUT IS STILL SPREADING.

On April 18, 2026, at 17:35 UTC, an attacker drained 116,500 rsETH tokens worth approximately $292 million from Kelp DAO's LayerZero-powered cross-chain bridge. The stolen amount represents roughly 18 percent of rsETH's entire circulating supply of 630,000 tokens, and the exploit has now been officially confirmed as the largest DeFi hack of 2026. This was not a random smash-and-grab. It was a precision infrastructure attack, months in the planning, executed in under 46 minutes.

How the attack worked:
Attackers pre-funded six wallets through Tornado Cash roughly 10 hours before the drain. They then compromised two of the RPC nodes that LayerZero's verifier relied on to confirm cross-chain transactions, replacing the node software with malicious versions that reported false transaction data to the verifier. A simultaneous DDoS attack forced a failover that brought the compromised nodes into the verification path. With the verifier deceived, Kelp's bridge released 116,500 rsETH to an attacker-controlled address.
Kelp's emergency multisig paused core contracts 46 minutes after the drain. Two follow-up attempts at 18:26 and 18:28 UTC, each targeting another 40,000 rsETH worth roughly $100 million, were blocked. The core restaking contracts were not touched. The exploit was isolated entirely to the bridge layer.

The root cause: a single point of failure
The attack only worked because Kelp operated a 1-of-1 verifier configuration, meaning LayerZero Labs was the sole entity verifying messages to and from the rsETH bridge. In a properly hardened multi-DVN setup, consensus across several independent verifiers is required to approve any cross-chain message. Compromising one node would not be enough to forge a valid instruction. LayerZero said its public integration checklist and direct communications to Kelp had recommended a multi-verifier setup with redundancy, but Kelp chose to maintain the 1-of-1 configuration.

Kelp is disputing this account. A source familiar with Kelp's position told CoinDesk that through a direct communications channel with LayerZero open since July 2024, no specific recommendation to change the rsETH DVN configuration was produced. LayerZero's own quickstart guide and default GitHub configuration point to a 1-of-1 DVN setup, and approximately 40 percent of protocols on LayerZero are currently using the same configuration. The public blame game between two major DeFi infrastructure providers is now its own story.

State-sponsored actor: Lazarus Group
LayerZero's incident statement reads: "Preliminary indicators suggest attribution to a highly-sophisticated state actor, likely DPRK's Lazarus Group, more specifically TraderTraitor." Lazarus Group has now been linked to both the Drift Protocol exploit on April 1 and the Kelp attack on April 18, meaning the same North Korean unit has drained more than $575 million from DeFi in 18 days through two structurally different attack vectors: social engineering governance signers at Drift, and poisoning infrastructure RPCs at Kelp. LayerZero has contacted multiple law enforcement agencies globally and is collaborating with Seal911 to trace the stolen funds.

The contagion: Aave, TVL, and bad debt
The attacker deposited the stolen rsETH onto Aave V3 as collateral and borrowed wrapped ether against it, leaving roughly $196 million in bad debt concentrated in the rsETH-WETH pair on Ethereum. Aave's incident report outlines two possible outcomes: approximately $123 million in losses if damage is shared across all rsETH, or up to $230 million if confined to Layer 2 networks, with the final impact depending on how Kelp DAO allocates the shortfall.

Total value locked on Aave dropped to $17.5 billion, down $8.8 billion over two days. The wider DeFi sector also saw heavy outflows, with total value locked across all chains declining from over $99 billion to around $86 billion. SparkLend, Fluid, and Lido Finance paused their rsETH-related markets. Ethena shut down its own LayerZero OFT bridges from Ethereum mainnet as a precaution despite having no direct rsETH exposure.

rsETH is deployed across more than 20 networks including Arbitrum, Base, Linea, Blast, Mantle, and Scroll. With the bridge reserve drained, holders on every L2 deployment now face uncertainty about whether their wrapped rsETH tokens have full backing, creating a redemption pressure loop that threatens to force Kelp to unwind EigenLayer restaking positions to honor withdrawals.

What this means for DeFi:
This exploit is not just a Kelp DAO story. It is a structural warning. Cross-chain bridges remain the most consistently exploited surface in DeFi, and this attack demonstrates that even battle-tested messaging infrastructure like LayerZero can be weaponized through configuration failures at the integration level. The Kelp exploit shows North Korea's Lazarus Group is evolving beyond isolated hacks, rapidly shifting tactics from social engineering to exploiting structural weaknesses in crypto infrastructure, suggesting a sustained, state-driven campaign rather than one-off incidents. Multi-verifier architecture, redundant RPC setups, and independent security audits of bridge configurations are no longer best practices. After April 18, 2026, they are survival requirements.
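The difference between the 1-of-1 verifier configuration described under the root cause and a multi-verifier setup can be checked mechanically. The following is an added example, not code from this post, LayerZero or Kelp: a simplified quorum model in which the policy fields, verifier names and hashes are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierPolicy:
    # Hypothetical policy shape for this example, not a real SDK type.
    required: frozenset              # every verifier here must attest
    optional: frozenset = frozenset()
    optional_threshold: int = 0      # how many optional verifiers must also attest

def min_compromised_to_forge(policy):
    """Distinct verifiers that must report false data before a forged message passes."""
    return len(policy.required) + policy.optional_threshold

def audit(policy):
    """Return configuration findings; an empty list means no issue was detected."""
    findings = []
    if policy.required & policy.optional:
        findings.append("verifier listed as both required and optional")
    if policy.optional_threshold > len(policy.optional):
        findings.append("optional threshold can never be met")
    if min_compromised_to_forge(policy) < 2:
        findings.append("single point of failure: one verifier can approve a message alone")
    return findings

def is_verified(policy, attestations, payload_hash):
    """attestations maps verifier name -> payload hash that verifier reports seeing."""
    if min_compromised_to_forge(policy) == 0:
        return False                 # fail closed: an empty policy approves nothing
    agree = {v for v, h in attestations.items() if h == payload_hash}
    if not policy.required <= agree:
        return False                 # a required verifier is missing or disagrees
    return len(agree & policy.optional) >= policy.optional_threshold

# Constructed sample data.
ONE_OF_ONE = VerifierPolicy(required=frozenset({"dvn-a"}))
HARDENED = VerifierPolicy(required=frozenset({"dvn-a", "dvn-b"}),
                          optional=frozenset({"dvn-c", "dvn-d"}),
                          optional_threshold=1)
FORGED, GENUINE = "0xforged", "0xgenuine"
# dvn-a has been fed false data; the other verifiers never see the forged message.
FORGED_VIEW = {"dvn-a": FORGED}
# For a real message, every verifier independently reports the same hash.
HONEST_VIEW = {v: GENUINE for v in ("dvn-a", "dvn-b", "dvn-c", "dvn-d")}

if __name__ == "__main__":
    for name, pol in (("1-of-1", ONE_OF_ONE), ("hardened", HARDENED)):
        print(name, audit(pol), is_verified(pol, FORGED_VIEW, FORGED))
```

Running `audit` over a deployment's verifier settings in CI turns the single-verifier case into a failed check rather than something discovered during an incident.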

#Gate13周年
#CreatorCarvinal
#KelpDAOBridgeHacked
Contains AI-generated content