Kelp DAO's $292 Million Attack Exposes Structural Risks in DeFi, Single-Point Verification Proves Fatal Flaw

BroadChain, 04/23/2026, 12:16 PM
Summary

Kelp DAO suffered a $292 million attack due to its cross-chain bridge's single-validator configuration.

  BroadChain reported at 12:16 on April 23 that, in the early morning of April 19, Kelp DAO's LayerZero-based rsETH cross-chain bridge was attacked. Approximately 116,500 rsETH flowed out of the mainnet without corresponding burn records, resulting in a loss of approximately $292 million. Within one hour of the attack, Kelp urgently paused the contract. The attacker nevertheless attempted two further attacks; had the contract not been paused, the total loss could have reached $391 million.

  This is already the largest single-incident loss in the DeFi sector in 2026. The core of the attack is a single point of failure in the verification mechanism: Kelp adopted the weakest security configuration LayerZero allows, 1/1 DVN (one of one Decentralized Verifier Network), meaning a single verifier's signature is enough for a cross-chain message to pass. Security experts point out that this is essentially an architectural flaw that no audit can fix.
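To make the single-point-of-verification problem concrete, here is an added Python model (not code from BroadChain, Kelp or LayerZero) of LayerZero-style DVN policy: every required DVN must attest to a packet, plus at least a threshold of the optional DVNs. The config field names and the DVN names (`dvn-a` and so on) are assumptions; the audit function flags any policy that one party can satisfy alone, which is exactly the 1/1 setup described above.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class UlnConfig:
    # Assumed mirror of the receive-side DVN policy fields; not the real struct.
    required_dvns: frozenset
    optional_dvns: frozenset = frozenset()
    optional_threshold: int = 0


def is_verified(cfg: UlnConfig, attesting: set) -> bool:
    """A packet is deliverable only when every required DVN has attested
    and at least optional_threshold of the optional DVNs have as well."""
    if not cfg.required_dvns <= attesting:
        return False
    return len(cfg.optional_dvns & attesting) >= cfg.optional_threshold


def smallest_verifying_set(cfg: UlnConfig) -> frozenset:
    """Brute-force the smallest set of DVNs whose attestations alone satisfy
    the policy: the number of parties that must be compromised or colluding
    for a forged packet to be accepted."""
    pool = sorted(cfg.required_dvns | cfg.optional_dvns)
    for k in range(len(pool) + 1):
        for combo in combinations(pool, k):
            if is_verified(cfg, set(combo)):
                return frozenset(combo)
    raise ValueError("policy can never be satisfied")


def audit(cfg: UlnConfig) -> list:
    """Defender-side lint: report policies that a single party can satisfy."""
    n = len(smallest_verifying_set(cfg))
    if n == 0:
        return ["no DVN required: every packet is accepted"]
    if n == 1:
        return ["single point of verification: one DVN can authorise any packet"]
    return []


# Constructed sample policies: the weak 1/1 setup versus 2 required + 1-of-3 optional.
WEAK = UlnConfig(required_dvns=frozenset({"dvn-a"}))
HARDENED = UlnConfig(frozenset({"dvn-a", "dvn-b"}),
                     frozenset({"dvn-c", "dvn-d", "dvn-e"}), 1)
```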

  As early as January 2025, developers had reminded Kelp on the Aave governance forum that it should expand to a multi-validator configuration, but this suggestion was not adopted within 15 months. LayerZero subsequently announced it would stop approving messages for applications still using a single validator. The technical breach quickly triggered systemic contagion.

  The attacker deposited the stolen rsETH into multiple lending platforms such as Aave and Compound, borrowing over $236 million in real assets. Aave immediately froze the related markets, leading to a sudden tightening of liquidity and triggering a withdrawal wave exceeding $10 billion. At least nine protocols, including Fluid, Upshift, and Lido Earn, subsequently activated emergency responses.

  This exposed the risk that when LRTs (Liquid Restaking Tokens) are used as collateral in multi-layered compositions, the depletion of underlying reserves can unbalance the entire chain of trust at once. Attribution of this attack is disputed: LayerZero attributed it to the North Korean hacker group Lazarus Group, but security firm Cyvers stated that it has not yet confirmed clustering of the related wallets.

  The malicious node software used by the attacker automatically cleared traces afterward, increasing the difficulty of forensics. This reflects a lack of systematic collaboration within the DeFi industry regarding attack attribution and intelligence sharing. The consecutive occurrence of massive attack incidents indicates that DeFi's existing security management framework is facing severe challenges.

  Security evolution requires the joint participation of protocol designers, infrastructure layers, lending platforms, and other parties to recalibrate risk assumptions and establish more systematic information sharing and mandatory risk control mechanisms.