Kelp Attack Triggers DeFi Chain Reaction: TVL Falls to 12-Month Low, Aave Sees $8.4 Billion Outflow in Two Days

Kelp DAO Vulnerability Leads to Over $600 Million Loss in DeFi, TVL Drops to One-Year Low

BroadChain, 04/22/2026, 12:30 AM
This content has been translated by AI
Summary

Kelp DAO was attacked due to a validator node configuration error, allowing hackers to mint a large

BroadChain has learned, as of 00:30 on April 22 and citing CryptoNews, that Kelp DAO was attacked on April 18, 2026. The hacker, by compromising a single LayerZero validator node, minted 116,500 rsETH tokens not backed by actual assets. This incident has triggered over $6 billion in losses across the DeFi industry in recent weeks, with cumulative losses across various protocols nearing $10 billion. On-chain data shows that capital is withdrawing at an accelerating pace from restaking, lending, and cross-chain bridge protocols, with the total value locked (TVL) in DeFi falling to its lowest point in 12 months.

  The core question raised by this incident is whether a single misconfigured validator node has exposed the systemic fragility of the entire cross-chain DeFi infrastructure. Kelp DAO's rsETH cross-chain bridge relies on a single decentralized validator network node to verify LayerZero messages. This "1-of-1" single-point configuration had previously been flagged by security firm Halborn. The attacker (identified by LayerZero as the TraderTraitor group of the North Korean Lazarus Group) compromised two RPC nodes providing data to this validator and launched DDoS attacks on backup nodes to force a failover, ultimately injecting fraudulent messages to mint a massive amount of rsETH.

  Losses spread rapidly. The minted 116,500 rsETH created bad debt in lending markets that accepted the token as collateral, which Halborn described as an "echo chamber" for the forged messages. Analysis points out that the problem lies not with the tool itself but with how it was configured. This means the attack did not exploit a zero-day vulnerability but rather a misconfiguration for which warnings already existed. The single-point-of-failure validator architecture has become a clear attack surface.
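A configuration audit for the kind of single point of failure described above, as an added example that is not from the article, Kelp DAO, or LayerZero. It computes the fewest operators or upstream RPC providers whose compromise would reach the attestation threshold of an M-of-N verifier set. The `Verifier` model, the finding labels, and the sample data are constructed, and it assumes any one upstream provider can mislead a verifier because failover can be forced.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Verifier:
    name: str                 # constructed label, not a real node
    operator: str             # party that runs the verifier
    rpc_providers: frozenset  # upstream RPC sources it reads chain state from

def min_compromise(verifiers, threshold, key):
    """Fewest entities whose compromise yields `threshold` bad attestations.

    key(v) is the set of entities that can each subvert verifier v alone.
    Brute force over subsets; fine for small verifier sets.
    """
    entities = sorted(set().union(*(key(v) for v in verifiers)))
    for size in range(1, len(entities) + 1):
        for chosen in combinations(entities, size):
            subverted = sum(1 for v in verifiers if key(v) & set(chosen))
            if subverted >= threshold:
                return size
    return None

def audit(verifiers, threshold):
    """Return finding labels for an M-of-N verifier set (M = threshold)."""
    if not 1 <= threshold <= len(verifiers):
        return ["INVALID_THRESHOLD"]
    findings = []
    if threshold == 1:  # one attestation is enough to accept a message
        findings.append("SINGLE_ATTESTATION")
    if min_compromise(verifiers, threshold, lambda v: {v.operator}) == 1:
        findings.append("SINGLE_OPERATOR_QUORUM")
    # Assumption: failover can be forced, so any one upstream can mislead a verifier.
    if min_compromise(verifiers, threshold, lambda v: set(v.rpc_providers)) == 1:
        findings.append("SHARED_RPC_QUORUM")
    return findings

# Constructed sample configurations.
ONE_OF_ONE = [Verifier("v1", "op-a", frozenset({"rpc-1", "rpc-2"}))]
SHARED_RPC = [Verifier("v1", "op-a", frozenset({"rpc-1", "rpc-2"})),
              Verifier("v2", "op-b", frozenset({"rpc-1", "rpc-3"})),
              Verifier("v3", "op-c", frozenset({"rpc-4"}))]
INDEPENDENT = [Verifier("v1", "op-a", frozenset({"rpc-1"})),
               Verifier("v2", "op-b", frozenset({"rpc-2"})),
               Verifier("v3", "op-c", frozenset({"rpc-3"}))]

if __name__ == "__main__":
    for label, cfg, m in [("1-of-1", ONE_OF_ONE, 1), ("2-of-3 shared", SHARED_RPC, 2),
                          ("2-of-3 independent", INDEPENDENT, 2)]:
        print(label, audit(cfg, m))
```

The 2-of-3 set with distinct operators still fails the audit when two of its verifiers read from the same upstream provider, which is the dependency a threshold alone does not reveal.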

  TVL data reveals the severity of the capital flight. Under macro pressures, the total DeFi TVL had been contracting throughout Q1 2026, and the Kelp DAO incident accelerated this trend, causing a vertical drop. Data shows that within 48 hours of the attack on April 18, TVL outflows reached $13 billion. Among them, Aave's TVL plummeted from $26.4 billion to approximately $18 billion as it froze the rsETH market, prompting users to withdraw funds en masse to avoid potential bad debt risks. Aave's risk team is currently simulating two bad debt scenarios based on the recovery rate of the unsecured rsETH used as collateral.