The attacker didn't just steal $292M from KelpDAO. They wrapped it into fake collateral, posted it in Aave, and walked away, leaving legitimate lenders unable to withdraw as the entire protocol cascaded into panic.
On 19 April 2026, a single forged message crossed a cross-chain bridge. It was a LayerZero packet, the standard message format DeFi protocols use to communicate across blockchain networks. The message said: a deposit has been made, please mint the corresponding tokens. No deposit had been made. The tokens were minted anyway. What followed was one of the most technically sophisticated cascading exploits in DeFi history.
The theft itself was $292M. The second-order effect, legitimate Aave users unable to withdraw as rsETH collateral values collapsed, triggered a $13 billion bank run on one of DeFi's most trusted lending protocols. This is what DeFi composability risk looks like at scale.
KelpDAO is a liquid restaking protocol built on EigenLayer. When users deposit ETH or liquid staking tokens, KelpDAO issues rsETH, a receipt token representing the restaked position, deployable as collateral across DeFi. By April 2026, KelpDAO had approximately $1.6 billion in total value locked across 20 blockchain networks.
The attack targeted the LayerZero-powered bridge infrastructure underlying rsETH's cross-chain deployment. By manipulating the verifier infrastructure, the attacker forged a deposit message, causing the bridge to mint 116,500 unbacked rsETH tokens with no corresponding collateral. Those tokens were immediately deposited into Aave, Compound, and Euler to borrow approximately $230M in legitimate WETH and wstETH. The borrower walked away with real ETH. The protocols held rsETH positions backed by nothing.
The KelpDAO exploit is the clearest demonstration of DeFi composability risk in the 2026 ecosystem. rsETH was integrated as collateral in Aave, Compound, and Euler, three of DeFi's most widely used lending platforms. A single forged bridge message propagated financial damage across the entire ecosystem, affecting users who had never interacted with KelpDAO directly.
"Every DeFi protocol that accepts third-party tokens as collateral inherits the bridge security risk of every chain those tokens cross. The composability that makes DeFi powerful makes it catastrophically fragile."
Praveen Giri, Founder · QuantChainAnalysis| Protocol | Direct Impact | Status (May 2026) |
|---|---|---|
| KelpDAO | $292M rsETH minted unbacked; TVL collapsed from $1.6B | Bridge patched; Lazarus attribution confirmed |
| Aave v3 | rsETH collateral undercollateralised; $13B withdrawal pressure | rsETH markets frozen; normal operations resumed after 5 days |
| Compound / Euler | rsETH borrowing positions at risk | Emergency governance paused rsETH markets |
| Legitimate rsETH holders | Token price down 60%+ during crisis | Partial recovery as bridge patched and reserves audited |
The attack sequence began with a single anomalous minting transaction: 116,500 rsETH with no corresponding verified deposit event on the source chain. This pattern, minting without a verified deposit, is a zero-precedent anomaly in KelpDAO's transaction history. The mempool window was approximately 19 seconds.