
KelpDAO faces smart contract vulnerability attack

KelpDAO was hit by a major cyberattack on April 19, leading to the unauthorized creation of 116,500 rsETH tokens and an estimated loss of about 293 million U.S. dollars. On-chain analysis from Ember shows the attacker later consolidated roughly 106,466 ETH — worth around 250 million dollars — through collateralized borrowing and direct sales.

How the exploit worked

According to technical reviews, the breach was rooted in KelpDAO’s LayerZero-powered cross-chain bridge, which is meant to move assets between different blockchains.

The attacker:

  • sent a fraudulent message through the bridge to KelpDAO’s system
  • tricked the protocol into minting 116,500 rsETH with no real deposits behind it
  • used most of this unbacked rsETH as collateral on lending platforms, primarily Aave, to borrow large amounts of genuine ETH
  • sold a smaller portion of rsETH directly for immediate liquidity

Because other protocols treated the newly minted rsETH as valid, the attacker was able to convert “phantom” assets into real ETH, leaving lending markets exposed.

Scale of damage and bad debt

The fabricated rsETH underpins the estimated 292–293 million dollar loss, as the tokens had no underlying reserves.

On Aave in particular, rsETH was used as collateral to borrow ETH, creating an estimated 177–200 million dollars in bad debt — loans backed by now-worthless collateral.

The amount of exploited rsETH represented about 18% of the token’s circulating supply, making this the largest single DeFi exploit reported so far in 2026.

Emergency response by KelpDAO and Aave

KelpDAO’s team triggered emergency protections within 46 minutes of detecting the breach. The protocol:

  • paused core contracts, including rsETH, across multiple networks
  • blocked two further attempts by the attacker to drain an additional 40,000 rsETH, which could have added roughly 100 million dollars to total losses

Aave reported that its own core smart contracts were not directly compromised but:

  • froze rsETH markets on both its V3 and V4 deployments
  • moved to contain the fallout from rsETH being used as invalid collateral

One prominent Aave governance delegate posted on X: “If you have WETH on Aave V3 Core, withdraw now, ask questions later,” highlighting perceived risk around the main Ether lending pool.

Market reaction

The market response was swift:

  • Aave’s governance token price fell by more than 10%, trading around 105.73 dollars within hours of the news
  • Ether dropped roughly 3% during the same window

The sharp moves underscored broader concern about DeFi lending exposure and cross-chain infrastructure risk.

Ongoing risks to lending pools and rsETH holders

The core concern now centers on the unbacked rsETH that still collateralizes active loans:

  • lending pools exposed to rsETH face shortfalls if the collateral is written down to zero
  • wrapped versions of rsETH on secondary networks are under pressure, as the main-chain reserves that were meant to back them have been drained
  • there is risk of cascading liquidations and further price dislocations if confidence in rsETH and related pools deteriorates further

Participants using rsETH as collateral may be forced to add alternative collateral or repay loans to avoid forced liquidations. Those holding wrapped rsETH derivatives face uncertainty over how and when value can be restored.

DeFi security context and repeat patterns

The KelpDAO incident adds to a series of high-profile decentralized finance exploits, including attacks on Curve and Euler in 2023 and earlier breaches such as Opyn in 2020. Security firms note recurring themes:

  • shared dependencies and rapid protocol integrations extend the blast radius of single vulnerabilities
  • complex contract interactions and cross-chain bridges remain difficult to test comprehensively
  • common exploit types persist, including reentrancy attacks, flash loan abuse, and callback validation failures

In KelpDAO’s case, the breach followed a period of rapid platform growth and promotional campaigns aimed at boosting total value locked, a pattern that security analysts say can compress testing and review cycles.

Implications for cross-chain bridges and DeFi infrastructure

Because the root cause was in a LayerZero-powered cross-chain bridge, attention is turning again to bridge infrastructure as a systemic weak point in DeFi. Assets that depend heavily on similar cross-chain messaging or bridging systems may face renewed scrutiny over:

  • message validation and authentication
  • minting and redemption logic
  • emergency controls and monitoring around large or unusual transfers
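The minting-logic and emergency-control points above can be expressed as one destination-side check: refuse any bridge-triggered mint that would push supply above independently confirmed reserves, and pause when too much is minted in a short window. This is an added example, not code from KelpDAO, LayerZero or Aave. The MintGuard class, its thresholds and the sample supply figures are constructed assumptions; only the 116,500 mint amount comes from this article.

```python
from dataclasses import dataclass, field


@dataclass
class MintGuard:
    """Hypothetical guard in front of a bridge-triggered mint function."""
    supply: int                 # circulating tokens on this chain (whole units)
    backing: int                # reserves confirmed by an independent read of the source chain
    window_secs: int = 3600     # assumed rate-limit window
    max_window_bps: int = 200   # assumed cap: 2% of supply mintable per window
    paused: bool = False
    recent: list = field(default_factory=list)  # (timestamp, amount) of accepted mints

    def confirm_deposit(self, amount: int) -> None:
        # Called only after the deposit is verified out of band,
        # never on the strength of the bridge message alone.
        self.backing += amount

    def request_mint(self, ts: int, amount: int) -> str:
        if self.paused:
            return "rejected:paused"
        # Invariant: minted supply must never exceed confirmed reserves.
        if self.supply + amount > self.backing:
            self.paused = True
            return "paused:unbacked"
        # Rate cap: even a backed mint trips the breaker if the window total is too large.
        self.recent = [(t, a) for t, a in self.recent if ts - t < self.window_secs]
        in_window = sum(a for _, a in self.recent) + amount
        if in_window * 10_000 > self.supply * self.max_window_bps:
            self.paused = True
            return "paused:rate-cap"
        self.recent.append((ts, amount))
        self.supply += amount
        return "ok"


def run_sample() -> list:
    """Replay constructed mint requests and return the guard's decisions."""
    results = []
    g = MintGuard(supply=650_000, backing=650_000)   # constructed starting state
    g.confirm_deposit(1_000)
    results.append(g.request_mint(0, 1_000))         # backed and small
    results.append(g.request_mint(60, 116_500))      # no matching deposit
    results.append(g.request_mint(120, 10))          # arrives after the pause
    g2 = MintGuard(supply=650_000, backing=650_000)
    g2.confirm_deposit(50_000)
    results.append(g2.request_mint(0, 50_000))       # backed, but above the window cap
    return results


if __name__ == "__main__":
    print(run_sample())
```

Once either check trips, the guard stays paused until an operator intervenes, so follow-up requests are rejected rather than evaluated one by one.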

Analysts argue that from Opyn’s early exploits to the latest KelpDAO breach, the underlying issue remains the reliability of smart contract and bridge infrastructure. Each large-scale loss is reinforcing calls for:

  • deeper pre-deployment audits and formal verification of critical contracts
  • continuous on-chain monitoring and anomaly detection
  • stronger testing frameworks, especially for complex cross-chain integrations

What traders are watching next

Traders and protocol users are closely tracking:

  • official updates from KelpDAO and LayerZero on the investigation and any attempts at fund recovery
  • Aave governance discussions on how to handle rsETH-related bad debt and potential recapitalization measures
  • stability of rsETH and its wrapped versions across different networks
  • any spillover into other lending markets or bridge-dependent assets

With one delegate already urging immediate WETH withdrawals from Aave V3’s core pool, perceived risk levels remain elevated as the DeFi sector assesses the full impact of the KelpDAO exploit.



