LayerZero said on April 19 it is working with KelpDAO to contain and analyze a critical vulnerability tied to KelpDAO’s rsETH token, stressing that the issue does not impact other applications using its infrastructure.
The company said it has been monitoring the incident continuously since discovery and is cooperating with the Security Alliance to identify the root cause. A full post-incident report will be released once the investigation is complete.
Flaw isolated to KelpDAO rsETH implementation
LayerZero emphasized that the vulnerability sits in the application layer of KelpDAO’s liquid restaking token rsETH, rather than in the LayerZero protocol itself. The clarification is aimed at separating a product-specific failure from any structural weakness in LayerZero’s core messaging and interoperability stack.
The rsETH token is built on EigenLayer’s restaking framework, where multiple protocol risks accumulate on top of each other. The exploit surfaced after rsETH was deployed across chains using LayerZero’s infrastructure, creating a multi-layer security setup with several possible points of failure.
How the exploit unfolded
On April 18, an attacker exploited a flaw in KelpDAO’s cross-chain bridge for rsETH, allowing them to mint and withdraw around 116,500 unbacked rsETH, worth roughly $292 million at the time.
According to on-chain traces, the wallet involved had been funded just hours earlier via Tornado Cash. The attacker then issued a crafted call to a LayerZero contract that tricked KelpDAO’s bridge logic into releasing rsETH that was not properly backed.
KelpDAO activated emergency pause controls 46 minutes after the initial drain. That response blocked two further attempts to extract an additional 40,000 rsETH, which would have lifted the total exploited amount close to $400 million.
LayerZero maintains that the failure arose from how KelpDAO integrated with its interoperability layer, not from any bug in LayerZero’s protocol.
Aave faces nine-figure bad debt
The attacker quickly moved the newly created rsETH into Aave as collateral and borrowed an estimated 83,427 WETH and wstETH across Ethereum and Arbitrum.
Because the rsETH was effectively worthless, Aave is now left with unrecoverable bad debt estimated between $177 million and $200 million. In response, Aave froze rsETH markets on its V3 and V4 deployments.
Aave founder Stani Kulechov said the platform’s core smart contracts were not compromised, framing the damage as fallout from accepting tainted collateral rather than a direct protocol breach.
LayerZero’s incident playbook and transparency push
LayerZero has previously countered protocol-related rumors by publishing detailed technical analyses, often highlighting differences between configuration errors, version mismatches, and genuine protocol-level flaws.
In cases where incidents involve ecosystem partners, the company typically coordinates emergency fixes and remediation, then follows with public disclosures to preserve transparency. The current cooperation with KelpDAO and the Security Alliance fits into that pattern.
The firm’s stance in this episode is clear: the incident is a failure in a partner’s product integration, not a sign that LayerZero’s core messaging infrastructure is unsafe.
DeFi contagion risk in focus
The breach is now the largest decentralized finance exploit of 2026, surpassing the roughly $285 million theft from Solana-based Drift Protocol on April 1. It adds to a volatile month for crypto security but has so far not derailed broader market activity.
Total value locked across DeFi remains resilient, recently nearing the $100 billion mark. EigenLayer alone held over $9.8 billion in TVL as of April 14, underscoring how rapidly liquid restaking has grown by allowing the same underlying assets to secure multiple networks.
But this growth has come with greater complexity. Each additional layer — restaking, cross-chain bridges, and external messaging systems — adds new failure modes. The KelpDAO exploit has turned that theoretical risk into a concrete example.
Bridges and interoperability under scrutiny
Cross-chain bridges remain a critical but fragile part of DeFi’s plumbing. They enable large flows of value between blockchains, with some systems, such as Chainlink’s CCIP, handling around $18 billion in monthly volume.
The KelpDAO incident highlights how a single integration bug at the bridge or application layer can propagate across protocols, harming unrelated platforms that accept the compromised asset.
Market participants are now watching closely to see how KelpDAO and Aave manage the losses and whether governance processes move to socialize, absorb, or ring-fence the bad debt.
For LayerZero, the episode functions as a stress test of its broader ecosystem. While the firm has pushed to confine the blame to an application-level implementation, traders will be weighing not just protocol security but the operational standards of every project built on top of shared, layered infrastructure.

