An attacker drained approximately $293 million from Kelp DAO on Sunday, April 19, 2026, marking the largest DeFi exploit of the year and pushing crypto sector losses above $605 million across at least 12 incidents in under 20 days. The breach exploited the LayerZero cross-chain messaging system, tricking Kelp's bridge into releasing 116,500 rsETH tokens to an attacker-controlled wallet.
What Happened
At 17:35 UTC on April 19, an attacker targeted LayerZero's EndpointV2 contract, the communication layer Kelp DAO uses to move its rsETH liquid restaking receipt token across more than 20 blockchain networks, including Arbitrum, Base, Linea, and Scroll. The attacker forged what appeared to be a legitimate cross-chain instruction, causing the Kelp bridge to release its rsETH reserve to the attacker's wallet.
The attacker prepared the operation roughly 10 hours in advance by funding the origin wallet through Tornado Cash, the sanctioned mixing service commonly used to obscure on-chain attribution.
Kelp DAO's emergency response team activated a protocol-wide pause at 18:21 UTC, freezing deposits, withdrawals, and rsETH contracts across mainnet and multiple Layer 2 networks. At 20:10 UTC, the team publicly acknowledged the incident, stating they were coordinating with LayerZero, Unichain, their auditors, and external security experts on root cause analysis.
What Was Taken
The attacker extracted 116,500 rsETH valued at approximately $293 million. This represents roughly 18% of the entire circulating rsETH supply, which sits at around 630,000 tokens. The stolen rsETH is backed by staked Ether derivatives such as stETH and cbETH deposited by Kelp users seeking liquid restaking yield.
No customer personal data was implicated. The loss is strictly on-chain: bridge reserve tokens that back the rsETH circulating on non-mainnet networks.
Why It Matters
The Kelp DAO exploit is the fifth confirmed crypto incident in April 2026 alone and the largest DeFi loss so far this year. With rsETH widely used as collateral on third-party lending platforms, any de-peg or insolvency event at Kelp propagates directly into borrowing markets, liquidation cascades, and downstream protocols that accept the token.
The incident also challenges confidence in LayerZero, one of the most widely adopted cross-chain messaging frameworks in DeFi. If the EndpointV2 verification logic was abused rather than Kelp-specific code, the blast radius could extend to any protocol relying on LayerZero for bridge message authentication.
The $605 million cumulative loss across 12 crypto entities in under 20 days signals an operational tempo of attacks against DeFi infrastructure not seen since the 2022 bridge exploit wave.
The Attack Technique
Based on Kelp's public statements and on-chain analysis, the attack abused cross-chain message verification in LayerZero's EndpointV2 contract. The attacker caused the contract to accept a forged or replayed message as if it originated from an authorized remote chain, which instructed the Kelp bridge to release 116,500 rsETH.
Preparation steps observed on-chain:
- The attacker funded the operational wallet via Tornado Cash approximately 10 hours before the exploit to obscure the funding origin.
- The attacker submitted a crafted cross-chain payload to the LayerZero EndpointV2 contract.
- The endpoint treated the message as valid, and the Kelp bridge contract released the rsETH reserve to the attacker's address.
Root cause analysis is ongoing. The precise failure mode, whether a flaw in LayerZero's Decentralized Verifier Network configuration, a misconfigured trusted remote, or a logic flaw in Kelp's receiving contract, has not yet been disclosed.
What Organizations Should Do
- Audit LayerZero integrations. Any protocol using LayerZero EndpointV2 should immediately review trusted remote configurations, DVN quorum settings, and message verification logic. Confirm that message authentication cannot be satisfied by a single compromised or misconfigured verifier.
- Freeze rsETH exposure in lending markets. Risk teams at lending protocols should evaluate whether to pause rsETH as collateral, tighten liquidation parameters, or reduce loan-to-value ratios until Kelp publishes root cause and recovery plans.
- Implement bridge rate limits and withdrawal caps. Protocols holding large reserves behind cross-chain bridges should enforce per-transaction and per-epoch withdrawal ceilings so that a single forged message cannot drain the full reserve.
- Monitor Tornado Cash funding flows. Security teams should ingest on-chain monitoring feeds that flag freshly funded wallets interacting with privileged bridge or verifier contracts, especially when funding originates from sanctioned mixers.
- Rehearse protocol-wide pause procedures. Kelp's 46-minute pause window is a useful benchmark. Teams should verify that emergency multisigs can halt deposits, withdrawals, and token transfers across mainnet and every supported L2 within minutes, not hours.
- Inventory receipt-token dependencies. Identify every liquid staking or restaking receipt token accepted across internal systems and map the upstream bridge and verifier dependencies. A vulnerability in one bridge can cascade into assets that appear unrelated on the surface.
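To make the rate-limit recommendation concrete, the following added example (not code from Kelp DAO or LayerZero) models per-transaction and per-epoch release ceilings and computes the worst-case loss over the 46-minute window before the pause. The reserve size and timestamps come from this article; the cap values, the class and the function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Figures from the article: 116,500 rsETH reserve, exploit 17:35 UTC, pause 18:21 UTC.
RESERVE = 116_500                      # whole tokens; real contracts use 18-decimal units
ATTACK_START = 17 * 3600 + 35 * 60     # seconds since midnight UTC
PAUSE_AT = 18 * 3600 + 21 * 60

@dataclass
class ReleaseLimiter:
    """Hypothetical model of per-transaction and per-epoch release ceilings."""
    per_tx_cap: int       # assumed value, chosen by the protocol's risk team
    per_epoch_cap: int    # assumed value
    epoch_seconds: int    # fixed-window epoch length
    epoch: int = -1       # index of the epoch being counted
    released: int = 0     # tokens released so far in that epoch

    def try_release(self, amount: int, now: int) -> bool:
        """Record the release and return True only if it fits both caps."""
        current = now // self.epoch_seconds
        if current != self.epoch:              # window rolled over: reset counter
            self.epoch, self.released = current, 0
        if amount <= 0 or amount > self.per_tx_cap:
            return False
        if self.released + amount > self.per_epoch_cap:
            return False
        self.released += amount
        return True

def drained_before_pause(limiter, reserve, start, pause_at, step=12):
    """Worst case: a forged message is accepted every `step` seconds until the
    pause, each requesting as much as the per-transaction cap allows."""
    taken = 0
    for now in range(start, pause_at, step):
        ask = min(limiter.per_tx_cap, reserve - taken)
        if ask > 0 and limiter.try_release(ask, now):
            taken += ask
    return taken

if __name__ == "__main__":
    limiter = ReleaseLimiter(per_tx_cap=500, per_epoch_cap=2_000, epoch_seconds=3_600)
    print("full-reserve message accepted:", limiter.try_release(RESERVE, ATTACK_START))
    loss = drained_before_pause(limiter, RESERVE, ATTACK_START, PAUSE_AT)
    # The 46-minute window straddles one hourly boundary, so two epoch caps apply.
    print(f"worst-case loss before pause: {loss} of {RESERVE} rsETH")
```

With fixed-window epochs the bound is the epoch cap multiplied by the number of epochs the incident touches, so the cap should be sized against the rehearsed pause time.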
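The monitoring recommendation above, sketched as detection logic over a transfer feed. This is an added example, not tooling from the article or from any named project: the address labels, the 24-hour freshness window and the sample records are constructed assumptions, with one record mirroring the roughly 10-hour gap between mixer funding and the bridge call described earlier.

```python
from dataclasses import dataclass

# All labels below are constructed placeholders, not real on-chain addresses.
MIXER_POOLS = {"mixer-pool"}                     # known mixer contracts
WATCHED = {"bridge-endpoint", "bridge-adapter"}  # privileged contracts to protect
FRESH_WINDOW = 24 * 3600   # assumption: mixer funding stays "fresh" for 24 hours

@dataclass(frozen=True)
class Transfer:
    ts: int       # seconds, relative to the start of the sample
    sender: str
    to: str

def flag_mixer_funded_callers(transfers):
    """Return (ts, wallet, contract, age_seconds) for every call to a watched
    contract from a wallet that received mixer funds within FRESH_WINDOW."""
    last_mixer_funding = {}   # wallet -> ts of most recent inbound mixer transfer
    alerts = []
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.sender in MIXER_POOLS:
            last_mixer_funding[t.to] = t.ts
        elif t.to in WATCHED and t.sender in last_mixer_funding:
            age = t.ts - last_mixer_funding[t.sender]
            if age <= FRESH_WINDOW:
                alerts.append((t.ts, t.sender, t.to, age))
    return alerts

# Constructed sample: wallet-a has a 10-hour gap between mixer funding and the
# bridge call; wallet-b is exchange-funded; wallet-c's mixer funding is stale.
SAMPLE = [
    Transfer(0, "mixer-pool", "wallet-c"),
    Transfer(2_500_000, "exchange-hot", "wallet-b"),
    Transfer(2_560_000, "mixer-pool", "wallet-a"),
    Transfer(2_590_000, "wallet-b", "bridge-adapter"),
    Transfer(2_592_000, "wallet-c", "bridge-endpoint"),   # 30 days after funding
    Transfer(2_596_000, "wallet-a", "bridge-endpoint"),   # 10 hours after funding
]

if __name__ == "__main__":
    for ts, wallet, contract, age in flag_mixer_funded_callers(SAMPLE):
        print(f"ALERT t={ts} {wallet} -> {contract}, mixer-funded {age / 3600:.1f} h earlier")
```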
Sources: Major DeFi hack becomes the largest of 2026 yet - AOL.com