BlockBeats News, April 19: Multi-chain liquidity staking platform KelpDAO was attacked early this morning. The attacker drained 116,500 rsETH from KelpDAO’s LayerZero-based cross-chain bridge, worth approximately $292 million, marking the largest DeFi exploit of 2026 so far. About 46 minutes later, KelpDAO responded by emergency pausing the multisig, freezing core components including the LRT deposit pool, withdrawal contracts, oracle, and rsETH token. Kelp stated they had detected abnormal cross-chain activities involving rsETH and had paused relevant contracts on the mainnet and several L2s, conducting root cause analysis in collaboration with LayerZero.
The two subsequent attacks launched by the attacker were unsuccessful, as the pause measures effectively prevented further fund outflows. The attacker attempted to transfer an additional 40,000 rsETH (around $100 million), and if successful, the total loss could widen to approximately $391 million. Following the incident, the Aave token experienced a 10% price drop. Market concerns arose regarding potential insolvency of the lending protocol due to this exploit. Aave has frozen the rsETH markets in V3 and V4, stating the incident is related to the rsETH asset itself, not the protocol smart contract. Aave is assessing the lending situation post-attack and mentioned that if there is insolvency, they will “explore paths to fill the gap.”
The majority of the stolen rsETH from KelpDAO’s attacker was deposited into Aave as collateral to borrow ETH, while a smaller portion was directly exchanged for ETH. The hacker acquired a total of 106,466 ETH (around $250 million) through collateralization and selling. For safety reasons, over $5.4 billion in assets swiftly left Aave after the hacker, through Aave, borrowed a considerable amount of ETH using fraudulently minted rsETH. Among them, Justin Sun reclaimed 65,584 ETH ($154 million). The money utilization rate on ETH in Aave reached 100% at one point.
Curve founder Michael Egorov stated, “This incident is a direct result of the prevalent ‘non-isolated borrowing’ model. While this model offers good scalability, it comes with higher risks, making risk management crucial. Aave v4’s hub and spoke model may be a step towards a semi-isolated, more secure direction.”
Crypto influencer benmo.eth expressed that the theft of rsETH from KelpDAO has far-reaching implications, shattering Aave’s security “halo,” and highlighting the risks of a unified lending market, now under intense scrutiny by whales. Aave V4 and modular lending could usher in future trends, potentially accelerating this transformation process. DeFi is likely to pivot from expansion to a more conservative security-focused mode, while also needing to address emerging AI-driven security threats like Anthropic Mythos.
Bankless co-founder Ryan Sean Adams wrote, “The frequency of hacks in crypto has reached an all-time high. I believe this is related to AI. AI is giving hackers ‘dark superpowers.’ Defense must catch up quickly, we are running out of time.”
