DeFi bombshell: Kelp DAO cross-chain bridge hacked, resulting in nearly $300 million in losses and affecting multiple lending protocols

📄Full Article· Automatically extracted by trafilaturaGemini 翻譯1357 words

The DeFi sector experienced a major security incident yesterday. The cross-chain bridge under the liquidity restaking protocol Kelp DAO was hacked, leading to the massive abnormal minting and transfer of its native token rsETH. Preliminary estimates place the losses between $292 million and $294 million. Multiple DeFi platforms have suffered varying degrees of losses, including the largest DeFi platform, Aave, making this the largest DeFi security incident of 2026 to date. Incident Overview: Large-scale theft via forged cross-chain messages According to on-chain data and analysis, the attack occurred at 1:35 AM (UTC+8) on April 19. The hacker targeted the OFT (Omnichain Fungible Token) cross-chain bridge built by Kelp DAO on LayerZero. By forging cross-chain messages, the attacker successfully deceived the system into sending 116,500 rsETH (approximately 18% of the total circulating supply) to a wallet address controlled by the hacker. Investigations reveal that the attacker prepared funds via Tornado Cash and launched the attack after lying in wait for approximately 10 hours. The attacker subsequently exploited the vulnerability by triggering the lzReceive function of LayerZero. Notably, the hacker later attempted to steal another 80,000 rsETH worth approximately $200 million, but failed due to Kelp DAO’s emergency pause of the contracts. Impact Spread: Collateral damage to the DeFi lending market After obtaining the funds, the hacker quickly deposited the stolen rsETH as collateral into mainstream lending protocols such as Aave V3/V4, SparkLend, and Fluid, and borrowed large amounts of WETH/ETH. Once rsETH was flagged as a compromised asset, the aforementioned lending platforms faced severe risks of bad debt. Aave took immediate action following the incident, freezing the rsETH markets on V3 and V4 and suspending related deposit and borrowing functions. Although the Aave protocol itself was not hacked, it may incur significant bad debt. This incident highlights the "DeFi Lego" composability risk: a vulnerability in a single protocol's cross-chain bridge quickly triggered a chain reaction across multiple platforms. Kelp DAO Emergency Response and Current Status Upon detecting abnormal activity, Kelp DAO activated emergency mechanisms within 46 minutes, pausing rsETH contracts on the Ethereum mainnet and multiple L2 networks, and freezing core protocol functions. Kelp DAO is currently working with LayerZero, Unichain, security audit firms, and external security experts to conduct an in-depth investigation and has issued an official statement urging users to obtain the latest updates only through official channels. Latest status as of the afternoon of April 19: Contract Status: Relevant contracts remain in a paused state. Asset Flow: According to on-chain tracking, the hacker has converted approximately $250 million worth of stolen tokens into ETH. Technical Analysis: This incident is classified as a cross-chain bridge and messaging layer vulnerability (LayerZero OFT), rather than a direct breach of Kelp DAO’s core staking contracts. While the ETH collateral corresponding to the mainnet appears safe, cross-chain liquidity has been severely damaged, leading to a deadlock in wrapped ETH liquidity across multiple chains. Recommended Actions: As the incident occurred during a holiday, the response speed of several DeFi platforms has been noticeably slow. With large-scale staking withdrawals and asset conversions, there is a possibility that more DeFi platforms may suspend withdrawals and redemptions. It is recommended that users with funds staked on DeFi platforms withdraw their assets to self-custody wallets as soon as possible. Security researchers such as ZachXBT and PeckShield are continuing to monitor the hacker's addresses. Investigations are ongoing, and compensation plans for affected lending protocols and users have not yet been released. Investors should closely monitor follow-up announcements from Kelp DAO’s official accounts.

Data Status✓ Full text extractedRead Original (區塊客)

🔍Historical Similar Events· Keyword + Asset Matching6 items

2026-04-21

Kelp DAO hack triggers "DeFi chain reaction": Aave faces potential bad debt of up to $230 million

Similarity 220%關鍵字 dao/kelp/defi同分類 zh

2026-04-19

Kelp DAO suffers rsETH bridge hack! $292 million stolen, triggering chain reaction of freezes on Aave and Compound

Similarity 220%關鍵字 dao/跨鏈橋遭駭/kelp同分類 zh

2026-04-19

Kelp DAO rsETH bridge hacked for $292 million! Triggering chain reaction of freezes on Aave and Compound

Similarity 220%關鍵字 dao/跨鏈橋遭駭/kelp同分類 zh

2026-04-27