The Largest DeFi Heist of 2026: After the Hack, the Attacker Briefly Exploited Aave

A Fake Message Scammed $292 Million: Kelp DAO’s Cross-Chain Bridge Drained in 46 Minutes

By Xiao Bing, TechFlow

At 17:35 UTC on the evening of April 18, a wallet that had laundered funds via Tornado Cash sent a cross-chain message to LayerZero’s EndpointV2 contract.

The semantic meaning of this message was simple: a user on another chain wished to bridge rsETH back to Ethereum mainnet. As designed, LayerZero faithfully relayed the instruction. Kelp DAO’s bridging contract deployed on mainnet also executed the release as intended.

116,500 rsETH—worth approximately $292 million at the time—were transferred in a single transaction to an address controlled by the attacker.

The problem? No one had ever deposited that amount of rsETH on the source chain. This “cross-chain request” was entirely fabricated. LayerZero believed it—and so did Kelp’s bridge.


Forty-six minutes later, Kelp’s emergency multi-signature transaction finally hit pause. By then, the attacker had already completed the second half of the operation: using the stolen, effectively unbacked rsETH as collateral in Aave V3 to borrow roughly $236 million worth of wETH.

This is the largest DeFi theft to date in 2026—exceeding even the $Drift protocol hack attributed to North Korean hackers on April 1 by several million dollars. Yet what truly chilled the industry wasn’t just the dollar figure.

How the Attack Unfolded: Three Attempts Between 17:35 and 18:28

Let’s reconstruct the timeline.

17:35 UTC — First successful exploit. The attacker invoked the lzReceive function on LayerZero’s EndpointV2 contract. A wallet funded via Tornado Cash transmitted a forged cross-chain data packet to Kelp’s bridging contract. The packet passed the contract’s validation, and 116,500 rsETH were released to the attacker’s address in a single, clean transaction.

18:21 UTC — Kelp’s emergency multi-sig froze rsETH core contracts on Ethereum mainnet and multiple L2s. Forty-six minutes after the attack began.

18:26 and 18:28 UTC — Two further attempts. Each carried a LayerZero data packet attempting to withdraw another 40,000 rsETH (approx. $100 million). Both reverted—the contracts were already frozen—but the attacker clearly kept trying to drain remaining liquidity.

From first success to Kelp’s public announcement: nearly three hours elapsed.
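An added example (not code from Kelp, LayerZero or the article's author): a minimal reconciliation check for the invariant the 17:35 release broke, namely that every mainnet release must match a debit observed on the source chain itself, read independently of the messaging layer. The record schema, chain labels, nonces and the per-release cap are assumptions constructed for illustration; only the 116,500 rsETH amount comes from the timeline above.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class SourceDebit:          # burn/lock read directly from the source chain
    chain: str
    nonce: int
    amount: Decimal

@dataclass(frozen=True)
class Release:              # release executed by the mainnet bridge contract
    time_utc: str
    chain: str              # source chain the message claims to come from
    nonce: int
    amount: Decimal

def reconcile(releases, debits, per_release_cap):
    """Return (alerts, unbacked_total).

    A release is backed only if an unused source-chain debit exists with the
    same (chain, nonce) and amount. Each debit is consumed once, so a replayed
    message is reported as unbacked too.
    """
    unused = {(d.chain, d.nonce): d for d in debits}
    alerts, unbacked = [], Decimal(0)
    for r in releases:
        debit = unused.pop((r.chain, r.nonce), None)
        if debit is None:
            alerts.append((r.time_utc, "NO_SOURCE_DEBIT", r.amount))
            unbacked += r.amount
        elif debit.amount != r.amount:
            alerts.append((r.time_utc, "AMOUNT_MISMATCH", r.amount))
            unbacked += max(r.amount - debit.amount, Decimal(0))
        if r.amount > per_release_cap:
            alerts.append((r.time_utc, "OVER_CAP", r.amount))
    return alerts, unbacked

# Constructed sample data: chain labels, nonces and the cap are made up.
CAP = Decimal("5000")
DEBITS = [SourceDebit("chain-a", 41, Decimal("12.5"))]
RELEASES = [
    Release("17:20", "chain-a", 41, Decimal("12.5")),    # ordinary, backed
    Release("17:35", "chain-b", 7, Decimal("116500")),   # amount from the timeline
]

if __name__ == "__main__":
    alerts, unbacked = reconcile(RELEASES, DEBITS, CAP)
    for alert in alerts:
        print(alert)
    print("unbacked rsETH:", unbacked, "-> pause bridge:", unbacked > 0)
```

Any non-zero unbacked total is a reason to pause automatically rather than wait for a manual multi-sig; the cap alert fires independently of the reconciliation result.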

Kelp’s first X post didn’t appear until 20:10 UTC, worded with restraint: “We’ve detected suspicious cross-chain activity involving rsETH and have paused rsETH contracts on Ethereum mainnet and multiple L2s. We are collaborating with LayerZero, Unichain, auditors, and external security experts to conduct root-cause analysis.”

But before any official statement, ZachXBT—the on-chain detective—issued an alert on his Telegram channel before 3 p.m. ET, listing six wallets linked to the theft and noting that all attacker wallets had pre-funded and laundered assets via Tornado Cash. He didn’t name Kelp DAO directly—but on-chain analysts connected the dots within hours.

This was a premeditated, minute-level execution. Pre-funded, laundered wallets; meticulously crafted cross-chain packets; seamless follow-up actions—bridging, then borrowing on Aave—each step timed like a metronome.

Steal—and Then Sabotage

If this had been a simple bridge vulnerability—steal 116,500 rsETH and exit—it would merely rank as a major incident in 2026. Kelp would absorb the loss, the community would digest it over a few days, and the industry would move on.

But the attacker had clearly done the math. rsETH’s secondary liquidity is thin; dumping $292 million on DEXes would incur massive slippage, eroding profits. A more elegant exit strategy was to package these unbacked, “thin-air” rsETH tokens as seemingly legitimate collateral and borrow highly liquid assets from lending protocols.

Hence the second step: depositing the stolen rsETH into Aave V3 as collateral and borrowing large amounts of wETH.

Why was this step fatal? Because Aave’s contracts—at that moment—were still valuing rsETH using its oracle price, while the bridge’s reserves had already been emptied. The economic foundation of this rsETH no longer existed. Yet the lending protocol continued issuing loans as if the collateral were fully backed, when it was, in effect, a worthless IOU.

The result: The attacker offloaded the risk of monetizing the stolen funds onto Aave’s wETH reserve pool.

Aave V3’s wETH pool is now absorbing bad debt. Solidity developer and auditor 0xQuit warned depositors on X that the wETH pool has effectively been impaired, and partial redemptions may only resume once Aave’s Umbrella fallback module clears the deficit.

The latest estimate for bad debt stands at ~$177 million—and this figure covers only the Ethereum mainnet side.

A Long-Anticipated Stress Test

For veteran DeFi users, this episode carries a familiar déjà vu—reminiscent of how Aave V2’s Safety Module absorbed losses during the 2022 Luna collapse.

This time, however, it’s Umbrella—the new-generation fallback system Aave launched at the end of 2025 to replace the old Safety Module—that has stepped into the spotlight. This event marks Umbrella’s first major real-world stress test of its automated bad-debt coverage mechanism.

Umbrella’s logic is straightforward: stake aTokens like aWETH, aUSDC, or GHO into corresponding Umbrella vaults to earn extra incentives—but when the underlying asset pool incurs a deficit, those staked assets are proportionally slashed to cover the shortfall.

This design looks pristine on paper. In Aave v3.3’s first month of operation, total pool deficits amounted to ~$400 against nearly $9.5 billion in outstanding loans—a ratio negligible enough to ignore.

But $177 million in bad debt belongs to an entirely different order of magnitude. For users who staked aWETH into Umbrella, this will be their first tangible experience of what “bearing slashing risk” truly means. Aave’s official stance remains cautious: “Should bad debt arise, Aave plans to use Umbrella assets to cover any financial shortfall. However, whether full coverage is possible, the slashing ratio, and the extent of principal loss for stakers—all remain unknown until settlement concludes.”

The Original Sin of Cross-Chain Bridges

What’s even more unsettling is the identity of the stolen rsETH.

rsETH is deployed across more than 20 networks—including Base, Arbitrum, Linea, Blast, Mantle, and Scroll—with cross-chain transfers handled by LayerZero’s OFT standard. The rsETH drained from the bridge constituted the reserve backing *all* wrapped rsETH on those chains.

This architecture sounds routine at first glance: a 1:1 reserve held in the mainnet treasury, enabling L2 rsETH holders to theoretically redeem anytime. But this mechanism rests on one critical assumption: the treasury actually holds the funds.

Now, the treasury is down 18%. Roughly 18% of Kelp’s total rsETH circulating supply has overnight lost its corresponding backing.

This triggers a feedback loop: if L2 holders panic and rush to redeem, pressure cascades onto the unaffected Ethereum-side supply—potentially forcing Kelp to unwind restaking positions to meet withdrawal requests.

Unwinding restaking isn’t instantaneous. EigenLayer withdrawals face delay periods; underlying validator exits involve queueing. If L2 rsETH holders collectively flood the redemption window, Kelp may simply lack time to prepare sufficient mainnet liquidity for payouts.

This is a fundamental risk inherent to bridge-reserve models: a failure in the single mainnet reservoir collapses hydraulic pressure across every downstream channel. Every L2 rsETH holder now faces the same binary choice: flee first—or trust Kelp to bail them out?

Panic swept across the entire DeFi lending landscape within hours.

Aave V3 and V4 rsETH markets froze; new deposits and rsETH-based lending channels were disabled.

SparkLend and Fluid followed suit, freezing rsETH markets.

Ethena—though declaring zero rsETH exposure and maintaining >101% over-collateralization—nonetheless proactively suspended its LayerZero OFT bridge originating from Ethereum mainnet for ~six hours. That reaction is telling: even players with no direct exposure paused LayerZero-related bridges.

Lido Finance paused new deposits into its earnETH product (which holds rsETH exposure), while emphasizing that stETH and wstETH remain unaffected—and that Lido’s core staking protocol is unrelated to this incident.

Upshift paused deposits and withdrawals for its High Growth ETH and Kelp Gain vaults.

This list continues to grow.

TechFlow Commentary: The Long Road to DeFi Security

As of this writing, Kelp DAO’s root-cause analysis remains ongoing. How much stolen rsETH can be recovered through security teams or white-hat negotiations? Can Aave’s Umbrella withstand this wave of bad debt? Will L2 rsETH holders trigger a bank run? Can AAVE and rsETH prices stabilize before the weekend ends?

Yet certain questions have already surfaced.

For instance: Can LRTs continue serving as qualified collateral for lending protocols?

Liquid Restaking Tokens (LRTs) were the darlings of Ethereum’s last cycle. EigenLayer launched the narrative of “one ETH, multiple yield layers,” which Kelp, ether.fi, Puffer, and others industrialized. The outcome: LRTs were formally added to the collateral whitelists of major lending protocols as structured assets.

This decision rested on an assumption: that LRTs’ peg mechanisms are robust enough, and that risks arising from multi-layered underlying asset dependencies can be fully modeled and isolated at the smart-contract level.

The Kelp incident punctured that assumption in a single afternoon. LRT risk doesn’t stem solely from underlying smart contracts—it also arises from their cross-chain distribution architecture; not just from one protocol, but from every dependency linking EigenLayer, LayerZero, and Aave. Each individual DeFi Lego block may look secure in isolation—but the assembled structure multiplies risk, rather than summing it.

In the coming months, all lending protocols still listing LRTs as high-tier collateral will need to re-evaluate risk parameters: collateral caps will shrink, liquidation buffers will widen, and some protocols may delist them outright.

DeFi’s moat has long been called “composability”—but this incident reminds everyone: composability is a double-edged sword. The network effects you pride yourself on become force multipliers in the hands of attackers.

This attacker planned the exit path in advance—not just theft, but weaponizing DeFi composability itself. The tighter the interdependencies between protocols—and the richer the composability—the broader the attack surface becomes, and the more financial Legos attackers can orchestrate.

DeFi security still has a long, arduous road ahead.