Kelp DAO: $292 million exploit, Aave launches historic DeFi relief fund

📋 En bref (TL;DR)
- Kelp DAO lost $292 million in rsETH on April 18, making it the largest DeFi exploit of 2026
- The attack targeted bridge infrastructure, not a smart contract bug: compromised RPC nodes fed the system false data
- Aave suffered $8.4 billion in withdrawals and is committing 25,000 ETH from its treasury to the “DeFi United” relief fund
- DeFi TVL dropped $13 billion in 48 hours, falling below $87 billion
- Arbitrum froze $71 million in ETH linked to the exploit through its Security Council
- The Lazarus Group (North Korea) is suspected, following the Drift Protocol hack ($285M) two weeks earlier
On April 18, 2026, Kelp DAO fell victim to the largest DeFi exploit of the year. By targeting the protocol’s cross-chain bridge, attackers extracted 116,500 rsETH — approximately $292 million. The attack triggered a shockwave across the entire ecosystem, causing $13 billion in withdrawals over two days.
In response, Aave launched “DeFi United,” an unprecedented inter-protocol relief fund. The initiative has already gathered $160 million of the $200 million needed.
How the attack worked: not a bug, a deception
Unlike most DeFi exploits, the Kelp DAO breach didn’t result from a smart contract vulnerability. Attackers targeted the underlying infrastructure of the bridge, which used LayerZero’s messaging protocol to move rsETH across more than 20 blockchains.
The weak point: Kelp used a “1-of-1 DVN” (Decentralized Verifier Network) configuration. A single verifier — LayerZero’s — validated cross-chain messages. No redundancy.
Attackers compromised two internal RPC nodes used by this single verifier. Simultaneously, they launched a DDoS attack against the external fallback node. The verifier, stripped of all reliable sources, fell back on the compromised nodes. Those nodes confirmed a false message: a rsETH “burn” that never happened.
The Ethereum bridge then released 116,500 rsETH to the attacker’s address. As Ben Fisch, CEO of Espresso Systems, summarized: “Attackers compromised nodes and fed the system a false version of reality. The bridge worked as designed. It just believed the wrong information.”
Kelp and LayerZero trade blame
LayerZero pointed to Kelp’s configuration choice. “KelpDAO chose to utilize a 1/1 DVN configuration,” the protocol stated, adding that a multi-verifier setup would have rendered the attack ineffective.
Kelp DAO pushed back. The protocol claims the 1-of-1 configuration is the default recommended in LayerZero’s documentation, and estimates that 40% of protocols using LayerZero run the same setup.
The shockwave: $13 billion in TVL evaporated
The exploit triggered panic across all of DeFi. Within 48 hours, total TVL dropped from $99.5 billion to $86.3 billion — a $13.2 billion crash.
Aave, the leading DeFi lending protocol, was hit hardest. The attacker had deposited 89,567 rsETH as collateral on Aave to borrow approximately $195 million in ETH. Aave’s TVL plunged from $26.4 billion to $20 billion in 24 hours. The AAVE token fell 16%, dropping to $92.
Other protocols triggered emergency pauses: SparkLend, Fluid, Lido, and Ethena all froze certain operations within hours of the exploit.
“DeFi United”: an unprecedented relief fund
Facing a 163,000 ETH hole to fill, Aave launched the “DeFi United” initiative on April 23. This inter-protocol relief fund is a first in DeFi history. Its goal: raise approximately 100,000 ETH to restore rsETH’s backing.
Aave is proposing 25,000 ETH (roughly $58 million) from its treasury. Founder Stani Kulechov pledged 5,000 ETH from his personal fortune: “Aave is my life’s work and we’re working nonstop to find the best possible outcome for users.”
Contributors are lining up. Mantle offered a 30,000 ETH low-interest credit facility. EtherFi contributed 5,000 ETH. Lido is putting up 2,500 stETH. LayerZero, Ethena, and Frax Finance have also announced commitments. In total, over 43,500 ETH have been formally pledged.
Arbitrum freezes $71 million linked to the exploit
Arbitrum’s Security Council froze 30,766 ETH ($71 million) identified as linked to the attacker. Nine of twelve council members voted in favor. The funds remain in an intermediary wallet, accessible only through a full Arbitrum DAO vote.
This action reignited the decentralization debate. Governance interventions on user funds remain rare and controversial in an ecosystem that prides itself on being “permissionless.”
The Lazarus threat: two $285M+ attacks in 18 days
LayerZero attributes the attack “with preliminary confidence” to the Lazarus Group, a North Korean state-linked hacking unit. The TraderTraitor subunit is believed responsible.
The same group is suspected behind the Drift Protocol hack on April 1 ($285 million). In 18 days, two attacks exceeding $285 million each, using completely different vectors: social engineering for Drift, infrastructure poisoning for Kelp.
In total, over $750 million has been stolen from DeFi since the beginning of 2026. Bridges account for approximately 40% of cumulative Web3 losses since 2022, totaling over $2.8 billion.
Where things stand today
As of April 26, the DeFi United fund has gathered approximately $160 million of the $200 million needed — about 80% of the target. Aave’s proposal is at the ARFC (community consultation) stage and will need to pass a Snapshot vote followed by a formal AIP.
The AAVE token has recovered some losses. But the Kelp DAO exploit is an uncomfortable reminder: cross-chain bridges remain DeFi’s weakest link. Neither Kelp nor LayerZero has accepted responsibility. The real lesson is about hidden trust assumptions that users cannot evaluate.
📚 Glossary
- Kelp DAO: A DeFi liquid restaking protocol that tokenizes staked ETH for reuse in other protocols. Its rsETH token represents staked ETH.
- DeFi (Decentralized Finance): Financial services (lending, trading, savings) running on blockchains without banking intermediaries.
- Bridge: Infrastructure that transfers cryptocurrency from one blockchain to another. A critical and often vulnerable part of the ecosystem.
- Smart contract: A self-executing computer program deployed on a blockchain that automatically enforces coded rules without human intervention.
- TVL (Total Value Locked): The total value of cryptocurrency deposited in a DeFi protocol. A key indicator of ecosystem health.
- Exploit: An attack leveraging a technical flaw or configuration weakness to steal funds from a DeFi protocol.
Frequently Asked Questions
How much was stolen in the Kelp DAO exploit?
116,500 rsETH were extracted, worth approximately $292 million. It is the largest DeFi exploit of 2026, surpassing the Drift Protocol hack ($285 million).
How did the Kelp DAO attack work?
Attackers compromised the bridge’s infrastructure nodes, not a smart contract. They fed the single verifier false data to release funds against a non-existent burn.
What is the DeFi United fund launched by Aave?
It’s an inter-protocol relief fund aimed at filling the deficit left by the exploit. Aave contributes 25,000 ETH, with pledges from Mantle (30,000 ETH), EtherFi (5,000 ETH), and others. 80% of the target is reached.
Who is behind the Kelp DAO attack?
The attack is attributed with preliminary confidence to the Lazarus Group, North Korean state-linked hackers. The same group is suspected of the Drift Protocol hack two weeks earlier.
Are crypto bridges safe?
Bridges remain DeFi’s weakest link. Since 2022, they’ve generated over $2.8 billion in losses, accounting for approximately 40% of all Web3 theft.
📰 Sources
This article is based on the following sources:
- Chainalysis – Inside the KelpDAO Bridge Exploit (April 2026)
- CoinDesk – 2026’s Biggest Crypto Exploit: Kelp DAO Hit for $292M
- The Defiant – Aave Announces DeFi United Relief Fund
- CoinDesk – Arbitrum Freezes $71M in Ether Tied to Kelp DAO Exploit
How to cite this article: Fibo Crypto. (2026). Kelp DAO: $292 million exploit, Aave launches historic DeFi relief fund. Retrieved April 26, 2026, from https://fibo-crypto.fr/en/kelp-dao-exploit-292-million-aave-defi-united
The simplest way to buy, swap and manage your crypto
Join the first users and get priority access. No seed phrase, fees 3.5x lower, built-in DeFi yield.
Get early access →

