KelpDAO Hack: $293 Million Stolen, Aave Loses $8 Billion — DeFi’s Worst Weekend

📋 In brief (TL;DR)
- $293 million stolen: restaking protocol KelpDAO hit by the largest crypto hack of 2026, exploiting a cross-chain bridge misconfiguration
- Lazarus Group identified: LayerZero attributes the attack to TraderTraitor, a North Korean unit that also struck Drift Protocol ($285M) just 18 days earlier
- Aave in crisis: $196 million in bad debt, $8.45 billion withdrawn in 48 hours, ETH pools at 100% utilization
- DeFi bank run: Justin Sun withdraws $154M in ETH from Aave, triggering widespread panic across all lending protocols
- $13.2 billion in DeFi TVL wiped out in two days — some analysts declare “DeFi is dead”
- Configuration flaw: KelpDAO used a single verifier (1-of-1 DVN) instead of LayerZero’s recommended multi-verifier setup
The weekend of April 18, 2026, will go down in decentralized finance history. In under 46 minutes, an attacker drained $293 million from restaking protocol KelpDAO, triggering a shockwave that rocked Aave, the world’s largest crypto lending protocol. Here’s how a single misconfiguration nearly brought DeFi to its knees.
46 Minutes to Steal $293 Million: Anatomy of the Attack
On Saturday April 18, between 17:20 and 18:40 UTC, a sophisticated attacker exploited a vulnerability in KelpDAO’s cross-chain bridge configuration. The protocol, which allows users to deposit ETH and receive rsETH tokens usable across 20+ blockchains via LayerZero, had a critical weakness: a single verifier (DVN) validated all cross-chain messages.
The attack unfolded in three phases:
- Phase 1 — Poisoning: the attacker compromised two RPC nodes used by LayerZero’s verifier, injecting malicious code designed to falsify data only for that specific verifier while remaining invisible to monitoring systems
- Phase 2 — DDoS: a denial-of-service attack forced failover to the poisoned nodes, effectively blinding the verifier
- Phase 3 — Extraction: the bridge released 116,500 rsETH (~$293M) to an attacker-controlled address, with no ETH actually transiting on the other side — tokens were literally “minted out of thin air”
KelpDAO’s emergency pause was triggered 46 minutes after the first drain. Two follow-up attempts (~$100M each) were blocked by the pause.
Lazarus Group: $578 Million Stolen in 18 Days
LayerZero officially attributed the attack to the Lazarus Group, specifically its TraderTraitor subunit, linked to North Korea’s regime. Evidence includes Tornado Cash-funded wallets, self-destructing malware, and the sophisticated DDoS + RPC poisoning combination.
Most alarming: the same unit had struck Drift Protocol on April 1, stealing $285 million through social engineering. In 18 days, TraderTraitor drained over $578 million from DeFi using two completely different attack vectors — technical infrastructure vs. human manipulation — demonstrating extraordinary versatility.
According to Chainalysis, North Korean hackers stole a record $2.02 billion in 2025, bringing their all-time total to $6.75 billion. 2026 is on track to surpass that record.
Aave: Bank Run and $196 Million in Bad Debt
The attacker didn’t just steal tokens. They deposited the stolen (worthless) rsETH as collateral on Aave V3 and V4, borrowing clean wETH against it. Result: $196 million in unrecoverable bad debt on Aave.
What followed was a nightmare scenario for DeFi:
- Justin Sun withdrew 65,584 ETH ($154M) in a single transaction, sparking panic
- Aave’s wETH, USDT, and USDC pools hit 100% utilization, freezing withdrawals
- $5.4 billion in ETH was withdrawn from Aave’s wETH pool within 24 hours
- Users unable to withdraw began borrowing stablecoins to “exit” — a $300 million borrowing spike
- Aave’s TVL dropped from $26.4B to ~$18B in 48 hours (-$8.45 billion)
The AAVE token plunged roughly 20% to around $90. Founder Stani Kulechov clarified that “Aave’s smart contracts were not compromised” — the flaw was external, but the consequences were devastating.
Contagion: $13.2 Billion in DeFi TVL Evaporated
The panic wasn’t limited to Aave. Over two days, total DeFi TVL dropped from $99.5B to $86.3B — a $13.2 billion wipeout. Nine major protocols took emergency action:
- Aave, SparkLend, Compound, Euler, Fluid — froze rsETH markets
- Lido Finance — paused earnETH deposits
- Ethena — suspended LayerZero OFT bridges for 6 hours
- Morpho, Sky — massive capital outflows
Justin Sun publicly offered to negotiate with the hacker: “OK — KelpDAO hacker, how much do you want? Let’s talk. You can’t spend $300 million anyway.” An unprecedented move reflecting the scale of the crisis.
LayerZero Points to KelpDAO’s Configuration
LayerZero was quick to clarify: this was not a protocol-level bug, but a configuration choice by KelpDAO. The protocol used a DVN (Decentralized Verifier Network) in a 1-of-1 configuration — a single verifier — despite LayerZero explicitly recommending multi-verifier setups with redundancy.
In response, LayerZero announced it will no longer sign messages for any project using 1-of-1 verifier configuration. The ZRO token nonetheless dropped nearly 30% before stabilizing.
Curve founder Michael Egorov summarized the lesson: “Cross-chain is hard and potentially risky. Only use cross-chain infrastructure when absolutely necessary, and do it really carefully.”
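The difference between the 1-of-1 verifier setup described above and a multi-verifier quorum can be shown with a small model. This is an added example, not LayerZero or KelpDAO code; the message format, the verifier names (`dvn-a` and so on), the pathway names and the `audit` rule are assumptions made for illustration.

```python
import hashlib

def payload_hash(message):
    """Hash the fields a verifier attests to (constructed message format)."""
    canon = "|".join(f"{k}={message[k]}" for k in sorted(message))
    return hashlib.sha256(canon.encode()).hexdigest()

def attest(rpc_view, nonce):
    """A verifier attests to whatever its own RPC source reports for a nonce."""
    msg = rpc_view.get(nonce)
    return payload_hash(msg) if msg else None

def verify(claimed, verifier_views, threshold):
    """Accept only if at least `threshold` verifiers attest to the claimed payload."""
    want = payload_hash(claimed)
    votes = sum(attest(view, claimed["nonce"]) == want
                for view in verifier_views.values())
    return votes >= threshold

def audit(pathways):
    """Return pathway names where one verifier alone can approve a message."""
    return sorted(name for name, cfg in pathways.items()
                  if len(set(cfg["verifiers"])) < 2 or cfg["threshold"] < 2)

# Constructed data: the source chain never sent nonce 7, but the RPC nodes
# behind one verifier were tampered with and report a forged transfer.
FORGED = {"nonce": 7, "to": "0xRECIPIENT_PLACEHOLDER", "amount": 116500}
LEGIT = {"nonce": 8, "to": "0xUSER_PLACEHOLDER", "amount": 10}
HONEST_VIEW = {8: LEGIT}
POISONED_VIEW = {7: FORGED, 8: LEGIT}

SINGLE = {"dvn-a": POISONED_VIEW}                       # 1-of-1
QUORUM = {"dvn-a": POISONED_VIEW, "dvn-b": HONEST_VIEW,
          "dvn-c": HONEST_VIEW}                         # 2-of-3, independent RPCs
PATHWAYS = {  # hypothetical pathway configs
    "single-verifier": {"verifiers": ["dvn-a"], "threshold": 1},
    "multi-verifier": {"verifiers": ["dvn-a", "dvn-b", "dvn-c"], "threshold": 2},
}

if __name__ == "__main__":
    print("forged, 1-of-1:", verify(FORGED, SINGLE, 1))
    print("forged, 2-of-3:", verify(FORGED, QUORUM, 2))
    print("legit,  2-of-3:", verify(LEGIT, QUORUM, 2))
    print("flagged:", audit(PATHWAYS))
```

The quorum only helps when the verifiers read from independent RPC infrastructure: in this model, two verifiers sharing the poisoned view would still approve the forged message at a threshold of 2.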
Key Takeaways for Investors
This hack raises fundamental questions about DeFi security:
- Toxic collateral risk: Aave accepted rsETH as collateral without real-time verification that tokens were actually backed by ETH
- Bridge dependency: cross-chain protocols remain DeFi’s weakest link, responsible for billions in cumulative losses
- Systemic contagion: a single hack can trigger a bank run across all of DeFi
- Persistent state-level threats: Lazarus has near-unlimited resources and constantly adapts its attack vectors
For DeFi users, caution is paramount: diversify across lending protocols, limit exposure to complex restaking tokens, and verify the security configurations of the protocols you use.
📚 Glossary
- DeFi (Decentralized Finance): Ecosystem of financial applications running on blockchains without centralized intermediaries. Includes lending, decentralized trading, and stablecoins.
- Restaking: Technique that allows already-staked ETH (via EigenLayer) to be reused to secure additional protocols, generating extra yield.
- Bridge: Infrastructure enabling token transfers between different blockchains. Historically the weakest point in DeFi security.
- TVL (Total Value Locked): Total amount of assets deposited in a DeFi protocol. The primary indicator of a protocol’s trust and size.
- Collateral: Asset deposited as guarantee to obtain a loan on a lending protocol like Aave.
Frequently Asked Questions
What is the KelpDAO hack and how much was stolen?
On April 18, 2026, an attacker exploited a misconfiguration in KelpDAO’s cross-chain bridge to steal 116,500 rsETH, worth approximately $293 million. It is the largest crypto hack of 2026. The attack lasted 46 minutes before being stopped by the protocol’s emergency pause.
Who is behind the KelpDAO hack?
LayerZero attributed the attack to North Korea’s Lazarus Group, specifically the TraderTraitor subunit. The same unit had stolen $285 million from the Drift protocol on April 1, 2026, bringing their 18-day total to over $578 million.
Was Aave itself hacked in the KelpDAO exploit?
No, Aave’s smart contracts were not compromised. However, the attacker used the stolen (unbacked) rsETH as collateral on Aave to borrow clean wETH. This created $196 million in bad debt and triggered a bank run with $8.45 billion in withdrawals over 48 hours.
Are my DeFi funds at risk after the KelpDAO hack?
The risk depends on which protocols you use. Aave froze its rsETH markets, and protocols without rsETH exposure were not directly affected. However, panic withdrawals spread across all DeFi lending platforms. Diversifying across protocols remains the best protection.
What is a cross-chain bridge and why is it risky?
A bridge enables token transfers between different blockchains. Bridges are historically DeFi’s weakest link, responsible for billions in cumulative losses since 2021. The KelpDAO hack shows that even a “decentralized” setup can be vulnerable when relying on a single verifier.
📰 Sources
This article draws on the following sources:
- CoinDesk – 2026’s biggest crypto exploit: Kelp DAO hit for $292 million (April 19, 2026)
- CoinDesk – LayerZero blames Kelp’s setup, attributes to Lazarus (April 20, 2026)
- The Defiant – Kelp DAO loses $293M, leaving Aave with over $200M in bad debt
- CoinCentral – $292 Million Gone in 46 Minutes: Inside the Kelp DAO DeFi Hack
- CoinDesk – DeFi TVL drops more than $13 billion in two days (April 20, 2026)
How to cite this article: Fibo Crypto. (2026). KelpDAO Hack: $293 Million Stolen, Aave Loses $8 Billion — DeFi’s Worst Weekend. Retrieved April 20, 2026 from fibo-crypto.fr



