What Went Wrong in Kelp DAO's $292M Exploit? | Blok Assets

Blockchain, Security, Governance

2026-04-22 • Ian Irizarry

TL;DR: Kelp DAO, a decentralized finance (DeFi) platform, suffered a $292 million exploit due to a vulnerability in its cross-chain bridge (source: TokenPost, "Kelp DAO Exploit 292M rsETH Defi Hack"). This incident underscores the critical importance of robust security measures for companies seeking funding in the DeFi space.

What Happened with Kelp DAO?

Here’s the thing: on April 18, 2026, Kelp DAO got hit hard by a major hack. An attacker found a hole in their LayerZero-based cross-chain bridge and managed to drain about 116,500 rsETH tokens—that’s roughly $292 million. To put it in perspective, that was nearly 18% of all the rsETH tokens floating around. (Source: TokenPost, "Kelp DAO Exploit 292M rsETH Defi Hack")

So, How Did the Hacker Pull It Off?

I've found that these exploits tend to come down to one tricky vulnerability. In this case, the culprit was the cross-chain messaging system LayerZero uses. The attacker sent a carefully crafted message to Kelp DAO's bridge, fooling it into releasing funds straight to a wallet they controlled. This wasn’t just a simple transfer—it involved calling the lzReceive function on the LayerZero EndpointV2 contract, which let them mint rsETH tokens without any real checks. Basically, the system got duped completely. (Source: Rareevo, "Kelp DAO Exploit 292M rsETH Defi Hack 2026")

How This Shook Other DeFi Platforms

The fallout didn’t stop with Kelp DAO. Other DeFi platforms felt the shockwaves. For example:

What Companies Should Learn from This

Make Security Your Top Priority

Investors these days don’t just look at the product; they want to see strong security. And honestly, it’s a game changer.

  • Regular audits by well-known security firms are a must.

  • Also, layering security helps. Using decentralized verifier networks with multiple validators can lower the risk of a single failure point taking you down.

Be Open, Even When Things Go Wrong

Kelp DAO and LayerZero didn’t shy away from talking publicly about what happened. Kelp DAO mentioned that LayerZero’s default 1-of-1 DVN setup was part of the problem. It’s a good reminder: transparency builds trust.

  • Keep your stakeholders updated on any security concerns or incidents.

  • Admit mistakes openly and share the steps you’re taking to fix them.

DeFi Isn’t an Island

The hack spilled over into other platforms, proving just how intertwined everything really is.

  • Always check the security of the platforms you connect with.

  • Don’t put all your eggs in one basket; diversify your partnerships to avoid systemic risks.

Quick aside: Just keep in mind that even the best security can’t guarantee 100% protection. There’s always some risk in DeFi, so preparedness is key.

Frequently Asked Questions

What exactly is rsETH?

It’s a liquid restaking token from Kelp DAO, representing Ethereum staked through EigenLayer to get better returns. (Source: TokenPost, "What exactly is rsETH?")

How did the exploit impact Aave?

The attacker used the stolen rsETH as collateral to borrow WETH on Aave V3. This created a bad debt risk estimated up to $230.1 million. (Source: CoinCentral, "Kelp DAO 292 Million Exploit Triggers Bad Debt Crisis on Aave")

What can DeFi platforms do to avoid hacks like this?

  • Regular security audits with trusted firms.

  • Use multi-signature wallets for critical functions.

  • Employ decentralized verifier networks with several validators to avoid single points of failure.
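
To make the single-verifier risk behind the 1-of-1 DVN default and the multi-validator advice concrete, here is an added example (not code from Kelp DAO, LayerZero or this article) that audits pathway configs for how many distinct verifier keys are enough to approve a message. The field names are modelled on LayerZero V2's UlnConfig as an assumption, whole-config inheritance of the default is a simplification, and all addresses and pathway names are constructed.

```javascript
// Added example (not Kelp DAO's or LayerZero's code). Simplified model of a
// per-pathway verifier config; field names follow LayerZero V2's UlnConfig as
// an assumption, and every address and pathway below is constructed.

const norm = (addrs) => [...new Set((addrs || []).map((a) => a.toLowerCase()))];

// Smallest number of distinct verifier keys whose sign-off is enough for the
// receiving side to accept a cross-chain message on this pathway.
function signersNeeded(cfg) {
  const required = norm(cfg.requiredDVNs);
  const optional = norm(cfg.optionalDVNs);
  const threshold = cfg.optionalDVNThreshold || 0;
  if (threshold > optional.length) {
    throw new Error("optional threshold exceeds optional DVN count");
  }
  // A DVN listed as both required and optional is still only one key.
  const overlap = optional.filter((a) => required.includes(a)).length;
  return required.length + Math.max(0, threshold - overlap);
}

// pathways: { name: cfg | null }; null = the app never set a config, so the
// library default applies (modelled here as whole-config inheritance).
function auditPathways(pathways, libraryDefault, minSigners = 2) {
  const findings = [];
  for (const [name, own] of Object.entries(pathways)) {
    const cfg = own ?? libraryDefault;
    let needed;
    try {
      needed = signersNeeded(cfg);
    } catch (err) {
      findings.push({ name, issue: "unsatisfiable", detail: err.message });
      continue;
    }
    if (needed < minSigners) {
      findings.push({ name, issue: "single-point-of-failure", needed, inherited: own === null });
    }
  }
  return findings;
}

// Constructed sample data: a 1-of-1 default and four pathways.
const DEFAULT_CFG = { requiredDVNs: ["0xAaa1"], optionalDVNs: [], optionalDVNThreshold: 0 };
const SAMPLE = {
  "eth->l2-a": null, // never configured, inherits the 1-of-1 default
  "eth->l2-b": { requiredDVNs: ["0xAaa1", "0xBbb2"], optionalDVNs: ["0xCcc3", "0xDdd4"], optionalDVNThreshold: 1 },
  "eth->l2-c": { requiredDVNs: ["0xAaa1"], optionalDVNs: ["0xaaa1", "0xBbb2"], optionalDVNThreshold: 1 },
  "eth->l2-d": { requiredDVNs: ["0xAaa1"], optionalDVNs: ["0xBbb2"], optionalDVNThreshold: 2 },
};
console.log(auditPathways(SAMPLE, DEFAULT_CFG));
```

Pathway "eth->l2-c" looks like a two-verifier setup but is flagged because the same key appears in both lists, which is the kind of hidden single point of failure a count of list entries alone would miss.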

Wrapping It Up

To sum up, the Kelp DAO incident really shines a light on how crucial security is in DeFi. If you’re a company trying to raise money, showing you take security seriously can make all the difference. Learning from these mistakes and taking proactive steps will help build a safer, more reliable ecosystem for everyone.
