A roughly $292 million exploit tied to KelpDAO’s bridge spilled into Aave and helped knock more than $13 billion off DeFi’s TVL in two days.
A weekend exploit tied to KelpDAO, a liquid restaking protocol, sent fresh stress through crypto lending markets. Around about 116,500 rsETH was drained, making it one of the largest DeFi exploits this year.
As the situation unfolded, users started pulling funds across multiple protocols, and total value locked dropped quickly.
Read also: Bitcoin on April 20: BTC Trades Near $75,000 Amid Iran Uncertainty
Contents
How The KelpDAO Hack Started
The attacker appears to have minted or spoofed KelpDAO’s own rsETH token contract via a compromised cross-chain message. Then, the minted rsETH were deposited into Aave as collateral.
Against that collateral, the hackers borrowed “clean” assets like ETH▼$1,664.82, effectively extracting real value from the system.
KelpDAO’s public response was slim and short. In an X post on April 18, the team said it had identified “suspicious cross-chain activity involving rsETH” and had paused rsETH contracts.
The team hasn’t shared further details since then.
DPRK Behind The Attack
LayerZero wrote in a separate X post that the exploit was tied to KelpDAO’s own rsETH configuration. The team framed the incident as a case of an application-level setup being misconfigured rather than a protocol-wide issue.
The team also said that “preliminary indicators suggest attribution to a highly-sophisticated state actor, likely DPRK’s Lazarus Group, more specifically TraderTraitor.” The LayerZero team added:
“This incident was isolated to KelpDAO’s rsETH configuration as a direct consequence of their single-DVN setup. There is zero contagion to any other cross-chain assets or applications.”
Crypto Community Strikes Back
But that explanation hasn’t fully settled the discussion. Parts of the crypto community pushed back, arguing that while KelpDAO chose the setup, it was LayerZero’s design made that setup possible in production.
- At the center of the heated debate is how DVNs (Decentralized Verifier Networks) work. These are the systems that verify whether a cross-chain message is valid.
- LayerZero’s model lets projects choose how many of these checkpoints they want. KelpDAO reportedly ran a 1-of-1 DVN configuration, meaning a single verifier could approve messages.
- Some say KelpDAO ignored guidance to use multiple verifiers. Others say the protocol still shares part of the risk because it allows this type of setup.
None of those claims have been formally confirmed by KelpDAO as root causes yet as the full technical breakdown is still unfolding.
KelpDAO Hack Hits DeFi TVL
The market impact got way bigger because Aave, the largest DeFi lending protocol, had rsETH markets live. Aave stressed that its own pools remained operational and that the problem didn’t come from a protocol bug.
Cyver’s chief technology officer, Meir Dolev, said the situation nearly escalated further as the hackers were just three minutes away from extracting an additional $100 million.
According to DefiLlama data, Aave’s TVL fell by more than 30% over the weekend, while the broader DeFi market lost over $13 billion in just two days.
Read more: What Does Q2 2026 Hold for Crypto? A Strategic Outlook
