On April 18, 2026, KelpDAO, a liquid restaking protocol, was drained of 116,500 rsETH worth about $292 million, roughly 18% of the token’s supply, in the largest DeFi exploit of 2026 and an attack LayerZero, Mandiant, and CrowdStrike attributed to the North Korean group TraderTraitor (UNC4899). The exploit targeted KelpDAO’s LayerZero-powered cross-chain bridge, which relied on a 1-of-1 Data Verification Network configuration with LayerZero Labs as the sole verifier, contrary to LayerZero’s own recommendation to use diversified multi-DVN setups. Rather than breaking smart-contract code, the attacker compromised the RPC infrastructure the lone DVN depended on, poisoning two nodes to forge cross-chain messages that tricked the bridge into releasing rsETH to an attacker-controlled address across more than 20 chains. About 89,567 rsETH was deposited as collateral on Aave to borrow roughly $190 million in WETH, leaving an estimated $177 million in bad debt on Aave, which froze rsETH markets on V3 and V4. KelpDAO’s emergency pauser multisig froze core contracts about 46 minutes after the drain, blocking two follow-up attempts, and the protocol later migrated rsETH from LayerZero’s OFT standard to Chainlink’s CCIP. The case is a landmark lesson in cross-chain single-point-of-failure configurations, off-chain infrastructure security, and composability-driven contagion.
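The single-verifier failure described above, as an added example that is not KelpDAO's or LayerZero's code: a simplified quorum model in which every required verifier plus a threshold of optional ones must attest the same payload hash before a message is accepted. The class, function and verifier names and the sample payloads are hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifierConfig:
    # Hypothetical model: every verifier in `required` must attest, plus at
    # least `optional_threshold` of the verifiers in `optional`.
    required: tuple
    optional: tuple = ()
    optional_threshold: int = 0

def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

def verifiers_to_compromise(cfg: VerifierConfig) -> int:
    """Minimum number of verifiers that must attest a forged message."""
    return len(cfg.required) + cfg.optional_threshold

def audit(cfg: VerifierConfig) -> list:
    """Return configuration findings; an empty list means no finding."""
    n = verifiers_to_compromise(cfg)
    findings = []
    if cfg.optional_threshold > len(cfg.optional):
        findings.append("optional threshold exceeds optional verifier count")
    if n == 0:
        findings.append("no verifier required: nothing is checked")
    elif n == 1:
        findings.append("single verifier: one poisoned dependency forges messages")
    return findings

def accept(cfg: VerifierConfig, payload: bytes, attestations: dict) -> bool:
    """attestations maps verifier name -> hash it observed on the source chain."""
    if verifiers_to_compromise(cfg) == 0:
        return False  # fail closed on an empty quorum
    want = payload_hash(payload)
    if not all(attestations.get(v) == want for v in cfg.required):
        return False
    agreeing = sum(1 for v in cfg.optional if attestations.get(v) == want)
    return agreeing >= cfg.optional_threshold

# Constructed sample data: FORGED was never emitted on the source chain.
FORGED = b"release rsETH to attacker address (constructed)"
GENUINE = b"no bridge message at this nonce (constructed)"
ONE_OF_ONE = VerifierConfig(required=("dvn_a",))
DIVERSIFIED = VerifierConfig(required=("dvn_a", "dvn_b"),
                             optional=("dvn_c", "dvn_d"), optional_threshold=1)
# dvn_a reads poisoned RPC nodes; the other verifiers see the real chain state.
ATTESTATIONS = {v: payload_hash(GENUINE) for v in ("dvn_b", "dvn_c", "dvn_d")}
ATTESTATIONS["dvn_a"] = payload_hash(FORGED)
```

With the same poisoned attestation from `dvn_a`, the 1-of-1 configuration accepts the forged payload and the diversified one rejects it, because `dvn_b` did not observe that message.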