At 17:35 UTC on Saturday, April 18, 2026, someone minted 116,500 rsETH on Ethereum mainnet that had no backing behind it. That’s roughly 18% of KelpDAO’s entire circulating supply, worth about $292 million at the time the forged LayerZero packet cleared. Within minutes it was sitting as collateral on Aave, borrowing WETH against itself. Within an hour it had produced the largest single DeFi extraction of 2026 so far.
This piece was written in the first evening after the drain. KelpDAO and LayerZero have both promised post-mortems; final numbers on bad debt, compensation, and any supply migration will shift over the coming days. Treat the specific figures below as the best on-chain and analyst estimates available as of April 18–19, 2026.
The restaking contracts didn’t fail. The EigenLayer delegations are still intact. Mainnet rsETH is still backed by the legitimate user deposits sitting in KelpDAO’s node delegators. The core product was fine. What broke was the bridge — a LayerZero OFT adapter running on a one-of-one validator stack, which let a single forged signature instruct the adapter’s mainnet escrow to release tokens that shouldn’t have moved. Everything downstream is composability fallout.
Here is what happened, what broke, and who actually pays.
What KelpDAO Is, and Why the Bridge Mattered
KelpDAO is one of the larger liquid restaking token (LRT) protocols built on EigenLayer. Users deposit ETH or a whitelisted LST, the protocol delegates to a set of EigenLayer operators, and users receive rsETH: a token representing a claim on the restaked position plus accrued yield. By April, rsETH had crossed $1 billion in TVL and was integrated as collateral across most of the major lending markets and yield venues in DeFi.
rsETH lives natively on Ethereum, where the restaking contracts sit. But its utility depends on being everywhere: Arbitrum, Base, Mantle, Unichain, Linea, and roughly a dozen other L2s and sidechains. KelpDAO uses a LayerZero OFT (Omnichain Fungible Token) adapter to move rsETH across chains. The adapter is the bridge. When rsETH leaves Ethereum, it’s locked in an escrow contract on mainnet, and a matching amount is minted on the destination chain. When a cross-chain message comes back, the escrow releases.
That escrow release is what got spoofed.
The Attack: A Single Forged lzReceive Call
The entire drain happened in one transaction:
0x1ae232da212c45f35c1525f851e4c41d529bf18af862d9ce9fd40bf709db4222
The call landed on LayerZero’s EndpointV2 contract at 0x1a44076050125825900e736c501f859c50fE728c with a forged origin packet claiming to come from source Endpoint ID (EID) 30320. The endpoint passed the payload to KelpDAO’s rsETH OFT adapter at 0x85d456B2DfF1fd8245387C0BfB64Dfb700e98Ef3. The adapter, trusting the message, released 116,500 rsETH from escrow into attacker address 0x8B1b6c9A6DB1304000412dd21Ae6A70a82d60D3b. One Transfer, one OFTReceived, one PacketDelivered. Roughly $292 million.
The forgery worked because the adapter’s security stack was configured to accept the attestation of a single verifier. LayerZero’s OApp configuration model lets the application developer choose how many “DVNs” (Decentralized Verifier Networks) must sign off on an incoming message before it’s delivered, plus any optional verifiers. For the rsETH OFT, both sender-side and receiver-side configs read the same way:
requiredDVNs: [LayerZero Labs]
requiredDVNCount: 1
optionalDVNs: []
optionalDVNCount: 0
The sender-side DVN contract (0x282b3386571f7f794450d5789911a9804fa346b4) and the receiver-side DVN (0x589dedbd617e0cbcb916a9223f4d1300c294236b) both ran a one-of-one validator stack operated by LayerZero Labs. One forged signature was enough to make any cross-chain message look real. An entirely legitimate rsETH transaction had settled through the exact same DVN two days earlier, so this wasn’t a dormant testnet artifact; it was the live production setup.
On-chain analyst @senamakel was the first to post the OApp config publicly, roughly three hours after the drain. A follow-up reply from researcher @BranchM in the same thread clarified something important: the compromise wasn’t Unichain-specific. The DVN contract and its signing keys sit on Ethereum, so the attacker could have spoofed any source chain the adapter trusted. Changing the source EID from Unichain to Arbitrum would have produced the same outcome. The DVN itself was the single point of failure; the source chain was cosmetic.
LayerZero’s protocol wasn’t broken. The configuration KelpDAO (and whoever advised them) deployed was. A multi-DVN stack, typically two-of-three or three-of-five in production deployments handling significant value, would have required the attacker to compromise multiple independent verifier networks simultaneously. They only had to compromise one.
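A config review for this failure mode can be automated. The sketch below is an added example, not KelpDAO’s or LayerZero’s code: it computes how many distinct operators would have to be compromised to forge a packet under a given DVN configuration, counting two DVNs run by the same operator as one. The DVN labels, the operator-b and operator-c names, the operator mapping and the two-operator policy floor are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class UlnConfig:
    # Mirrors the config quoted above. optional_threshold corresponds to
    # LayerZero's optionalDVNThreshold: how many optional DVNs must attest.
    required_dvns: list
    optional_dvns: list = field(default_factory=list)
    optional_threshold: int = 0

def min_operators_to_forge(cfg, operator_of):
    """Fewest distinct operators whose signing keys must be compromised
    before a forged packet would pass verification under cfg."""
    # Every required DVN must attest, so all of their operators are needed.
    needed = {operator_of[d] for d in cfg.required_dvns}
    remaining = cfg.optional_threshold
    groups = {}  # operator -> number of optional DVNs it runs
    for dvn in cfg.optional_dvns:
        op = operator_of[dvn]
        if op in needed:
            remaining -= 1  # already-compromised operator signs for free
        else:
            groups[op] = groups.get(op, 0) + 1
    # Each DVN has exactly one operator, so taking the operators that run
    # the most optional DVNs first reaches the threshold with the fewest.
    extra = 0
    for size in sorted(groups.values(), reverse=True):
        if remaining <= 0:
            break
        remaining -= size
        extra += 1
    return len(needed) + extra

def audit(name, cfg, operator_of, min_operators=2):
    """Return findings; min_operators=2 is an assumed policy floor."""
    findings = []
    if cfg.optional_threshold > len(cfg.optional_dvns):
        findings.append(f"{name}: optionalDVNThreshold exceeds optional DVN count")
    n = min_operators_to_forge(cfg, operator_of)
    if n < min_operators:
        findings.append(f"{name}: {n} operator(s) suffice to forge a packet")
    return findings

# Constructed sample data: DVN labels and operator-b/operator-c are placeholders.
OPERATORS = {"lz-labs-dvn": "LayerZero Labs", "dvn-b1": "operator-b",
             "dvn-b2": "operator-b", "dvn-c": "operator-c"}
AS_DEPLOYED = UlnConfig(required_dvns=["lz-labs-dvn"])          # 1-of-1
SAME_OPERATOR = UlnConfig(required_dvns=["dvn-b1", "dvn-b2"])   # 2 DVNs, 1 operator
HARDENED = UlnConfig(required_dvns=["lz-labs-dvn"],
                     optional_dvns=["dvn-b1", "dvn-c"], optional_threshold=1)

if __name__ == "__main__":
    for name, cfg in [("as-deployed", AS_DEPLOYED),
                      ("same-operator", SAME_OPERATOR), ("hardened", HARDENED)]:
        print(name, audit(name, cfg, OPERATORS) or "ok")
```

The second sample config is the case a simple DVN count misses: two required DVNs that share an operator still leave one party able to forge a message.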
The Cashout: Unbacked Collateral Meets a Ready Lending Market
The attacker didn’t try to sell 116,500 rsETH into DEX liquidity. That would have crashed the price inside the first block and capped the extraction at whatever the curves could absorb. Instead, they did the thing every post-2024 exploit playbook describes: they used the tokens as collateral.
According to on-chain accounting compiled by Chaos Labs and cross-checked against the adapter events:
- On Aave V3/V4 Ethereum, the attacker supplied rsETH and borrowed 52,834 WETH.
- On Aave V3/V4 Arbitrum, they bridged a portion of the stolen supply and borrowed 29,782 WETH plus 821 wstETH.
- Smaller positions were opened on Compound V3 and Euler before those markets were frozen, adding an undisclosed additional slice of WETH/ETH borrows on top of the Aave numbers.
Total extracted value sits in the $200M–$236M range depending on exact execution prices and the wstETH mark. That’s the money that actually left the attacker’s address as borrowed liquidity. A portion of the borrowed funds was then routed through Tornado Cash (ZachXBT flagged the first mixer-bound hops within twenty minutes of the drain), while the rest sits in wallets on-chain sleuths are actively tracking.
KelpDAO’s operations multisig paused the rsETH contracts on Ethereum and every L2 where the adapter was deployed within 46 minutes of the initial mint. That pause stopped any follow-up forgery and prevented the attacker from minting a second tranche. It didn’t, and couldn’t, reverse the positions already opened on third-party lenders.
The Blast Radius: Who Actually Got Hit
The exploit was tightly contained at the smart-contract layer. Core EigenLayer pools, rsETH’s underlying backing, and LayerZero’s non-Kelp traffic were untouched. But rsETH had been so thoroughly composed into DeFi that the forced pause rippled outward immediately.
Aave took the brunt. rsETH was an accepted collateral asset across V3 and V4 instances on both Ethereum and Arbitrum. Within hours, Aave’s risk team froze every rsETH market and pushed a public message urging WETH suppliers to pull their liquidity while the situation was being scoped. Marc Zeller and Chaos Labs both confirmed the exploit itself didn’t touch any Aave contract. The risk is purely that the collateral backing the attacker’s ~$200M in borrows is now known to be worthless. The AAVE governance token traded off roughly 10% in the hours after the news broke, reflecting market uncertainty about how much of the deficit lands on token holders versus Umbrella stakers.
SparkLend, Fluid, and Upshift froze or paused rsETH positions on the same timeline. Compound V3 and Euler paused new rsETH borrows after the first attacker positions were opened.
Yield venues and structured products cut exposure the moment the news hit X:
- Ethena paused rsETH usage in its vaults.
- Yearn froze any vault with rsETH allocations.
- Pendle paused its rsETH PT/YT markets to stop mispriced trading during the chaos.
- Beefy froze rsETH-denominated strategies.
- Lombard Finance preemptively paused unrelated LayerZero LBTC routes “out of caution,” which tells you something about the current level of trust in OFT configurations industry-wide.
The knock-on damage runs deepest on the roughly 20 L2s and sidechains where rsETH was bridged. Because the minted supply on Ethereum is now partially unbacked, every wrapped derivative downstream is structurally impaired. Holders of rsETH on Arbitrum, Base, Mantle, Linea, and the other bridged chains are sitting on tokens that can no longer be confidently redeemed against a 1:1 claim on Ethereum escrow. Withdrawals are paused, liquidity has evacuated DEX pools, and any lending market on those chains that accepted wrapped rsETH as collateral is running into the same bad-debt math Aave is running into on mainnet, just at smaller scale.
Untouched: stETH, wstETH, rETH, cbETH, and every other major LST/LRT outside of KelpDAO. There is no systemic restaking contagion here. The failure is specific to one adapter, one DVN, one trust model.
The $177M That Aave Has to Cover
The Aave bad debt number being quoted by every serious on-chain analyst is roughly $177 million, sitting in the WETH reserves across V3 and V4 on Ethereum and Arbitrum. The range from different sources runs $177M–$196M depending on exactly how the partial liquidations and wstETH marks are accounted for. $177M is the median figure from Chaos Labs’ real-time reporting, and the one most post-mortems will anchor to.
That deficit is what Aave’s Umbrella module exists for.
Umbrella is the on-chain risk backstop that replaced the old Safety Module in mid-2025. The old Safety Module required a governance vote to slash stakers, which meant that in practice it had never actually been slashed. It was a theoretical insurance fund. Umbrella is different by design:
- Per-asset isolation. When you stake into Umbrella, you stake into a specific asset vault on a specific network. If you’re in the WETH Umbrella on Ethereum, you cover WETH deficits on that instance and nothing else. USDC stakers, GHO stakers, and Arbitrum vaults are untouched.
- Automated slashing. A contract called UmbrellaCore monitors realized bad debt in the corresponding Aave reserve. When the recorded deficit crosses a configurable threshold (the “deficit offset,” currently 100,000 units of the base asset, absorbed by the DAO Collector first), UmbrellaCore permissionlessly calls slash() on the relevant StakeToken contract. No governance vote, no delay.
- Pro-rata dilution. Slashing burns a proportional share of the vault’s underlying assets and sends them to the Collector, which then repays the pool. Every staker’s share value drops by the same percentage. There are no individual liquidations.
- 20-day cooldown. You can’t exit the vault instantly. Once you request withdrawal, you remain fully exposed (and fully rewarded) for 20 days. This is the structural reason bank-run dynamics can’t short-circuit the backstop.
- Minimum assets floor. The contract refuses to drain the vault below a minimum level, and slashing is capped at the actual recorded deficit.
The combined WETH Umbrella vaults across Ethereum and Arbitrum were estimated at roughly $260M in TVL heading into the weekend. If the $177M deficit is recorded in full and split across those two vaults in proportion to their respective borrows, the slash ratio lands somewhere in the 60–70% range on the affected vaults. Stakers in the hit vaults lose roughly two-thirds of their position overnight, automatically, with no vote. The remaining third keeps earning the emissions and aWETH yield that was always the reason they were in the vault to begin with.
The DAO’s $100K deficit offset is effectively a rounding error against $177M. The only way the hit lands anywhere other than on Umbrella WETH stakers is if KelpDAO socializes a meaningful portion of the loss on its side, most likely by haircutting wrapped rsETH on bridged chains rather than touching the mainnet token, which would reduce Aave’s net exposure before slashing executes.
The Hierarchy of Pain
Strip away the dashboards and there’s a clean ranking of who actually absorbs the $292M.
Tier 1: Aave Umbrella WETH stakers on Ethereum and Arbitrum. They signed up to be the first-loss backstop in exchange for extra yield on top of the aWETH supply rate. That trade-off is now live. Loss is immediate, pro-rata, and confined to each specific per-network vault. Umbrella’s isolation means WETH stakers on Ethereum and WETH stakers on Arbitrum each absorb the deficit recorded on their own chain separately, and no other asset vault (USDC, GHO, etc.) is touched at all.
Tier 2: rsETH holders on bridged chains. An 18% supply inflation at the Ethereum layer translates to structurally impaired wrapped rsETH everywhere else. The recovery plan analysts are modeling, which KelpDAO has not yet officially committed to, is a selective socialization that haircuts the bridged-chain float while leaving Ethereum mainnet rsETH as close to whole as possible. The math and the legal optics both favor pushing losses onto the smaller, more diffuse holder base rather than the mainnet holders sitting on the largest pools and the loudest megaphones. Rough modeling puts a haircut on bridged positions somewhere around the 15–20% range, with the exact number depending on whether KelpDAO chooses to top up partial compensation from treasury.
Tier 3: Leveraged rsETH loopers. The standard LRT trade through April was borrowing WETH against rsETH on Aave or Spark to loop into more rsETH, earning the spread between staking yield (~2.5% blended) and ETH borrow rates. With rsETH frozen and ETH borrow rates spiking into the 8–9% range on the utilization crunch, these positions are burning equity by the hour and can’t be unwound without manual intervention. Some will end up undercollateralized during the unwind and generate secondary bad debt on whichever lender they sit on.
Tier 4: Aave WETH suppliers who aren’t in Umbrella. Only exposed if Umbrella’s floor is hit before the deficit is covered, which the current TVL math makes unlikely. The risk is real but capped. The incentive to withdraw is mostly about opportunity cost. Earning ~2% on WETH in a pool that’s frozen at high utilization while slashing executes is not a great place to be.
Tier 5: Everyone else. KelpDAO the DAO will likely spend treasury on partial compensation. LayerZero will eat reputational damage and is under obvious pressure to tighten its default DVN recommendations in the aftermath. Competing LRT protocols (Ether.fi, Renzo, Puffer) are not directly exposed, but the whole category is going to see users reassess bridge security, with an advantage to issuers already running multi-DVN or alternative messaging layers.
The Uncomfortable Questions
Why was a $1B protocol running a 1-of-1 DVN? LayerZero’s own security model gives applications full control over their verifier stack precisely so they can match it to the value they’re securing, and multi-DVN setups have been the standard recommendation for any OFT handling significant value. Somebody at KelpDAO, at an advising firm, or at an integrator signed off on a single-DVN production config for a token that had grown to over $1B in TVL. That decision is now the story, not LayerZero’s protocol design.
Were the DVN keys actually compromised, or was the attestation logic bypassed some other way? Both KelpDAO and LayerZero have promised a root-cause post-mortem. The forensic question that matters for every other OFT in production is whether the LayerZero Labs DVN key material leaked, a signer was socially engineered, or a signature-forging bug existed upstream. The answer determines whether every other 1-of-1 OFT on LayerZero is currently exposed. And there are many.
How did audits miss this? They probably didn’t. The bridge adapter code is standard LayerZero OFT boilerplate; there’s nothing wrong with the contract. The fault is in the deployment configuration, which sits outside the usual scope of a Solidity audit. Config reviews are a much newer discipline, and this exploit is going to accelerate that market considerably.
What does Aave do about LRTs as collateral going forward? This is the second time in 2026 that an LRT collateral accepted on Aave has produced a nine-figure incident downstream of a non-Aave failure. Risk parameters will tighten, loan-to-value ratios on restaking collateral will come down, and the debate over whether LRTs should be isolation-mode-only on every major lending market is going to get louder.
What does this mean for LayerZero’s institutional pitch? LayerZero has been positioning itself as the messaging layer for traditional finance’s tokenization rollout. A production failure at this scale, in a configuration that was always within the application developer’s control rather than an inherent protocol flaw, is a setback, but it’s also a case study. If the post-mortem is clean, defaults tighten, and existing OFTs migrate to multi-DVN stacks quickly, the damage is contained. If it drags out, the institutional counterparty diligence LayerZero has spent two years building up takes a real hit.
The Lesson That Keeps Repeating
Every nine-figure DeFi incident of the last two years has the same structural shape. The core protocol does what it’s supposed to do. Some privileged component on the edge, whether that’s an off-chain signer, a bridge validator, an operator key, or a configuration that was supposed to be temporary, carries more trust than the rest of the stack was aware of. Somebody figures out where that concentration sits, and the full weight of the composed system falls through it.
The Resolv USR exploit in March was a single-signer SERVICE_ROLE that could mint arbitrary amounts of a stablecoin. The KelpDAO exploit is a single-verifier DVN that could authorize arbitrary cross-chain releases. Different protocol, different token class, identical architectural shape: one key, no meaningful check beyond it, and a downstream composability layer that had already assumed the thing behind the key was sound.
The LRT category in particular has spent the last year adding more layers (more chains, more wrappers, more lending integrations, more yield vaults that lend against vaults that lend against wrappers) on top of a base that is fundamentally a three-way trust assumption between the staker, the restaker, and the bridge. Each additional layer compounds yield by a handful of basis points. Each additional layer also compounds the attack surface in ways that are hard to price. The rsETH supply on the 20 bridged chains wasn’t a feature. It was a liability that grew quietly until one forged packet turned it all into bad debt.
The practical takeaway for anyone actually using this stuff is narrow and boring: before you treat a bridged LRT as interchangeable with its mainnet counterpart, look at the bridge’s verifier configuration. Lenders integrating LRTs as collateral have to reckon with a simple fact: the counterparty isn’t the LRT issuer alone. It’s the LRT issuer plus whatever messaging stack sits between mainnet and wherever the wrapped token shows up. At the ecosystem level, the boring parts of security (key management, config reviews, multi-party attestation) are where the next nine-figure incident is going to come from too. Until someone finally makes the boring parts the default.
Aave will recover. Umbrella stakers will take the hit they volunteered for, and the system will prove out the thesis that automated, isolated, real-money backstops are better than governance-gated ones. rsETH will either migrate to a multi-DVN stack or lose meaningful share to the LRT competitors that already run one. LayerZero will quietly tighten its defaults. And the next exploit will come from whichever protocol hasn’t yet asked the question: “what single key is currently trusted to authorize nine figures on our system?”
That’s the question every DeFi product owner should be writing down today.