The KelpDAO rsETH Exploit: $292M Minted From a 1-of-1 Bridge

Nick Sawinyh on 18 Apr 2026

At 17:35 UTC on Saturday, April 18, 2026, someone minted 116,500 rsETH on Ethereum mainnet that had no backing behind it. That’s roughly 18% of KelpDAO’s entire circulating supply, worth about $292 million at the time the forged LayerZero packet cleared. Within minutes it was sitting as collateral on Aave, borrowing WETH against itself. Within an hour it had produced the largest single DeFi extraction of 2026 so far.

This piece was written in the first evening after the drain. KelpDAO and LayerZero have both promised post-mortems; final numbers on bad debt, compensation, and any supply migration will shift over the coming days. Treat the specific figures below as the best on-chain and analyst estimates available as of April 18–19, 2026.

The restaking contracts didn’t fail. The EigenLayer delegations are still intact. Mainnet rsETH is still backed by the legitimate user deposits sitting in KelpDAO’s node delegators. The core product was fine. What broke was the bridge — a LayerZero OFT adapter running on a one-of-one validator stack, which let a single forged signature instruct the adapter’s mainnet escrow to release tokens that shouldn’t have moved. Everything downstream is composability fallout.

Here is what happened, what broke, and who actually pays.

What KelpDAO Is, and Why the Bridge Mattered

KelpDAO is one of the larger liquid restaking token (LRT) protocols built on EigenLayer. Users deposit ETH or a whitelisted LST, the protocol delegates to a set of EigenLayer operators, and users receive rsETH: a token representing a claim on the restaked position plus accrued yield. By April, rsETH had crossed $1 billion in TVL and was integrated as collateral across most of the major lending markets and yield venues in DeFi.

rsETH lives natively on Ethereum, where the restaking contracts sit. But its utility depends on being everywhere: Arbitrum, Base, Mantle, Unichain, Linea, and roughly a dozen other L2s and sidechains. KelpDAO uses a LayerZero OFT (Omnichain Fungible Token) adapter to move rsETH across chains. The adapter is the bridge. When rsETH leaves Ethereum, it’s locked in an escrow contract on mainnet, and a matching amount is minted on the destination chain. When a cross-chain message comes back, the escrow releases.

That escrow release is what got spoofed.

The Attack: A Single Forged lzReceive Call

The entire drain happened in one transaction:

0x1ae232da212c45f35c1525f851e4c41d529bf18af862d9ce9fd40bf709db4222

The call landed on LayerZero’s EndpointV2 contract at 0x1a44076050125825900e736c501f859c50fE728c with a forged origin packet claiming to come from source Endpoint ID (EID) 30320. The endpoint passed the payload to KelpDAO’s rsETH OFT adapter at 0x85d456B2DfF1fd8245387C0BfB64Dfb700e98Ef3. The adapter, trusting the message, released 116,500 rsETH from escrow into attacker address 0x8B1b6c9A6DB1304000412dd21Ae6A70a82d60D3b. One Transfer, one OFTReceived, one PacketDelivered. Roughly $292 million.

The forgery worked because the adapter’s security stack was configured to accept the attestation of a single verifier. LayerZero’s OApp configuration model lets the application developer choose how many “DVNs” (Decentralized Verifier Networks) must sign off on an incoming message before it’s delivered, plus any optional verifiers. For the rsETH OFT, both sender-side and receiver-side configs read the same way:

  • requiredDVNs: [LayerZero Labs]
  • requiredDVNCount: 1
  • optionalDVNs: []
  • optionalDVNCount: 0

The sender-side DVN contract (0x282b3386571f7f794450d5789911a9804fa346b4) and the receiver-side DVN (0x589dedbd617e0cbcb916a9223f4d1300c294236b) both ran a one-of-one validator stack operated by LayerZero Labs. One forged signature was enough to make any cross-chain message look real. An entirely legitimate rsETH transaction had settled through the exact same DVN two days earlier, so this wasn’t a dormant testnet artifact; it was the live production setup.

On-chain analyst @senamakel was the first to post the OApp config publicly, roughly three hours after the drain. A follow-up reply from researcher @BranchM in the same thread clarified something important: the compromise wasn’t Unichain-specific. The DVN contract and its signing keys sit on Ethereum, so the attacker could have spoofed any source chain the adapter trusted. Changing the source EID from Unichain to Arbitrum would have produced the same outcome. The DVN itself was the single point of failure; the source chain was cosmetic.

LayerZero’s protocol wasn’t broken. The configuration KelpDAO (and whoever advised them) deployed was. A multi-DVN stack, typically two-of-three or three-of-five in production deployments handling significant value, would have required the attacker to compromise multiple independent verifier networks simultaneously. They only had to compromise one.
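One way to review a verifier stack like the one listed above, as an added example (not code from the article, KelpDAO or LayerZero): it counts how many distinct operators would have to be compromised before a message is attested, using the four fields quoted above plus LayerZero's optionalDVNThreshold field, which the article does not quote. The DVN-to-operator map, the placeholder addresses and the two-operator policy are assumptions.

```python
from itertools import combinations

# Sender- and receiver-side DVN addresses as quoted in the article.
LZ_SEND_DVN = "0x282b3386571f7f794450d5789911a9804fa346b4"
LZ_RECV_DVN = "0x589dedbd617e0cbcb916a9223f4d1300c294236b"
DVN_B, DVN_C, DVN_D = ("0x" + c * 40 for c in "bcd")  # constructed placeholders
# Hypothetical DVN -> operator map; in a real review this comes from due diligence.
OPERATORS = {LZ_SEND_DVN: "LayerZero Labs", LZ_RECV_DVN: "LayerZero Labs",
             DVN_B: "operator-b", DVN_C: "operator-c", DVN_D: "operator-b"}

# The rsETH OFT receive config as the article lists it; the send side reads the same.
AS_DESCRIBED = {"requiredDVNs": [LZ_RECV_DVN], "requiredDVNCount": 1,
                "optionalDVNs": [], "optionalDVNCount": 0}
AS_DESCRIBED_SEND = dict(AS_DESCRIBED, requiredDVNs=[LZ_SEND_DVN])
# Constructed alternative: one required DVN plus 1-of-2 optional DVNs.
HARDENED = {"requiredDVNs": [LZ_RECV_DVN], "requiredDVNCount": 1,
            "optionalDVNs": [DVN_B, DVN_C], "optionalDVNCount": 2,
            "optionalDVNThreshold": 1}
# Constructed trap: two DVN contracts with one operator behind both.
SAME_OPERATOR = {"requiredDVNs": [DVN_B, DVN_D], "requiredDVNCount": 2,
                 "optionalDVNs": [], "optionalDVNCount": 0}


def min_operators_to_attest(cfg, operator_of):
    """Fewest distinct operators that can satisfy the stack on their own:
    every required DVN plus `optionalDVNThreshold` of the optional ones."""
    # A DVN missing from the map is treated as its own operator (assumption).
    op = lambda addr: operator_of.get(addr.lower(), addr.lower())
    base = {op(a) for a in cfg["requiredDVNs"]}
    threshold = cfg.get("optionalDVNThreshold", 0)
    if threshold == 0:
        return len(base)
    return min(len(base | {op(a) for a in pick})
               for pick in combinations(cfg["optionalDVNs"], threshold))


def audit_pathway(cfg, operator_of, min_operators=2):
    """Findings for one send or receive config; an empty list means it passes."""
    findings = []
    if cfg["requiredDVNCount"] != len(cfg["requiredDVNs"]):
        findings.append("requiredDVNCount does not match requiredDVNs")
    if cfg["optionalDVNCount"] != len(cfg["optionalDVNs"]):
        findings.append("optionalDVNCount does not match optionalDVNs")
    if cfg.get("optionalDVNThreshold", 0) > len(cfg["optionalDVNs"]):
        return findings + ["optional threshold exceeds the optional DVN list"]
    n = min_operators_to_attest(cfg, operator_of)
    if n < min_operators:
        findings.append(f"{n} operator(s) can attest alone; policy needs {min_operators}")
    return findings


def audit_oapp(pathways, operator_of, min_operators=2):
    """pathways: {eid: {"send": cfg, "receive": cfg}} -> {(eid, side): findings}."""
    report = {}
    for eid, sides in pathways.items():
        for side, cfg in sides.items():
            findings = audit_pathway(cfg, operator_of, min_operators)
            if findings:
                report[(eid, side)] = findings
    return report


if __name__ == "__main__":
    # 30320 is the source EID the article quotes for the forged packet.
    print(audit_oapp({30320: {"send": AS_DESCRIBED_SEND, "receive": AS_DESCRIBED}}, OPERATORS))
```

The SAME_OPERATOR case is the one a count-only review misses: requiredDVNCount is 2, yet one operator still attests alone.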

The Cashout: Unbacked Collateral Meets a Ready Lending Market

The attacker didn’t try to sell 116,500 rsETH into DEX liquidity. That would have crashed the price inside the first block and capped the extraction at whatever the curves could absorb. Instead, they did the thing every post-2024 exploit playbook describes: they used the tokens as collateral.

According to on-chain accounting compiled by Chaos Labs and cross-checked against the adapter events:

  • On Aave V3/V4 Ethereum, the attacker supplied rsETH and borrowed 52,834 WETH.
  • On Aave V3/V4 Arbitrum, they bridged a portion of the stolen supply and borrowed 29,782 WETH plus 821 wstETH.
  • Smaller positions were opened on Compound V3 and Euler before those markets were frozen, adding an undisclosed additional slice of WETH/ETH borrows on top of the Aave numbers.

Total extracted value sits in the $200M–$236M range depending on exact execution prices and the wstETH mark. That’s the money that actually left the attacker’s address as borrowed liquidity. A portion of the borrowed funds was then routed through Tornado Cash (ZachXBT flagged the first mixer-bound hops within twenty minutes of the drain), while the rest sits in wallets on-chain sleuths are actively tracking.

KelpDAO’s operations multisig paused the rsETH contracts on Ethereum and every L2 where the adapter was deployed within 46 minutes of the initial mint. That pause stopped any follow-up forgery and prevented the attacker from minting a second tranche. It didn’t, and couldn’t, reverse the positions already opened on third-party lenders.

The Blast Radius: Who Actually Got Hit

The exploit was tightly contained at the smart-contract layer. Core EigenLayer pools, rsETH’s underlying backing, and LayerZero’s non-Kelp traffic were untouched. But rsETH had been so thoroughly composed into DeFi that the forced pause rippled outward immediately.

Aave took the brunt. rsETH was an accepted collateral asset across V3 and V4 instances on both Ethereum and Arbitrum. Within hours, Aave’s risk team froze every rsETH market and pushed a public message urging WETH suppliers to pull their liquidity while the situation was being scoped. Marc Zeller and Chaos Labs both confirmed the exploit itself didn’t touch any Aave contract. The risk is purely that the collateral backing the attacker’s ~$200M in borrows is now known to be worthless. The AAVE governance token traded off roughly 10% in the hours after the news broke, reflecting market uncertainty about how much of the deficit lands on token holders versus Umbrella stakers.

SparkLend, Fluid, and Upshift froze or paused rsETH positions on the same timeline. Compound V3 and Euler paused new rsETH borrows after the first attacker positions were opened.

Yield venues and structured products cut exposure the moment the news hit X:

  • Ethena paused rsETH usage in its vaults.
  • Yearn froze any vault with rsETH allocations.
  • Pendle paused its rsETH PT/YT markets to stop mispriced trading during the chaos.
  • Beefy froze rsETH-denominated strategies.
  • Lombard Finance preemptively paused unrelated LayerZero LBTC routes “out of caution,” which tells you something about the current level of trust in OFT configurations industry-wide.

The knock-on damage runs deepest on the roughly 20 L2s and sidechains where rsETH was bridged. Because the minted supply on Ethereum is now partially unbacked, every wrapped derivative downstream is structurally impaired. Holders of rsETH on Arbitrum, Base, Mantle, Linea, and the other bridged chains are sitting on tokens that can no longer be confidently redeemed against a 1:1 claim on Ethereum escrow. Withdrawals are paused, liquidity has evacuated DEX pools, and any lending market on those chains that accepted wrapped rsETH as collateral is running into the same bad-debt math Aave is running into on mainnet, just at smaller scale.

Untouched: stETH, wstETH, rETH, cbETH, and every other major LST/LRT outside of KelpDAO. There is no systemic restaking contagion here. The failure is specific to one adapter, one DVN, one trust model.

The $177M Bad Debt vs a $56M Umbrella

The Aave bad debt number being quoted by every serious on-chain analyst is roughly $177 million, sitting in the WETH reserves across V3 and V4 on Ethereum and Arbitrum, plus a small wstETH slice on Arbitrum. The range from different sources runs $177M–$196M depending on exactly how partial liquidations and wstETH marks are accounted for. $177M is the median figure from Chaos Labs’ real-time reporting, and the one most post-mortems will anchor to.

That deficit is what Aave’s Umbrella module was built for. The awkward part is that Umbrella currently only runs on Ethereum mainnet.

Umbrella is the on-chain risk backstop that replaced the old Safety Module in mid-2025. The old Safety Module required a governance vote to slash stakers, which meant that in practice it had never actually been slashed. It was a theoretical insurance fund. Umbrella is different by design:

  • Per-asset, per-network isolation. Stakers deposit into a specific asset vault on a specific network. The WETH vault on Ethereum covers WETH deficits on Aave Ethereum and nothing else. USDC and GHO stakers are untouched.
  • Ethereum-only, for now. Umbrella launched on mainnet in mid-2025 and has not yet been deployed to Arbitrum, Base, or any other network. Bad debt recorded on a non-Ethereum Aave instance falls back to legacy cover-of-last-resort: the DAO Collector first, then AAVE token issuance via governance, then pro-rata socialization onto suppliers if those prove insufficient.
  • Automated slashing. UmbrellaCore monitors realized bad debt in the corresponding Aave reserve. When the recorded deficit crosses a configurable threshold (the “deficit offset,” currently 100,000 units of the base asset, absorbed by the DAO Collector first), UmbrellaCore permissionlessly calls slash() on the relevant StakeToken contract. No governance vote, no delay.
  • Pro-rata dilution. Slashing burns a proportional share of the vault’s underlying assets and sends them to the Collector, which repays the pool. Every staker’s share value drops by the same percentage.
  • 20-day cooldown. You can’t exit instantly. Once you request withdrawal, you remain fully exposed (and fully rewarded) for 20 days. This is the structural reason bank-run dynamics can’t short-circuit the backstop.
  • Minimum assets floor. The contract refuses to drain the vault below a minimum level, and slashing is capped at the actual recorded deficit.

The Ethereum WETH Umbrella vault was carrying roughly $56M in TVL heading into the weekend. The attacker’s borrows split roughly 52,834 WETH on Ethereum versus 29,782 WETH and 821 wstETH on Arbitrum, which maps the $177M deficit to something like ~$113M on Ethereum WETH, ~$64M on Arbitrum WETH, and a few million in Arbitrum wstETH. The Ethereum slice alone is roughly twice the size of the Umbrella vault standing against it.

The slash math is therefore brutal and simple. Umbrella gets fully drained — the entire $56M vault slashed down to its minimum-assets floor — and still leaves roughly $55M of residual WETH bad debt on Ethereum uncovered. The Arbitrum deficit, roughly $67M combined across WETH and wstETH, has no Umbrella backstop at all and flows directly to DAO-level mechanisms. Net shortfall against Aave’s existing Umbrella capacity lands somewhere around $120M even after the Ethereum vault is wiped to the floor.

The DAO’s $100K deficit offset is a rounding error at that scale. The Collector balance helps, but not enough. That leaves two real levers for the residual: governance-authorized AAVE issuance (minting tokens, selling them, and pushing the proceeds into the Collector — the classic MakerDAO-style dilution playbook), or direct haircuts on WETH suppliers on the affected instances. AAVE issuance is the politically easier path and the one governance chatter is converging on, but the dilution burden shrinks meaningfully only if KelpDAO socializes a portion of the loss on its side, most likely by haircutting wrapped rsETH on bridged chains rather than touching the mainnet token.

The Hierarchy of Pain

Strip away the dashboards and there’s a clean ranking of who actually absorbs the $292M.

Tier 1: Aave Umbrella WETH stakers on Ethereum. They signed up to be the first-loss backstop in exchange for extra yield on top of the aWETH supply rate. That trade-off is now live, and not partially — the Ethereum WETH deficit is roughly twice the size of the vault, so the entire $56M gets slashed down to its minimum-assets floor. Loss is immediate, pro-rata, automatic, and close to total. Umbrella stakers in other assets (USDC, GHO) are untouched because of per-asset isolation.

Tier 2: AAVE token holders. Once Umbrella is exhausted, the ~$120M combined residual (Ethereum WETH remainder plus the entire Arbitrum deficit, which has no Umbrella backstop) has to come from somewhere. Governance is already discussing AAVE issuance as the primary cover mechanism, which dilutes existing holders. The ~10% AAVE drop in the hours after the exploit is the market pricing in exactly this scenario.

Tier 3: rsETH holders on bridged chains. An 18% supply inflation at the Ethereum layer translates to structurally impaired wrapped rsETH everywhere else. The recovery plan analysts are modeling, which KelpDAO has not yet officially committed to, is a selective socialization that haircuts the bridged-chain float while leaving Ethereum mainnet rsETH as close to whole as possible. The math and the legal optics both favor pushing losses onto the smaller, more diffuse holder base rather than the mainnet holders sitting on the largest pools and the loudest megaphones. Rough modeling puts a haircut on bridged positions somewhere around the 15–20% range, with the exact number depending on whether KelpDAO chooses to top up partial compensation from treasury.

Tier 4: Leveraged rsETH loopers. The standard LRT trade through April was borrowing WETH against rsETH on Aave or Spark to loop into more rsETH, earning the spread between staking yield (~2.5% blended) and ETH borrow rates. With rsETH frozen and ETH borrow rates spiking into the 8–9% range on the utilization crunch, these positions are burning equity by the hour and can’t be unwound without manual intervention. Some will end up undercollateralized during the unwind and generate secondary bad debt on whichever lender they sit on.

Tier 5: Aave WETH suppliers on Arbitrum. This is the tier Aave’s risk team was most worried about when they pushed the “withdraw” message on Friday. Arbitrum has no Umbrella backstop, so the DAO response determines whether suppliers there get made whole via AAVE issuance or forced to share the loss pro-rata. The longer governance takes, and the smaller KelpDAO’s socialization ends up being, the higher the probability that some portion of the Arbitrum hit lands on suppliers directly. Ethereum WETH suppliers face the same risk at a smaller scale only if AAVE issuance proves politically unworkable.

Tier 6: Everyone else. KelpDAO the DAO will likely spend treasury on partial compensation. LayerZero will eat reputational damage and is under obvious pressure to tighten its default DVN recommendations in the aftermath. Competing LRT protocols (Ether.fi, Renzo, Puffer) are not directly exposed, but the whole category is going to see users reassess bridge security, with an advantage to issuers already running multi-DVN or alternative messaging layers.

The Uncomfortable Questions

Why was a $1B protocol running a 1-of-1 DVN? LayerZero’s own security model gives applications full control over their verifier stack precisely so they can match it to the value they’re securing, and multi-DVN setups have been the standard recommendation for any OFT handling significant value. Somebody at KelpDAO, at an advising firm, or at an integrator signed off on a single-DVN production config for a token that had grown to over $1B in TVL. That decision is now the story, not LayerZero’s protocol design.

Were the DVN keys actually compromised, or was the attestation logic bypassed some other way? Both KelpDAO and LayerZero have promised a root-cause post-mortem. The forensic question that matters for every other OFT in production is whether the LayerZero Labs DVN key material leaked, a signer was socially engineered, or a signature-forging bug existed upstream. The answer determines whether every other 1-of-1 OFT on LayerZero is currently exposed. And there are many.

How did audits miss this? They probably didn’t. The bridge adapter code is standard LayerZero OFT boilerplate; there’s nothing wrong with the contract. The fault is in the deployment configuration, which sits outside the usual scope of a Solidity audit. Config reviews are a much newer discipline, and this exploit is going to accelerate that market considerably.

What does Aave do about LRTs as collateral going forward? This is the second time in 2026 that an LRT collateral accepted on Aave has produced a nine-figure incident downstream of a non-Aave failure. Risk parameters will tighten, loan-to-value ratios on restaking collateral will come down, and the debate over whether LRTs should be isolation-mode-only on every major lending market is going to get louder.

What does this mean for LayerZero’s institutional pitch? LayerZero has been positioning itself as the messaging layer for traditional finance’s tokenization rollout. A production failure at this scale, in a configuration that was always within the application developer’s control rather than an inherent protocol flaw, is a setback, but it’s also a case study. If the post-mortem is clean, defaults tighten, and existing OFTs migrate to multi-DVN stacks quickly, the damage is contained. If it drags out, the institutional counterparty diligence LayerZero has spent two years building up takes a real hit.

The Lesson That Keeps Repeating

Every nine-figure DeFi incident of the last two years has the same structural shape. The core protocol does what it’s supposed to do. Some privileged component on the edge, whether that’s an off-chain signer, a bridge validator, an operator key, or a configuration that was supposed to be temporary, carries more trust than the rest of the stack was aware of. Somebody figures out where that concentration sits, and the full weight of the composed system falls through it.

The Resolv USR exploit in March was a single-signer SERVICE_ROLE that could mint arbitrary amounts of a stablecoin. The KelpDAO exploit is a single-verifier DVN that could authorize arbitrary cross-chain releases. Different protocol, different token class, identical architectural shape: one key, no meaningful check beyond it, and a downstream composability layer that had already assumed the thing behind the key was sound.

The LRT category in particular has spent the last year adding more layers (more chains, more wrappers, more lending integrations, more yield vaults that lend against vaults that lend against wrappers) on top of a base that is fundamentally a three-way trust assumption between the staker, the restaker, and the bridge. Each additional layer compounds yield by a handful of basis points. Each additional layer also compounds the attack surface in ways that are hard to price. The rsETH supply on the 20 bridged chains wasn’t a feature. It was a liability that grew quietly until one forged packet turned it all into bad debt.

The practical takeaway for anyone actually using this stuff is narrow and boring: before you treat a bridged LRT as interchangeable with its mainnet counterpart, look at the bridge’s verifier configuration. Lenders integrating LRTs as collateral have to reckon with a simple fact: the counterparty isn’t the LRT issuer alone. It’s the LRT issuer plus whatever messaging stack sits between mainnet and wherever the wrapped token shows up. At the ecosystem level, the boring parts of security (key management, config reviews, multi-party attestation) are where the next nine-figure incident is going to come from too. Until someone finally makes the boring parts the default.

Aave will recover. Umbrella stakers on Ethereum will take the full hit they volunteered for, the DAO will vote AAVE issuance to cover the residual the vault couldn’t absorb, and the event will accelerate Umbrella’s expansion to every network that wasn’t covered this weekend. rsETH will either migrate to a multi-DVN stack or lose meaningful share to the LRT competitors that already run one. LayerZero will quietly tighten its defaults. And the next exploit will come from whichever protocol hasn’t yet asked the question: “what single key is currently trusted to authorize nine figures on our system?”

That’s the question every DeFi product owner should be writing down today.


About the author
Nick Sawinyh
Nick Sawinyh founded DeFiprime in 2019 and has edited it ever since. His current editorial focus is stablecoin infrastructure, real-world assets on-chain, DeFi yield and risk, and crypto regulation. Based on the East Coast, US. He holds small positions across a range of crypto assets; nothing he publishes is investment advice.
