$292M Kelp DAO Hack Exposes Cross-Chain Security Gap, Threatens DeFi Users Across South Asia and Africa
A North Korea-linked attack on a Bengaluru-founded protocol has triggered the largest DeFi exploit of 2026, wiping more than $13 billion in total value locked across the sector and raising urgent questions about industry safety standards.
On April 18, 2026, at 17:35 UTC, attackers drained 116,500 rsETH (restaked ETH tokens worth roughly $292 million) from Kelp DAO's cross-chain bridge infrastructure, which runs on the LayerZero messaging protocol. The stolen assets were spread across more than 20 blockchain networks including Base, Arbitrum, Linea, and Blast. LayerZero has attributed the attack to North Korea's Lazarus Group, an assessment corroborated by CryptoBriefing. The exploit surpasses Drift Protocol's $285 million loss on April 1 as the largest DeFi hack of the year. The drain began on April 18 UTC; some reports date it to April 19 because of local time zones.
How the Attack Worked
rsETH is a Liquid Restaking Token issued by Kelp DAO as a receipt for ETH deposited through EigenLayer, and it is this token that attackers targeted in the breach.
The breach did not involve a flaw in Kelp's smart contracts. Instead, attackers targeted the infrastructure that Kelp used to verify messages between blockchains. According to Halborn's post-incident analysis, the attackers first poisoned two RPC nodes (the data servers LayerZero's verification system relied on for cross-chain validation), then knocked legitimate nodes offline using a distributed denial-of-service attack. With only attacker-controlled nodes remaining active, fraudulent transfer authorizations were injected into the system, releasing rsETH into attacker wallets. Malware then deleted itself and erased local logs to obscure the trail.
The core vulnerability was Kelp's "1-of-1 DVN" configuration. In LayerZero's architecture, a Decentralized Verifier Network (DVN) approves cross-chain messages before assets move. A 1-of-1 setup means a single node holds that approval authority with no independent validator to check it. Kelp's security team triggered an emergency pause at 18:21 UTC, 46 minutes after the initial drain, blocking two subsequent attempts that would have added roughly $95 million in losses. Arbitrum has since frozen $71 million in ETH connected to the exploit.
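The difference between a 1-of-1 and a multi-verifier configuration can be shown with a simplified model. This is an added example, not LayerZero or Kelp DAO code; the DVN names, message fields and hash format are assumptions made for illustration, and the attestations are constructed sample data.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    dvn: str           # verifier identity (hypothetical name)
    payload_hash: str  # hash of the message this verifier says it observed


def payload_hash(src_chain: str, nonce: int, recipient: str, amount: int) -> str:
    """Illustrative message digest; the real wire format is not modelled."""
    return hashlib.sha256(f"{src_chain}|{nonce}|{recipient}|{amount}".encode()).hexdigest()


def is_verified(msg_hash, attestations, trusted_dvns, threshold):
    """Accept only if `threshold` distinct trusted DVNs attested to this exact hash."""
    if not 1 <= threshold <= len(trusted_dvns):
        raise ValueError("threshold must be between 1 and the number of trusted DVNs")
    signers = {a.dvn for a in attestations
               if a.dvn in trusted_dvns and a.payload_hash == msg_hash}
    return len(signers) >= threshold


def audit_config(trusted_dvns, threshold):
    """Return findings for a verifier configuration; an empty list means none."""
    findings = []
    if threshold == 1:
        findings.append("one verifier can approve a transfer on its own")
    if len(trusted_dvns) < 2:
        findings.append("no independent verifier is configured")
    return findings


# Constructed scenario: no such transfer exists on the source chain, but the
# data feeding dvn-a was tampered with, so dvn-a attests to it (twice).
FORGED = payload_hash("remote-chain", 7, "0xRECIPIENT_PLACEHOLDER", 116_500)
ATTESTATIONS = [Attestation("dvn-a", FORGED), Attestation("dvn-a", FORGED)]

ONE_OF_ONE = ({"dvn-a"}, 1)
TWO_OF_THREE = ({"dvn-a", "dvn-b", "dvn-c"}, 2)

if __name__ == "__main__":
    for name, (dvns, k) in [("1-of-1", ONE_OF_ONE), ("2-of-3", TWO_OF_THREE)]:
        print(name, "accepted:", is_verified(FORGED, ATTESTATIONS, dvns, k),
              "findings:", audit_config(dvns, k))
```

Under the 1-of-1 configuration the single misled verifier is enough to accept the message; under 2-of-3 the same attestations fall short, and the duplicate from dvn-a is counted once.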
A Public Dispute Over Who Set the Trap
LayerZero co-founder Bryan Pellegrino stated that Kelp chose the 1-of-1 configuration and that a properly secured setup would have required consensus across multiple independent validators. LayerZero also issued a direct statement on the incident: "We're fully aware of the rsETH exploit and have been in active remediation with the team since the incident and continue to monitor."
Kelp DAO replied that the single-verifier setup is what LayerZero's own documentation describes as the default configuration for any new token deployment, and that the setup was explicitly confirmed as appropriate when Kelp expanded to Layer 2 networks.
Kelp also noted that approximately 40 percent of all protocols currently deployed on LayerZero use the same 1-of-1 configuration, framing the issue as a systemic standard rather than an isolated mistake. Chainlink community liaison Zach Rynes criticized LayerZero for "throwing KelpDAO under the bus" for trusting a setup that LayerZero itself ships as the default, willingly supports, and only blocked after getting hacked. Yearn Finance developer banteg confirmed through a review of LayerZero's public deployments that single-source verification is indeed the default on multiple chains.
Community reaction was fierce. One pseudonymous developer drew on a roller-coaster analogy to characterize the sector's approach to security, arguing that shipping unsafe defaults and blaming users when they fail is the defining pattern of the current DeFi era. Justin Sun made a public on-chain appeal to the attacker to negotiate a return of funds. Josu San Martin described the situation facing users who had borrowed stablecoins against their now-frozen rsETH collateral as "a full-on run on Aave." Industry publication The Block characterized the episode as evidence of an "industry of clowns," a framing that cuts sharply but reflects a genuine systemic frustration: the 1-of-1 DVN default that enabled this exploit was not a secret or obscure edge case. It was the standard starting point for any new LayerZero deployment.
Ari Redbord of TRM Labs offered a blunt structural assessment: "When the security model of a $300 million issuer reduces to one validator's signing key, the attack surface stops being technical and becomes structural."
Contagion Hits Aave, $13 Billion Exits DeFi
The stolen rsETH did not sit idle. Attackers deposited it into Aave V3 as collateral and borrowed an estimated $190 to $196 million in WETH and wstETH against it, creating a block of effectively unbacked debt on one of DeFi's largest lending platforms. The scale of the exposure becomes clearer in context: Aave carried $17.82 billion in outstanding borrows at the time of the exploit, with Ethereum accounting for $14.24 billion of that total, and WETH representing 39.49 percent of all active Aave loans. Unbacked collateral at that volume threatened to destabilize a significant share of the platform's core activity.
Aave founder Stani Kulechov confirmed that Aave's own contracts were not compromised, but Aave's incident report identified potential bad debt ranging from $123 million (spread across all rsETH holders) to $230 million (concentrated in Layer 2 deployments). Aave V3 and V4, SparkLend, Fluid, Upshift, Lido Finance's earnETH product, Ethena OFT bridges, and several other protocols froze their rsETH markets. Aave's total value locked fell from roughly $26.4 billion before the hack to between $17.7 and $20 billion within 48 hours, and the AAVE token dropped between 16 and 20 percent. Across all of DeFi, total value locked shed more than $13 billion in two days.
Why This Matters for Users in Nigeria, Kenya, India, and Beyond
Kelp DAO was co-founded by Amitej Gajjala and Dheeraj Borra, both Indian entrepreneurs based in Bengaluru who also built Stader Labs, one of India's most prominent DeFi infrastructure projects. The exploit lands hard within the South Asian developer and restaking community that has grown up around EigenLayer, the underlying protocol Kelp is built on. According to CoinLaw, institutional DeFi adoption across the Asia-Pacific region rose from 27 percent to 69 percent between 2024 and 2025, a trajectory that makes clear how much is now at stake for regional participants.
The consequences extend further. Nigerian and Kenyan outlets including BitKE, BusinessDay Nigeria, and Economy Post Nigeria all covered the event independently, reflecting how central Aave has become to financial life in these markets. Across Africa, users increasingly rely on DeFi lending protocols to access dollar-denominated yield that traditional banking does not offer. A large-scale confidence shock carries no safety net in these contexts: there is no deposit insurance, no consumer protection mechanism, and limited options for users caught in a withdrawal freeze.
The state-sponsored nature of the attack adds a dimension that is particularly consequential for frontier-market retail users. Most participants in Nigerian, Kenyan, and South Asian DeFi markets lack the resources or information infrastructure to anticipate or hedge against attacks orchestrated by a nation-state actor like the Lazarus Group. Attribution to North Korea is not an abstraction in these contexts. It is a reminder that the adversaries targeting DeFi infrastructure operate with capabilities and objectives far beyond those of ordinary cybercriminals, and that the users most exposed to the fallout are often those with the fewest alternatives.
What Builders Should Do Now
The Halborn analysis and LayerZero's own statements point toward concrete steps for developers working on cross-chain applications in Lagos, Bengaluru, Nairobi, Lahore, and every city where new DeFi infrastructure is being built.
Any bridge handling significant value should require consensus from multiple independent DVNs rather than relying on a single verifier. Teams should deploy real-time monitoring for anomalous mint and burn activity: in the Kelp DAO incident, anomalous rsETH minting was detectable on-chain before the full drain completed, and faster alerting would have narrowed the loss window considerably. Projects should establish fast-acting pauser multisigs rather than single-key emergency controls, reducing the time attackers have to operate after a breach is detected. Teams should stress-test every collateral token for the possibility that it becomes unbacked and ensure downstream lending protocols receive immediate notification if a token's integrity is in doubt. Finally, no protocol should treat a vendor's default configuration as a security guarantee: defaults exist to simplify deployment, not to protect user funds.
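A minimal form of the mint and burn monitoring recommended above, as an added example rather than code from Kelp DAO, LayerZero or Halborn. It assumes the monitor reads both chains through its own data sources, sees events in time order, and that both halves of a transfer share a message id; the event shape, chain labels and sample events are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeEvent:
    kind: str    # "burn" on the sending chain, "release" on the receiving chain
    chain: str   # constructed chain label
    msg_id: str  # identifier shared by both halves of one transfer (assumed)
    amount: int  # token units


def find_unbacked_releases(events, pause_threshold):
    """Return (alerts, should_pause) for releases not backed by a matching burn."""
    burns = {}        # msg_id -> amount burned on the sending chain
    consumed = set()  # msg_ids already used by one release
    alerts, unbacked = [], 0
    for ev in events:
        if ev.kind == "burn":
            burns[ev.msg_id] = ev.amount
            continue
        if ev.kind != "release":
            continue
        if ev.msg_id in consumed:
            reason = "message id already released (replay)"
        elif ev.msg_id not in burns:
            reason = "no matching burn observed"
        elif burns[ev.msg_id] != ev.amount:
            reason = "amount differs from burn"
            consumed.add(ev.msg_id)
        else:
            consumed.add(ev.msg_id)  # backed transfer, nothing to report
            continue
        unbacked += ev.amount  # flagged releases are counted in full, conservatively
        alerts.append((ev.msg_id, ev.amount, reason))
    # Recommend a pause once unbacked value crosses the operator's limit.
    return alerts, unbacked >= pause_threshold


# Constructed sample events, in the order the monitor observed them.
SAMPLE_EVENTS = [
    BridgeEvent("burn", "chain-b", "m1", 100),
    BridgeEvent("release", "chain-a", "m1", 100),      # backed
    BridgeEvent("release", "chain-a", "m2", 116_500),  # no burn anywhere
    BridgeEvent("release", "chain-a", "m1", 100),      # reuse of m1
]

if __name__ == "__main__":
    alerts, pause = find_unbacked_releases(SAMPLE_EVENTS, pause_threshold=1_000)
    for msg_id, amount, reason in alerts:
        print(f"ALERT {msg_id}: {amount} units, {reason}")
    print("pause recommended:", pause)
```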
Total DeFi losses through mid-April 2026 now exceed $750 million, with cross-chain bridges accounting for $2.8 billion in cumulative losses since 2022. The Kelp DAO exploit is the sharpest illustration yet that insecure default configurations are not a niche developer problem. DeFi now serves approximately 7.8 million users globally, a figure that grew 26 percent year-on-year as of 2025, and for the millions in frontier markets who treat these protocols as a banking alternative, the cost of that negligence is real and immediate.