In the cutthroat world of decentralized finance (DeFi), where billions move at the click of a smart contract, vulnerabilities don’t just sting—they can cascade like dominoes across chains.
On April 18, 2026, Kelp DAO—a prominent liquid restaking protocol—fell victim to what quickly became the largest DeFi exploit of the year so far. This led to roughly $292 million in unbacked rsETH tokens minted through a sophisticated attack on its LayerZero-powered cross-chain bridge.
With this becoming the year’s largest hack so far, its fallout hit hardest at Aave, the blue-chip lending borrowing giant, where panicked withdrawals drained tens of billions in liquidity and threatened bad debt estimates ranging from $124 million to $230 million.
Yet, instead of the usual finger-pointing and slow-motion governance debates that plague crypto crises, something different happened. Within days, major protocols and figures rallied under a banner called “DeFi United,” pledging tens of thousands of ETH to plug the hole and stabilize the system.
This isn’t just another hack recap. It’s a story of fragility in cross-chain infrastructure meeting rare industry maturity and a test of whether DeFi can truly self-heal when the stakes are this high.
The exploit: A bridge too far
In the Kelp DAO exploit, attackers are widely linked by blockchain analysts to North Korea’s Lazarus Group (specifically a state sponsored subgroup known for crypto ops). This breach was not on Kelp’s core contracts directly, but it targeted the bridge’s reliance on LayerZero’s decentralized verifier network.
By compromising RPC nodes feeding data to a verifier and using DDoS tactics to force failover, they forged a cross-chain message. This tricked the system into minting approximately 116,500 rsETH—about 18% of the token’s circulating supply—without any corresponding burn or collateral on the source chain (Unichain to Ethereum route).
Kelp’s team spotted the anomaly quickly. They paused contracts within about 46 minutes, blacklisted addresses, and blocked follow-up attempts that could have drained another $95 million. But the damage was done.
The attacker deposited much of the phantom rsETH as collateral on Aave and other platforms, borrowing approximately $200 million in WETH and other assets before positions were frozen.
In response, rsETH markets on Aave were frozen across V3 deployments on Ethereum, Arbitrum, Base, Mantle, and Linea. Liquidity evaporated—Aave’s TVL plunged from peaks near $45 billion toward the $28–30 billion range amid a broader withdrawal wave. Borrowing rates spiked as suppliers pulled back.
For users, rsETH—meant to represent restaked ETH yielding from EigenLayer and other networks—suddenly carried counterparty risk. The token depegged, and redemption pressure mounted on Kelp itself.
DeFi unites to quantify the hole
Aave’s April 20 incident report laid out two grim scenarios. If losses were socialized across all rsETH holders, bad debt on Aave could hit about $124 million (roughly 15% haircut). If isolated to L2s, it ballooned to $230 million, hammering smaller reserves on chains like Mantle (71% shortfall in one model) and Arbitrum.
Various on-chain trackers pegged the effective “hole” at around 112,204 rsETH, equivalent to roughly 118,400 ETH. After accounting for seized funds and excess tokens, the net gap needing fresh capital sat near 68,900–99,600 ETH in some estimates before major pledges rolled in.
Arbitrum’s Security Council moved swiftly, freezing and seizing 30,766 ETH tied to the attacker— a rare on-chain intervention that clawed back meaningful value.
What set this crisis apart was the speed and breadth of the response. Aave service providers and partners dubbed the effort “DeFi United,” channeling donations and loans into a relief vehicle to re-back rsETH, unfreeze markets, and prevent cascading insolvencies.
Pledges poured in, and as of writing these are the updated details:
- Mantle, an Ethereum L2, proposed the heavyweight contribution: up to 30,000 ETH as a loan facility to Aave DAO at a variable rate (Lido yield +1% APR) over 36 months, with early repayment allowed. The proposal, backed by Bybit in discussions, aims to generate treasury yield while stabilizing the ecosystem.
- Ether.fi offered up to 5,000 ETH from its DAO treasury.
- Aave founder Stani Kulechov personally committed 5,000 ETH.
- Lido proposed up to 2,500 stETH via its Labs foundation.
- Golem (Foundation and Factory) stepped up with 1,000 ETH.
- Aave CTO Ernesto leaned in with 100 ETH.
Other assumed or smaller commitments came from Ethena, LayerZero, Kraken/Ink, and excess rsETH recovered from Aave/Compound pools (estimated ~15k ETH equivalent).
By April 24, 4:30 PM IST, total commitments exceeded 43,600 ETH—over $101 million at prevailing prices. Trackers showed the remaining gap narrowed to around 23,600 ETH, though exact figures depend on governance approvals and final mechanics.
Appreciating moves, Kelp DAO shared a post on X that its recovery progress, in addressing the rsETH shortfall following the April 18 LayerZero bridge exploit, created an initial 163,200 ETH gap in backing for the liquid restaking token.
“rsETH holders come first, and that’s been our priority since day 1. We will continue sharing updates as further commitments are confirmed,” Kelp DAO said.
These aren’t outright gifts in every case. Many are structured as loans or conditional aid, reflecting the pragmatic, yield-conscious nature of DeFi participants. The funds target a dedicated vehicle to absorb the shortfall directly, shielding suppliers and minimizing bad debt crystallization.
Why does this (and the lingering risks) matter?
The coordination signals growing maturity. Past exploits often left protocols siloed, watching contagion spread. Here, leaders moved in days, not weeks. “DeFi United is one of the most positive coordinated responses we’ve seen,” one community voice noted amid the trackers.
Yet skeptics abound. Governance votes on proposals like Mantle’s and Lido’s are pending. Questions swirl around ultimate loss allocation: Should Kelp rsETH holders take a haircut? Will bridges ever be trusted at this scale? LayerZero faced scrutiny over its verifier setup, though it supported recovery efforts.
Broader DeFi TVL has taken a hit, with sector losses surpassing $600 million in recent weeks including prior incidents. Aave’s Umbrella security module and reserves offer some buffers, but manual governance handling is likely.
For everyday users, the episode underscores composability’s double edge. Restaking and bridges amplify yields but multiply attack surfaces. Lazarus-linked actors continue laundering via cross-chain tools like THORChain, reminding everyone that stolen funds rarely vanish—they evolve.
The road ahead
As of April 24, Aave has partially unfrozen some WETH reserves while keeping LTV at zero for rsETH. Kelp remains paused, with redemption mechanics under discussion. The relief vehicle’s structure will determine how cleanly markets recover.
Mantle’s proposal highlights an interesting dynamic: L2s stepping up to backstop the L1-centric lending giant, potentially earning yield and burning tokens in return. If successful, it could set a precedent for mutual defense pacts in DeFi.
This isn’t the end of bridge hacks or restaking risks. But the rapid mobilization—pledges, freezes, pauses, and public trackers—shows an ecosystem learning from pain. In a space often criticized for chaos, DeFi United offers a glimpse of resilience: protocols acting not just in self-interest, but with an eye on collective stability.
Whether the gap closes fully, governance aligns, and trust rebounds remains to be seen. For now, the hole is shrinking, one pledged ETH at a time.
Also read: KelpDAO, Bybit, Ronin: Lazarus Group’s Crypto Hacks Behind a $7.3B Heist Empire
