Kelp DAO Hacked for $292 Million: LayerZero Cross-Chain Bridge Attacked with Forged Messages, Biggest DeFi Event of 2026

ChainNewsAbmedia

Kelp DAO’s re-staking protocol was hacked in the early hours of April 19, Taiwan time. According to a CoinDesk report and tracking by on-chain security firm Cybers, the attacker used a cross-chain bridge connector deployed by Kelp on LayerZero to forge cross-chain messages and trigger a contract release of 116,500 rsETH, worth about $292 million, or nearly 18% of the rsETH circulating supply. The loss exceeds the $285 million Drift Protocol incident from earlier in April, making it the largest DeFi security event of 2026.

Forged cross-chain messages bypass bridge connector verification

Kelp DAO’s rsETH is native to the Ethereum mainnet and is deployed via LayerZero’s cross-chain messaging layer across more than 20 other chains. The attacker launched the attack at around 2:50 PM Eastern Time on April 18, using forged cross-chain packets to make the mainnet adapter contract believe that “valid instructions came from another chain,” thereby releasing 116,500 rsETH to an address controlled by the attacker.

After obtaining the rsETH, the attacker further staked the tokens on Aave V3, borrowed WETH, and then transferred the assets across chains to Arbitrum in batches, ultimately laundering the funds through the mixer Tornado Cash. About 46 minutes after the attack, Kelp triggered an emergency pause via its multisig signers; two subsequent attack attempts involving 40k rsETH each (totaling about $100 million) were reverted because the contract was frozen.

Aave urgently freezes the rsETH market

In a community post, Aave founder Stani Kulechov said, “The rsETH market on Aave V3 and Aave V4 has been frozen. The Aave contracts themselves have not been attacked. This is a vulnerability on the rsETH side,” and emphasized that rsETH has no borrowing power on Aave, meaning Aave has no direct loss. However, the WETH borrowing positions supported by rsETH as collateral still leave an estimated bad-debt risk of about $177 million, forcing liquidity providers to urgently withdraw.

Market reaction has been intense. After the news broke, the AAVE token fell 10.27% in a single day and briefly dropped to $105.73. The related lending protocols SparkLend and Fluid also froze positions involving rsETH one after another, amplifying cascading risk as liquidity thinned out over the weekend.

Wrapped rsETH spread across 20 chains becomes a liquidation challenge

The ripple effect of this incident is greater than that of a typical single-chain attack. The drained adapter reserves are the backing assets for wrapped rsETH issued across more than 20 chains—meaning users on other chains who still use wrapped rsETH to borrow, stake, or trade are passively exposed to de-pegging risk. Kelp’s official statement only said it identified “suspicious cross-chain activity” and paused the rsETH contract, without yet disclosing any compensation plan.
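Because the adapter's reserves back wrapped rsETH on the other chains, a mainnet release that no source-chain send justifies is the signal a monitor should raise. The following is an added example, not code from the article, Kelp or LayerZero: a Python reconciliation check over constructed event records, where the field names (`guid`, `src`, `amount`, `to`) and both function names are assumptions.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data: identifiers are invented; the large amount mirrors
# the figure quoted in the article. Sends are seen on remote chains, releases
# on the mainnet adapter.
SENDS = [
    {"guid": "0xa1", "src": "arbitrum", "amount": Decimal("120"), "to": "0xUSER1"},
    {"guid": "0xa2", "src": "base", "amount": Decimal("75.5"), "to": "0xUSER2"},
]
RELEASES = [
    {"guid": "0xa1", "src": "arbitrum", "amount": Decimal("120"), "to": "0xUSER1"},
    {"guid": "0xa2", "src": "base", "amount": Decimal("80"), "to": "0xUSER2"},
    {"guid": "0xff", "src": "base", "amount": Decimal("116500"), "to": "0xUNKNOWN"},
    {"guid": "0xa1", "src": "arbitrum", "amount": Decimal("120"), "to": "0xUSER1"},
]

def reconcile(sends, releases):
    """Return (guid, reason) for each release that no source-chain send justifies."""
    by_guid = {s["guid"]: s for s in sends}
    seen = Counter()
    findings = []
    for r in releases:
        seen[r["guid"]] += 1
        s = by_guid.get(r["guid"])
        if s is None:
            # The adapter acted on a message that was never sent on any source chain.
            findings.append((r["guid"], "no matching source-chain send"))
        elif seen[r["guid"]] > 1:
            findings.append((r["guid"], "message released more than once"))
        elif (s["src"], s["amount"], s["to"]) != (r["src"], r["amount"], r["to"]):
            findings.append((r["guid"], "release differs from source-chain send"))
    return findings

def backing_gap(locked_on_mainnet, wrapped_supply_by_chain):
    """Wrapped supply on remote chains minus adapter reserves; > 0 means under-backed."""
    return sum(wrapped_supply_by_chain.values(), Decimal(0)) - locked_on_mainnet

if __name__ == "__main__":
    for guid, reason in reconcile(SENDS, RELEASES):
        print(guid, reason)
```

A non-empty result from `reconcile`, or a positive `backing_gap`, is the kind of condition that would justify an automatic pause rather than waiting for a manual multisig response.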

Cross-chain bridges become a new attack surface for DeFi

The Kelp incident continues a trend in 2026 in which the cross-chain messaging layer has become the main focus of attacks. From the attack on Drift Protocol earlier this month, which used Solana durable nonces to bypass multisig signers, to the forged LayerZero messages in the Kelp case, the weak points were not in the lending protocols themselves but in the message verification mechanisms that connect the various chains. Chaos Labs, the risk management team, had previously exited Aave risk controls due to budget disputes, and with cross-chain bridges emerging as a concentrated attack surface, the challenge of structurally sound security governance for DeFi protocols continues to rise.

This article: Kelp DAO hacked for $292 million: LayerZero cross-chain bridge attacked via forged messages, becoming the largest DeFi incident of 2026 first appeared on Chain News ABMedia.
