GetChain News

Security/Hacker

News linked to both this project and an event.

Kelp: The theft was due to LayerZero's RPC nodes being compromised; the 1/1 DVN configuration is LayerZero's default setting

Odaily News: Kelp DAO officially posted on X regarding the follow-up on the theft incident, stating that the cause was the compromise of two RPC nodes hosted by LayerZero, while the third RPC node suffered a DDoS attack. This was an attack targeting LayerZero's infrastructure; Kelp's own systems were not involved in the construction or operation of this infrastructure. The 1/1 DVN configuration is the scheme described in LayerZero's documentation and is the default setting for all new OFT deployments. Kelp has been operating on LayerZero's infrastructure since January 2024 and has maintained open communication with the LayerZero team. During Kelp's expansion to Layer2, the DVN configuration was discussed, and the default configuration was explicitly confirmed as appropriate at that time. Kelp's current top priority is to protect user interests and prevent risks from spreading within the DeFi ecosystem. The team is collaborating with various parties in the ecosystem to analyze the impact, seek support, and explore all possible mitigation solutions.

Lido: rsETH Theft Incident Affects EarnETH, Exposure Approximately $21.6 Million, Deposits and Withdrawals Suspended

Odaily News: Lido posted on platform X stating that on April 18th, the Kelp cross-chain bridge was attacked, resulting in the theft of approximately 116,500 rsETH (worth about $292 million). Subsequently, the related assets were frozen on lending markets such as Aave. Its treasury product EarnETH has approximately 9% risk exposure (about $21.6 million) through leveraged rsETH/ETH positions on Aave. Meanwhile, rising borrowing utilization is creating cost pressure on other strategies. The team is advancing deleveraging and reducing overall risk. Lido pointed out that the final impact of the rsETH positions depends on the subsequent handling by Kelp, LayerZero, and Aave, including loss sharing, asset recovery, and bad debt processing. Regarding risk mitigation, EarnETH can, if necessary, activate a $3 million "first-loss protection mechanism" (provided by the DAO treasury) to cover losses. The specific scale of its use is still pending further evaluation. Currently, the treasury has suspended deposits and withdrawals to ensure fairness and complete loss assessment. If the handling process is slow, redemption channels may be reopened based on the worst-case loss expectations. The official statement emphasized that stETH and wstETH are unaffected, and the core staking protocol was not involved in this incident.

Lido EarnETH has approximately $21.6 million exposure to rsETH and plans to activate a $3 million first-loss protection mechanism.

According to an official Lido tweet, on April 18, 2026, attackers stole 116,500 rsETH (approximately $292 million) from the Kelp cross-chain bridge. Lending platforms including Aave subsequently froze the rsETH market. Lido’s EarnETH treasury holds approximately 9% exposure to rsETH (roughly $21.6 million) via leveraged positions on Aave; deposits and withdrawals are currently suspended. The EarnETH team is actively reducing leverage and mitigating risk; the final loss amount will depend on subsequent decisions by Kelp, LayerZero, and Aave. The Lido DAO treasury has a $3 million “first-loss protection mechanism,” which may be activated—via burning DAO treasury shares—as needed. Lido’s core staking protocol, as well as stETH and wstETH, remain unaffected by this incident.

Kelp DAO Counters LayerZero’s Attribution of the $290M rsETH Vulnerability

According to CoinDesk, Kelp DAO will dispute LayerZero’s explanation of the $290 million rsETH cross-chain bridge vulnerability, stating that the compromised single-validator configuration relied on LayerZero’s own infrastructure and that this setup was part of LayerZero’s default integration—rather than a custom choice by Kelp DAO violating recommended practices. The attacker stole approximately 116,500 rsETH by compromising the servers LayerZero used to verify cross-chain transactions and disrupting its fallback nodes. Kelp DAO emphasized that the incident affected only the LayerZero-based bridging layer, leaving its core liquidity re-staking contracts unimpacted. LayerZero subsequently responded by announcing it would cease signing messages for any applications using a single-validator configuration and would mandate secure migration.

DefiLlama Founder Analyzes Three Possible Resolution Paths for the Kelp DAO Incident and Corresponding Potential Bad Debt Sizes

According to a post by 0xngmi, founder of DefiLlama, following the hack of KelpDAO, Aave is facing severe pressure in handling bad debt. Currently, there are three potential solutions: First, socializing the loss across all users—this would result in an 18.5% impairment for users, generating approximately $216 million in bad debt. Aave’s Umbrella Insurance could cover $55 million, and the treasury could contribute an additional $85 million, leaving a shortfall of roughly $76 million. Second, executing a “rug pull” on rsETH holders on L2 chains—this would generate approximately $341 million in bad debt, with Arbitrum, Mantle, and Base markets suffering the heaviest losses. Third, returning assets to holders based on a pre-attack snapshot—but this approach is extremely operationally challenging, and even after Umbrella Insurance coverage, an estimated $91 million in losses would remain. Additionally, some suggest confiscating the hacker’s collateral to offset part of the bad debt. Meanwhile, Aave’s OG Security Module still holds approximately $300 million worth of AAVE tokens; applying a 20% reduction would provide an additional ~$60 million in loss coverage.

Kelp DAO Hacked, Triggering Aave Liquidity Crisis; Users Withdraw $6.2 Billion

Odaily News: A LayerZero cross-chain bridge related to Kelp DAO was hacked on Saturday, resulting in 116,500 rsETH worth $291 million flowing to a new wallet. The hacker used the illicitly obtained rsETH as collateral to borrow on Aave, causing the utilization rate of Aave's core lending pool to reach 100% and triggering a liquidity crunch. According to monitoring by 0xngmi, as of early Sunday, the net withdrawal amount from Aave had reached $6.2 billion. Kelp DAO has suspended the rsETH contracts on the Ethereum mainnet and several L2 networks. Affected by this, the price of the Aave token fell 16% to $90.13, and the price of Ethereum dropped 2% to $2,300. Currently, Justin Sun has posted on platform X attempting to negotiate with the hacker.

Lido Earn: Pauses Additional Deposits to earnETH Due to Kelp DAO Vulnerability

According to a post by Lido, the Lido Earn team is aware of the developments regarding the Kelp DAO exploit, and earnETH has exposure to rsETH. As a precautionary measure, additional deposits to earnETH have been paused while the situation is being assessed with relevant partners. More details will be announced later.

Kelp Incident Causes ZRO to Drop; A Whale Loses $2.88 Million as Part of Long Position Liquidated

According to on-chain analyst Onchain Lens (@OnchainLens), Kelp DAO lost approximately $294 million in the cross-chain bridge exploit. As a result, $ZRO dropped from $2 to $1.40. A whale holding a long $ZRO position on HyperLiquid was partially liquidated, incurring a loss of $2.88 million. The whale still holds the position, with an unrealized loss exceeding $750,000 and a total loss of approximately $28.98 million.

Aave has frozen the rsETH markets on Aave V3 and Aave V4.

Regarding the KelpDAO hack, Aave tweeted that the rsETH markets on Aave V3 and Aave V4 have been frozen. Aave stated that its contracts were not exploited and that this incident is related to the exploit of Kelp DAO’s rsETH cross-chain bridge. The freeze will prevent new rsETH deposits and rsETH-backed lending. Aave is currently reviewing lending activity involving rsETH on the platform following the exploit and has indicated that, should the protocol accumulate bad debt as a result, it will explore options to cover the deficit. Earlier reports indicated that Kelp DAO’s cross-chain bridge was hacked, resulting in the theft of approximately $292 million worth of rsETH, exposing Aave V3 to bad debt risk.

Kelp DAO Cross-Chain Bridge Attacked, ~$292M rsETH Stolen

According to CoinDesk, Kelp DAO’s LayerZero-based cross-chain bridge was attacked, with the attacker withdrawing 116,500 rsETH—worth approximately $292 million at current prices, or roughly 18% of its circulating supply. This incident has become the largest DeFi attack of 2026 to date. In response, Aave, SparkLend, and Fluid have frozen rsETH-related markets, and Lido Finance has suspended new deposits into its earnETH product. Kelp DAO stated it is jointly investigating the incident with LayerZero, auditing firms, and external security experts.

Kelp DAO's rsETH Bridge Protocol Suspected of Being Hacked, Losses Approximately $292 Million

Odaily News: On-chain data indicates that Kelp DAO's rsETH bridge protocol based on LayerZero is suspected of being exploited by hackers, resulting in a loss of 116,500 rsETH, valued at approximately $292 million.