Author: Xiaobing, Shenchao TechFlow
At 17:35 on the evening of April 18 (UTC), a wallet funded through Tornado Cash sent a cross-chain message to LayerZero's EndpointV2 contract.
The semantics of this message are simple: a user on a certain chain wants to bridge rsETH back to the Ethereum mainnet. LayerZero conveyed the instruction faithfully, as the protocol is designed to do. The bridge contract deployed by Kelp DAO on mainnet also executed the release faithfully, as designed.
116,500 rsETH, worth approximately US$292 million at the time, was transferred to an attacker-controlled address in a single transaction.
The problem is that no one on the other chain had deposited this rsETH at all. This "cross-chain request" was forged out of thin air. LayerZero believed it, and Kelp's bridge believed it too.
After 46 minutes, Kelp's emergency multisig hit the pause button. By then, the attacker had completed the second half of the operation: depositing the stolen, effectively unbacked rsETH into Aave V3 as collateral and borrowing wETH worth approximately US$236 million.
This is the largest DeFi theft so far in 2026, millions more than the Drift protocol that was attacked by North Korean-backed hackers on April 1, but it is not just the amount that really sends chills down the spine of the industry.
Let's reconstruct the timeline.
17:35 UTC, first success. Using a wallet funded through Tornado Cash, the attacker called the lzReceive function on the LayerZero EndpointV2 contract to deliver a forged cross-chain packet to Kelp's bridge contract. The contract's verification passed and 116,500 rsETH was released to the attacker's address. One transaction. Clean.
At 18:21 UTC, Kelp's emergency pause multisig froze the rsETH core contracts on mainnet and multiple L2s. That was 46 minutes after the attack.
At 18:26 and 18:28 UTC, the attacker made two more attempts, each with a LayerZero packet that tried to withdraw an additional 40,000 rsETH (approximately US$100 million). Both reverted because the contracts were already frozen, but the attacker was clearly still trying to take the remaining liquidity.
Nearly three hours passed between the initial theft and Kelp's public statement.
Kelp's first X post was not sent until 20:10 UTC, and the wording was very restrained: suspicious cross-chain activity involving rsETH had been detected, the rsETH contracts on mainnet and multiple L2s had been paused, and Kelp was working with LayerZero, Unichain, auditors and external security experts on a root cause analysis.
But ZachXBT reached a conclusion before the official statement did. The on-chain investigator issued an alert on his Telegram channel before 3 pm EST, listing six wallet addresses related to the theft and pointing out that the attacking wallets had been funded through Tornado Cash before the operation began. He didn't mention Kelp DAO by name, but it took on-chain analysts only a few hours to connect the addresses.
This was a premeditated operation timed to the minute. Pre-funded laundered wallets, carefully constructed cross-chain packets, and the attack followed immediately by the Aave collateral deposit: every step landed as if on a metronome.
If it was just a simple bridge vulnerability that stole 116,500 rsETH and ran away, this would at most be considered a large-scale accident in 2026. Kelp bears the loss, the community digests it for a few days, and the industry moves on.
But the attacker had obviously thought this through. rsETH itself does not have sufficient secondary liquidity. Dumping US$292 million of it directly onto DEXs would let slippage eat up a considerable part of the profit. A more elegant way out is to package this batch of "rsETH obtained out of thin air" as decent-looking collateral and borrow truly liquid assets from a lending protocol.
So the attacker took the second step: deposit the stolen rsETH into Aave V3 as collateral and borrow a large amount of wETH.
Why is this step fatal? Because the Aave contract was still calculating the collateral value from the oracle price of rsETH at that moment, while the reserves in the bridge had already been emptied, so the economic backing of this batch of rsETH no longer existed. The lending protocol was still issuing loans as if the collateral were "100% gold content", but the collateral was already a bad check.
The result: the attacker shifted the liquidation risk onto Aave's wETH reserve pool.
Aave V3’s wETH reserve is now absorbing bad debts. Solidity developer and auditor 0xQuit reminded depositors on
The latest estimate of the scale of bad debts is on the order of US$177 million, and this is only on the Ethereum mainnet side.
For veteran DeFi players, this brings a familiar sense of déjà vu. When Luna collapsed in 2022, Aave V2's Safety Module played a similar role.
But this time it is Umbrella, the new-generation backstop system Aave launched at the end of 2025 to replace the old Safety Module. This incident is the first major real-world stress test of Umbrella's automatic bad debt coverage mechanism.
Umbrella's logic is straightforward: stake aWETH, aUSDC, and GHO in the corresponding Umbrella vault to earn extra incentives in normal times. When the corresponding asset pool runs a deficit, however, that stake is slashed (reduced) proportionally to fill the hole.
This design looks good on paper. In the first month of running Aave v3.3, the cumulative deficit of the entire pool was about US$400, against nearly US$9.5 billion in outstanding loans. The proportion is so small that it is almost negligible.
But US$177 million in bad debts is on another level. Users who have staked aWETH in Umbrella are about to feel the real weight of the words "taking the risk of slashing" for the first time. Aave's official statement is very cautious: if bad debts occur, Aave plans to use Umbrella assets to make up for any financial shortfalls. But whether the shortfall can be fully covered, how high the slashing ratio will be, and how much principal stakers will lose are all questions that cannot be answered until settlement is complete.
What is even more disturbing is the role of the stolen rsETH.
rsETH is deployed on more than 20 networks including Base, Arbitrum, Linea, Blast, Mantle, and Scroll, and cross-chain transfers are handled by LayerZero's OFT standard. The rsETH in the drained bridge is the reserve that backs all the "wrapped versions" of rsETH on these networks.
This design sounds very conventional at first glance: the mainnet treasury holds a 1:1 reserve, and rsETH holders on L2 can theoretically bridge back to mainnet and redeem at any time. But the premise of this mechanism is that the treasury actually holds the funds.
The vault is now 18% empty. About 18% of Kelp's total circulating supply of rsETH lost its corresponding reserves overnight.
This creates a feedback loop: once holders on L2 panic and redeem, the pressure is transmitted to the unaffected Ethereum supply side, possibly forcing Kelp to unstake its restaking positions to meet withdrawal requests.
Unwinding a restaking position is not a matter of pressing a button. EigenLayer withdrawals have a delay period, and withdrawals from the underlying validators have a queue. If rsETH holders on L2 rush the redemption window collectively, Kelp may not have time to get the funds ready on mainnet.
This is a fundamental risk of the bridge reserve model: as long as there is a problem with the mainnet reservoir, the water pressure in every downstream canal collapses. Every rsETH holder on L2 faces the same choice right now. Should they run first, or should they trust Kelp to come up with an answer?
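The reserve premise above can be checked off-chain by reconciling every mainnet release against a matching source-chain debit and tracking how much reserve still backs the remote supply. The sketch below is an added example, not code from Kelp, LayerZero or the original article; the record fields, message ids and starting balances are constructed for illustration, and only the 116,500 rsETH figure comes from the text.

```python
from decimal import Decimal

# Constructed sample records; field names and message ids are hypothetical.
# Only the 116,500 rsETH figure comes from the article.
SOURCE_DEBITS = [   # rsETH debited on a remote chain when a holder bridges back
    {"msg_id": "0xa1", "chain": "chain-a", "amount": Decimal("1200")},
    {"msg_id": "0xb2", "chain": "chain-b", "amount": Decimal("350")},
]
MAINNET_RELEASES = [  # rsETH paid out of the mainnet reserve by the bridge
    {"msg_id": "0xa1", "src_chain": "chain-a", "amount": Decimal("1200")},
    {"msg_id": "0xb2", "src_chain": "chain-b", "amount": Decimal("350")},
    {"msg_id": "0xff", "src_chain": "chain-x", "amount": Decimal("116500")},
]
RESERVE_START = Decimal("200000")        # constructed: rsETH locked on mainnet
REMOTE_SUPPLY_START = Decimal("200000")  # constructed: rsETH circulating on L2s


def unmatched_releases(debits, releases):
    """Releases with no source-chain debit of the same id, chain and amount."""
    pending = {(d["msg_id"], d["chain"]): d["amount"] for d in debits}
    flagged = []
    for r in releases:
        # pop() consumes the debit, so a replayed message id is flagged too
        if pending.pop((r["msg_id"], r["src_chain"]), None) != r["amount"]:
            flagged.append(r)
    return flagged


def backing_ratio(debits, releases):
    """Mainnet reserve divided by remote supply after applying both event sets."""
    reserve = RESERVE_START - sum(r["amount"] for r in releases)
    remote = REMOTE_SUPPLY_START - sum(d["amount"] for d in debits)
    return reserve / remote


if __name__ == "__main__":
    for r in unmatched_releases(SOURCE_DEBITS, MAINNET_RELEASES):
        print("ALERT unbacked release:", r["msg_id"], r["amount"], "rsETH")
    print("backing ratio:", backing_ratio(SOURCE_DEBITS, MAINNET_RELEASES))
```

A ratio below 1 means remote holders can no longer all redeem against the mainnet reserve, which is the condition a lending protocol's risk monitor would want to see before continuing to accept the token as collateral.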
Panic swept through the entire DeFi lending sector within a few hours.
The rsETH market for Aave V3 and V4 is frozen, and new deposits and rsETH-based lending channels are closed.
SparkLend and Fluid followed up by freezing the rsETH market.
Although Ethena stated that it has no rsETH exposure and maintains over-collateralization of more than 101%, it still suspended its LayerZero OFT bridge from the Ethereum mainnet as a precautionary measure. The suspension is expected to be about six hours. This reaction is very intriguing: players without direct exposure are also suspending LayerZero-related bridges.
Lido Finance has suspended new deposits for its earnETH product (because the product contains rsETH exposure), while emphasizing that stETH and wstETH are not affected, and the Lido core staking protocol has nothing to do with this incident.
Upshift has suspended deposits and withdrawals from High Growth ETH and Kelp Gain vaults.
The list is getting longer.
As of the writing of this article, the root cause analysis of Kelp DAO is still in progress. How much of the stolen rsETH can be recovered through security teams or white hat negotiations? Can Aave's Umbrella withstand this bad debt? Will rsETH holders on L2 trigger a run? Can AAVE and rsETH prices stabilize before the end of the weekend?
However, some problems have been highlighted.
For example, can LRT continue to be qualified collateral for lending protocols?
The Liquid Restaking Token (LRT) was the darling of the Ethereum ecosystem in the last cycle. EigenLayer opened up the narrative of "earning multiple layers of yield from one ETH", and protocols such as Kelp, ether.fi, and Puffer industrialized this narrative. The end result is that major lending protocols added LRT to their collateral whitelists as a structured asset.
This decision is based on an assumption: LRT’s anchoring mechanism is robust enough, and the multi-layer nested risks of the underlying assets can be fully modeled and isolated at the smart contract level.
The Kelp incident poked a big hole in this assumption in one afternoon. The risks of LRT come not only from the underlying smart contract but also from its cross-chain distribution architecture; not only from a single protocol but also from every dependency between it and EigenLayer, LayerZero, and Aave. Each DeFi Lego block looks safe when taken apart, but when they are put together, the risks multiply rather than add.
In the coming months, all lending protocols that also list LRT as high-grade collateral will have to reassess their risk parameters. Supply caps will be lowered, liquidation buffers will be enlarged, and some protocols may delist it outright.
DeFi’s moat has always been called “composability,” but this incident reminds everyone: composability is a double-edged sword. The network effect you are proud of is an amplifier in the hands of attackers.
This time the attackers had planned their exit path in advance: they did not just steal, they used DeFi composability as a weapon. As the dependencies between protocols grow closer and composability grows richer, the attack surface gets wider and attackers have more financial Lego to call upon.
DeFi security still has a long way to go.