If you've ever used a DeFi protocol, held a liquid staking token, or deposited anything into Aave, Compound, or a yield vault - this incident touched your world. Not because you did anything wrong. Because the infrastructure connecting DeFi's pieces has a gap that the industry has known about for years and still hasn't fixed. The Kelp DAO exploit in April 2026 is the most expensive demonstration of that gap so far. This piece explains what actually happened, why it keeps happening, and what it would genuinely take to stop it.
Key Takeaways
- $290 million left Kelp DAO's bridge in a single attack on April 18, 2026, making it the biggest DeFi exploit of the year.
- Over 20 protocols got hurt despite none of them being touched by the attacker directly.
- Ronin, Wormhole, Multichain, Radiant Capital - this failure mode has a long track record.
- A distributed validator set makes this class of attack practically impossible to execute.
- The tools to build this way already exist; what's lagging behind is the will to make it the default.
Something big happened in DeFi on April 18, 2026. If you're reading this, you've probably already seen the headline figure. But behind that number is a story that's worth understanding properly, because it's not really about one bridge or one configuration mistake.
It's about a pattern that has played out repeatedly for years, at increasing scale, each time leaving users and protocols absorbing losses from a part of the stack they had no way to see or control. That's the part worth understanding. Not to assign blame, but because understanding it is the only path to fixing it.
One Verifier. One Forged Message. $290 Million.
Most people who held rsETH in April 2026 didn't think much about how it worked. They deposited ETH into Kelp DAO (the second-largest liquid restaking protocol), received rsETH in return, and got on with using it as collateral in Aave, in yield strategies, and across more than 20 networks. Over $1.57 billion in TVL had flowed in that way. It felt like one of the more mature corners of DeFi. But April 18, 2026 changed everything.
According to LayerZero's official incident statement, the attacker had already done their groundwork well before the exploit. They gained access to the list of RPC nodes that LayerZero Labs' DVN (Decentralized Verifier Network) relied on to verify cross-chain transactions, identified two of them running on separate independent server clusters, and replaced the software running on both with malicious versions. Those poisoned nodes were engineered to do one very specific thing: report fabricated transaction data exclusively to LayerZero's verifier while continuing to respond accurately to every other system that queried them, including LayerZero's own Scan monitoring service. There was nothing to see from the outside.
But compromising those two nodes alone was not enough. LayerZero's DVN used both its own internal RPCs and external ones for redundancy - a protection that would have stopped the attack there. So the attacker DDoS'd the uncompromised external RPCs, forcing the DVN to fall back entirely onto the poisoned nodes. With nothing left to contradict the fabricated data, the verifier confirmed a transaction that had never taken place. The bridge minted 116,500 rsETH with no real ETH behind them. Roughly 18% of the entire circulating supply around $290–293 million was sent directly to the attacker's address. The malicious software then self-destructed, deleting the binaries, local logs, and configs to eliminate any trace.
None of this would have worked against a multi-DVN configuration. If Kelp had been running two or three independent verifiers from different operators, compromising one DVN's data feed would not have been enough to forge a message -Â the others would have rejected it. LayerZero confirmed it had explicitly communicated this to Kelp before the incident. Kelp ran 1/1 anyway.
What followed moved fast. The attacker deposited the stolen rsETH into Aave V3, Compound V3, and Euler as collateral, borrowing real WETH across all three. On Aave, the attacker used a feature designed for ETH-correlated assets that allows significantly higher borrowing against collateral, squeezing out the maximum possible loan while keeping positions just barely above the liquidation threshold. Then the positions were abandoned. Unbacked rsETH sat as collateral. Real WETH was gone. Because the collateral was now worthless and the health factors were calibrated to avoid automatic liquidation, Aave was left holding a hole it couldn't close through its own mechanisms.
As a result, over 15 protocols were affected. Aave froze all rsETH markets across Ethereum, Arbitrum, Base, Plasma, and Linea. SparkLend, Fluid, Compound, Euler, and Pendle followed. Arbitrum's Security Council, acting with input from law enforcement, moved 30,766 ETH connected to the exploit into an intermediary frozen wallet - funds that can now only be released through Arbitrum governance action coordinated with relevant parties. None of these protocols had been hacked, every one of them was making a choice based on an asset that had become something different from what it was that morning. Multiple protocols had suspended LayerZero bridging entirely as a precaution, including Ethena, ApeCoin, ether.fi, and others with no direct rsETH exposure at all. Aave's total TVL fell $6.6 billion in a single day, most of it from pools that had never touched rsETH. Total DeFi TVL fell roughly $10 billion before the day was out.
Most of the people affected by this did nothing wrong. rsETH holders, Aave depositors, users of the protocols that froze as a precaution: they made reasonable decisions based on the information available to them. rsETH had more than a billion in TVL before the exploit. It had passed audits. Aave had run its standard collateral onboarding process. Nothing on the visible surface of any of these protocols signaled that their security ultimately rested on a single verifier whose RPC infrastructure could be a single point of failure.
That invisibility is the real problem worth talking about.
The Kelp DAO incident didn't happen because people were careless. It happened because the stack was built to look decentralized at the layers everyone can see, while the layers that actually failed stayed out of view. The audited smart contract at the top looks sound. The bridge verification layer in the middle, configured in ways that may or may not be robust, rarely appears in any interface a normal user or even a professional risk team would routinely check.
We've Been Here Before
Bridge exploits don't happen randomly. They cluster around the same problem: concentrated trust in a middle layer that was never designed to hold the weight placed on it. Sorted by years, the pattern becomes hard to ignore.
Major Bridge / Cross-Chain Verification Exploits
| Year | Protocol | Loss | Root Cause | Source |
| 2022 | Ronin Network | $624M | Spear phishing compromised 4 validator private keys directly; 5th Axie DAO validator accessed separately, crossing 5/9 signing threshold | CertiK |
| 2022 | BNB Bridge | $569M | Attacker became a relayer and forged a Merkle proof for block 110217401, confirmed two years prior; IAVL tree verifier failed to validate proof against current root hash, allowing arbitrary message forgery and minting of 2M BNB directly | Elliptic |
| 2022 | Wormhole | $326M | Verification accepted a fake system account as legitimate; attacker used it to authorize minting of 120,000 wETH on Ethereum without any corresponding deposit; funds unrecovered | CertiK |
| 2022 | Nomad Bridge | $190M | The upgrade bug accepted zero hash as valid proof; any message passed without a real deposit; 41 wallets exploited it openly, draining the bridge completely within hours | CertiK |
| 2022 | Harmony Horizon | $97M | Attacker gained control of the MultiSigWallet owner and called confirmTransaction() directly, bypassing multi-party approval; 12 transactions drained ETH, USDC, WBTC and other tokens, all routed to Tornado Cash | CertiK |
| 2023 | Multichain | $126–130M | All private keys held solely by CEO; keys inaccessible and funds moved to unknown addresses | Chainalysis |
| 2023 | Orbit Bridge | $82M | Centralized server compromise; multisig private keys obtained, 5 transactions drained Ethereum vault before detection on Dec 31 | Halborn |
| 2024 | Radiant Capital | $50–53M | DPRK malware silently collected valid signatures from 3-of-11 signers by spoofing transaction previews on hardware wallets; attacker transferred contract ownership and drained lending pools across Arbitrum and BSC | Halborn |
| 2025 | Force Bridge | $3.76M | Compromised private keys used to call privileged unlock() and withdraw() functions directly; attacker made multiple failed attempts over 6 hours before succeeding, one day after the bridge announced sunsetting | Halborn |
| 2026 | Kelp DAO | $290M | The attacker forged a cross-chain message; 1/1 DVN configuration meant a single compromised verifier key was sufficient to authenticate it, and the bridge released 116,500 rsETH with no deposit on the source chain | LayerZero |
| 2026 | IoTeX ioTube | $4.4M | Private key of the Validator contract owner account compromised; attacker used it to perform a malicious upgrade that bypassed validation and signature checks, gaining full control over TokenSafe and MintPool | Halborn |
This list was compiled from public sources and on-chain analysis. The actual total is likely higher, many exploits go unreported, and not all losses are attributed to verification failures specifically. If we missed an incident, drop it in the comments and we'll update the table.
Combined, these eleven incidents add up to roughly $2.37 billion, about half the cost of building the Large Hadron Collider, a machine built to find things invisible to the naked eye. The irony writes itself.
The Stack Got Tall. The Foundation Stayed Shallow.
That trajectory is real. It also means more capital is atop infrastructure that hasn't kept pace with the scale above it. Cross-chain bridge exploits reached over $2.53 billion by mid-2025 alone, according to Hacken, and Chainalysis put total crypto losses for the full year over $3.4 billion. Each time a major incident happens, the lesson gets noted, patches are made, and the upper layers of the stack grow more sophisticated. The verification infrastructure in the middle gets patched rather than rethought.
The incidents above share a common thread. The layer responsible for attesting that what happened on Chain A is true on Chain B was either too centralized, too easily forged, or too easily bypassed. The specific mechanisms vary: compromised signing keys, forged Merkle proofs, spoofed accounts, and misconfigured multisigs. But the structural failure is consistent. In every case, the attacker didn't break the cryptography. They found a check that was missing or controlled by too few keys, and that was enough.
Validator centralization, the 1/1 DVN pattern that broke Kelp, is one category of failure and arguably the most solvable. But it doesn't explain everything. The common thread isn't a single bug class. It's that the verification layer keeps being treated as a solved problem when it isn't.
Why Base-Layer Security Stops at the Bridge
Most people understand validator decentralization as a blockchain base layer concept: tens of thousands of independent validators, multiple client implementations, geographic distribution, and slashing for misbehavior. That robustness is real and hard-won.
What the Kelp incident makes concrete is that it doesn't extend upward automatically. Every layer of the stack that performs attestation, whether bridges, messaging networks, or oracles, has its own validator architecture and its own failure modes.
This is the "barrel effect": the overall security of an on-chain protocol depends on the weakest link among all the chains and bridges it touches.
Here is the specific reason why a decentralized validator set is the answer and not just one option among several. When a single verifier authenticates cross-chain messages, an attacker has exactly one target. Compromise that one operator's infrastructure (their RPC nodes, their signing keys, their software) and the bridge treats forged messages as real. The attacker only needs to succeed once, in one place, against one system.
When verification is distributed across several independent validators, say 13 of 19, the problem changes character entirely. The attacker now needs to corrupt enough independent parties, without any of the others detecting the coordinated attempt before it succeeds. Those parties run different software, use different infrastructure providers, operate in different jurisdictions, and share no operational dependencies. Corrupting one doesn't weaken the others. Every additional genuinely independent validator in the set makes the attack exponentially harder to coordinate.
This is why decentralized validator sets are not a better version of the same idea. They are a qualitatively different security model. It converts the question from "Can a single operator be compromised?" to "Can N fully independent parties be corrupted simultaneously and silently?". History shows that attackers can reliably answer yes to the first question. The second, when the validator set is diverse and large, it remains practically out of reach.
Where This Leaves Everyone
For anyone who was affected by this, directly or through protocols they use, it matters to say: the information that would have let you make a different decision wasn't realistically available to you. That's not a comfortable thing for the industry to stay with, but it's true, and pretending otherwise doesn't help anyone.
For builders, the case for robust multi-verifier bridge security has never been clearer. The same category of attack, targeting concentrated trust in a verification layer, took down protocols and caused losses. Each one was preventable with the same architectural change: distributing verification across the set of independent operators. The technology to do this exists today. It needs to be set as default, not the optional recommendation.
For the ecosystem broadly, the trajectory toward institutional scale is real, and the fundamentals driving it are durable. But every billion dollars of new capital entering DeFi is capital that depends on the verification infrastructure underneath it. The gap between what's been built at the top of the stack and what's been built at the middle layer needs to close. Not because the ecosystem has failed, but because it has grown enough that finishing the foundation is now the most important work left.
The technical details will matter. But an impact analysis won't address the issue the incident reveals. It will be closed by what gets built next and how seriously validator architecture gets treated as a first-class requirement from here forward.
The information provided by DAIC, including but not limited to research, analysis, data, or other content, is offered solely for informational purposes and does not constitute investment advice, financial advice, trading advice, or any other type of advice. DAIC does not recommend the purchase, sale, or holding of any cryptocurrency or other investment.
