Kelp DAO $292M Bridge Hack

Kelp DAO Hack 2026: How a Forged Approval Drained $292 Million and Left Aave Holding the Debt

Andrew Kamsky

Reading time: 15 mins


Quick summary

  • A forged message abused Kelp’s 1-of-1 LayerZero verifier, minting 116,500 unbacked rsETH

  • Attacker deposited fake rsETH on Aave, borrowed about $196M WETH, leaving massive bad debt

  • Aave TVL fell 37 percent in three days; safety module and treasury face $127M–$150M shortfall

  • LayerZero and Kelp dispute responsibility for risky defaults, while DeFi rethinks bridge configurations

On April 18, 2026, $292 million left crypto's largest lending market through a single forged approval. No code was broken. No password was stolen. A system designed to check one signature instead of many was tricked into releasing funds that did not exist. 

By the time markets froze, Aave had issued nearly $200 million in real loans against worthless collateral and its total deposits had fallen 37% in three days. Here is what happened, who was involved, and what it means for anyone with money in DeFi.

rsETH Explained: How Kelp DAO's Liquid Restaking Token Works

The first player to understand is Kelp DAO — a platform that lets ETH holders earn extra yield by locking their ETH into a network of validators. 

In return, Kelp issues a token called rsETH.

rsETH acts like a deposit receipt:

  • What rsETH represents: Proof that real ETH is locked and earning yield inside Kelp

  • Why rsETH was useful: Holders could take that receipt and use it elsewhere in DeFi — borrow against it, trade it, or move it across blockchains without giving up their yield position

  • Why that matters: Before the hack, rsETH was accepted as collateral on four major lending platforms: Aave V3, Compound, Euler, and SparkLend

The result of the hack: 116,500 rsETH — 18% of the entire circulating supply — was created out of nothing, with no ETH backing it. Every existing rsETH holder across multiple blockchains was now holding a token partially backed by air.

How the LayerZero Bridge Exploit Worked: The 1-of-1 DVN Vulnerability Explained

To move rsETH between blockchains, Kelp used a cross-chain bridge — a messenger service that carries instructions from one blockchain to another. Because blockchains cannot read each other's data directly, a bridge has to verify that an instruction is genuine before releasing funds.

The second player: LayerZero — the infrastructure company that built and operates Kelp's bridge. LayerZero's verification system works by assigning independent checkers, called a Decentralized Verifier Network (DVN), to confirm each instruction before anything moves.

Here is where the vulnerability sits:

  • Safer setup: 2-of-3 or 3-of-5 verifiers required; multiple independent parties must all approve before funds release. An attacker would need to compromise all of them simultaneously

  • Kelp's setup: 1-of-1, one verifier, one signature required. That single verifier was operated by LayerZero Labs itself

  • What the attacker did: Forged a message that passed through that single checkpoint. The bridge saw a valid signature and released 116,500 rsETH to an attacker-controlled address

In plain terms: A building with one security guard instead of three. Convince the one guard and the door opens. The alarm never sounds because nothing technically malfunctioned.
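The difference between a 1-of-1 and a 2-of-3 verifier threshold, modelled as an added example (not code from LayerZero, Kelp or the original article). The verifier names, keys and messages are constructed, HMAC stands in for each verifier's real signature scheme, and the example assumes only that one verifier ends up approving the forged message, since the article does not describe how that approval was obtained.

```python
import hashlib
import hmac

def attest(key: bytes, payload: bytes) -> bytes:
    """Stand-in for a verifier's signature (HMAC keeps the example stdlib-only)."""
    return hmac.new(key, hashlib.sha256(payload).digest(), hashlib.sha256).digest()

def verify_quorum(payload, attestations, verifier_keys, required):
    """Return True only if `required` distinct configured verifiers attested to payload."""
    if not 1 <= required <= len(verifier_keys):
        raise ValueError("threshold must be between 1 and the number of verifiers")
    valid = set()
    for name, tag in attestations.items():
        key = verifier_keys.get(name)  # attestations from unknown verifiers are ignored
        if key is not None and hmac.compare_digest(tag, attest(key, payload)):
            valid.add(name)
    return len(valid) >= required

# Constructed sample data: three hypothetical verifiers and two messages.
KEYS = {"dvn_a": b"key-a", "dvn_b": b"key-b", "dvn_c": b"key-c"}
GENUINE = b"release 10 rsETH to recipient-1"
FORGED = b"release 116500 rsETH to recipient-2"

def scenario():
    # Assumption: dvn_a is the single verifier that approves the forged message.
    forged_att = {"dvn_a": attest(KEYS["dvn_a"], FORGED)}
    genuine_att = {n: attest(k, GENUINE) for n, k in KEYS.items()}
    one_of_one = {"dvn_a": KEYS["dvn_a"]}
    return {
        "forged_1of1": verify_quorum(FORGED, forged_att, one_of_one, 1),
        "forged_2of3": verify_quorum(FORGED, forged_att, KEYS, 2),
        "genuine_2of3": verify_quorum(GENUINE, genuine_att, KEYS, 2),
        # Approvals for one message do not carry over to a different payload.
        "replayed_2of3": verify_quorum(FORGED, genuine_att, KEYS, 2),
    }

if __name__ == "__main__":
    print(scenario())
```

With a threshold of 2, the same single approval that satisfies the 1-of-1 configuration is rejected, while the genuinely attested message still passes.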

Kelp DAO, LayerZero, and Aave: The Three Protocols at the Centre of the Hack

The hack moved through three protocols in sequence: a token issuer, a bridge, and a lending market. Here is the role each one played.

  • Kelp DAO, the token issuer: Kelp's core promise is that every rsETH in circulation is backed by real ETH. Once the bridge released unbacked tokens, 116,500 rsETH existed with no collateral behind them. The protocol's fundamental guarantee broke at scale.

  • LayerZero, the bridge infrastructure: LayerZero's core protocol was not broken. The attack exploited Kelp's deployment configuration on top of it. LayerZero has since announced it will stop signing messages for any application still running a 1-of-1 DVN, and is mandating migration to multi-verifier setups, an acknowledgment that the default configuration carried more risk than users understood.

  • Aave V3, the lending market: Aave accepted rsETH as collateral based on its on-chain price data, liquidity depth, and track record, all of which appeared legitimate. The attacker deposited the freshly minted, unbacked rsETH into Aave V3, borrowed approximately $196 million in wrapped ETH, and exited. Aave's Guardian froze rsETH markets approximately 77 minutes after the initial drain — enough time for the borrowing to complete. WETH, which represents 39.49% of all Aave loans, was the primary asset borrowed against the stolen collateral, meaning the bad debt landed at the protocol's core, not its periphery.

Secondary protocols caught in the freeze: SparkLend, Fluid, Compound V3, Euler, Lido's earnETH vault, and Curve Finance's LayerZero bridge function were all paused within hours. 

For users in those markets, funds became inaccessible while each protocol assessed its rsETH exposure.

Aave TVL Drops $9.8 Billion in Three Days After rsETH Hack

| Date | Aave TVL | Change |
|---|---|---|
| Apr 18 (pre-hack) | $26.40B | |
| Apr 19 | $21.97B | -$4.43B |
| Apr 20 | $17.95B | -$4.02B |
| Apr 21 | $16.59B | -$1.35B |
| Total | | -$9.81B (-37.2%) |

A 37.2% TVL decline in three days is not a market correction; it is a confidence event. Depositors exited not because Aave's code failed, but because the collateral framework it relied on had a gap nobody had publicly stress-tested.

How Aave Proposal 434 Amplified the Kelp DAO Hack Damage

Three months before the hack, in January 2026, an internal Aave governance proposal quietly made the damage larger than it needed to be.

Aave governance works like a shareholder vote — holders of the AAVE token collectively approve or reject changes to how the protocol operates. Anyone can propose a change. AAVE holders vote. The majority wins.

Proposal 434, put forward by the Aave Chan Initiative (ACI), an eight-person governance team led by Marc Zeller, increased rsETH's loan-to-value ratio in E-Mode from 92.5% to 93%.

  • Loan-to-value ratio: How much a borrower can take out relative to their collateral. A 93% LTV means for every $100 of rsETH deposited, a borrower can take $93 in loans

  • Why ACI proposed it: To stay competitive with similar tokens and attract more borrowing volume, since each cycle of borrowing generates interest fees for the DAO

  • What it skipped: A specific risk assessment of rsETH's bridge infrastructure. At the time, SparkLend and Fluid maintained LTVs of 72–75% for comparable assets

  • The consequence: When rsETH's value collapsed after the hack, a 93% LTV left almost no safety buffer for liquidation. The collateral evaporated before Aave could recover the loans

Notably, ACI founder Marc Zeller announced his team will wind down operations over the next four months following a separate governance dispute, meaning the team that introduced the rsETH configuration at 93% LTV will not be around to manage its aftermath.

Can Aave's Umbrella Safety Module and DAO Treasury Cover the $200M Bad Debt?

As covered in Aave vs. Compound: The Protocol That Learned to Reinvest Won, Aave's reinvestment model and diversified revenue streams give it more capacity to absorb shocks than most lending protocols. 

That structural advantage matters here.

The numbers:

  • Bad debt range: $123.7M to $230.1M across seven affected markets, depending on how Kelp socialises losses

  • Umbrella safety module: Aave's built-in insurance mechanism held approximately $50 million, enough to cover roughly a quarter of the total bad debt

  • Shortfall: $127M to $150M remains, to be absorbed by non-depositing WETH suppliers through a haircut process

  • DAO treasury: $181M as of April 20, including $62M in ETH-correlated assets, $54M in AAVE tokens, and $52M in stablecoins. Technically enough to cover the gap

  • Governance vote: Not yet held. AAVE token holders will decide how costs exceeding $200M are allocated. Several ecosystem participants have signalled informal commitments, but nothing is confirmed

As noted in Top 3 Protocol Earnings Distribution March 2026, protocol revenue health means little if the collateral frameworks underpinning it are not stress-tested against infrastructure-level failures. 

The treasury exists. The vote has not happened.

LayerZero vs Kelp DAO: Who Is Responsible for the $292M Bridge Hack?

LayerZero and Kelp DAO are publicly disputing responsibility.

LayerZero's position:

  • Risky configuration choice: Kelp chose to deploy a 1-of-1 verifier configuration for a token with over $1 billion in deposited value

  • Prior warnings issued: Best practices around using multiple verifiers had been communicated to partners ahead of the hack

  • No backup check: A single-verifier setup left no independent review to catch a forged message before funds moved

Kelp DAO's position:

  • Followed published defaults: The 1-of-1 configuration followed LayerZero's own documented defaults and public code

  • LayerZero-operated node: The compromised verifier was run by LayerZero Labs itself — making the infrastructure provider the direct point of failure

  • Systemic vulnerability: Security researchers note LayerZero's own quickstart guides and default code promote single-source verification, suggesting the flaw was ecosystem-wide, not an outlier choice by Kelp

SlowMist co-founder Yu Xian confirmed the 1-of-1 DVN configuration through independent analysis. Whether a published default that both parties used constitutes negligence on one or both sides is a legal question with no clean answer yet.

Is Lazarus Group Behind the Kelp DAO Hack? The TraderTraitor Attribution

LayerZero has attributed the attack to North Korea's Lazarus Group, also known by the FBI codename TraderTraitor, the same state-backed unit attributed to the $1.5 billion Bybit hack in February 2025. No independent blockchain forensics firm has publicly confirmed the attribution for this specific attack.

The claim originates from LayerZero.

On-chain evidence flagged by Cyvers and investigator ZachXBT (wallet funding via Tornado Cash and rapid conversion of hundreds of millions of dollars to ETH across Ethereum and Arbitrum) is consistent with previous Lazarus operations but not independently confirmed as the same group.

The Kelp exploit is the second major DeFi attack linked to Lazarus in April 2026. On April 1, the group allegedly drained $285 million from Drift Protocol through a six-month social engineering campaign. Combined, both April attacks total over $575 million, executed through completely different methods, suggesting a state-level operation with broad technical capability.

Why the Kelp DAO Hack Could Not Happen on Bitcoin

Bitcoin does not run smart contracts. It has no restaking ecosystem, no cross-chain bridge to LayerZero, and no lending market accepting liquid restaking tokens as collateral. The attack chain that worked here (forge a bridge message, mint unbacked collateral, borrow real assets) cannot be constructed on Bitcoin because the components do not exist.

After the hack, ETH fell 3–4%. AAVE dropped 10–16%. Bitcoin absorbs broader sentiment pressure but carries a structurally simpler attack surface. Fewer moving parts means fewer points of failure.

Kelp DAO Hack Aftermath: What Comes Next for Aave, LayerZero, and DeFi

The fallout from April 18, 2026 is still unfolding, with each protocol at the centre of the event facing a different open question.

  • Kelp DAO: Contracts remain paused. rsETH holders across multiple chains are waiting for clarity about the backing ratio and any recovery plan. No timeline has been confirmed

  • LayerZero: Multi-verifier DVN configurations are now being enforced across high-value deployments. Approximately 40% of LayerZero protocols reportedly ran the same 1-of-1 setup at the time of the hack — the remediation scope is industry-wide

  • Aave: The governance vote on covering the remaining $127M–$150M shortfall has not happened. The DAO treasury has the funds. Whether token holders approve deployment is the open question

DeFi broadly: According to industry estimates, bridge exploits now account for more than half of all value lost in DeFi historically. The combined $577 million extracted from Drift and Kelp in April alone underscores the scale of the current attack wave. 

Proof of reserve verification, multi-verifier requirements, and withdrawal rate limits are no longer optional for protocols managing over $1 billion in deposited value. After April 18, 2026, they are the minimum bar.
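How two of the controls named above, proof of reserve and a release rate limit, can be enforced before a bridge releases tokens, shown as an added example rather than code from any of the protocols discussed. The `ReleaseGuard` class, the one-hour window, the 5,000-token cap and the supply and backing figures are all constructed assumptions; only the 116,500 amount comes from the article.

```python
from collections import deque

class ReleaseGuard:
    """Destination-side checks applied before a bridge mints or releases tokens."""

    def __init__(self, window_s: int, max_per_window: float):
        self.window_s = window_s
        self.max_per_window = max_per_window
        self._recent = deque()  # (timestamp, amount) of accepted releases

    def _released_in_window(self, now: float) -> float:
        # Drop entries that have aged out of the sliding window.
        while self._recent and self._recent[0][0] <= now - self.window_s:
            self._recent.popleft()
        return sum(amount for _, amount in self._recent)

    def check(self, now, amount, supply, attested_backing):
        if amount <= 0:
            return False, "invalid amount"
        # Proof of reserve: supply after this release must not exceed backing.
        if supply + amount > attested_backing:
            return False, "exceeds attested backing"
        # Rate limit: cap the total released inside the sliding window.
        if self._released_in_window(now) + amount > self.max_per_window:
            return False, "rate limit exceeded"
        self._recent.append((now, amount))
        return True, "ok"

def demo():
    # Constructed figures: hourly cap of 5,000 tokens, 660,000 tokens of
    # independently attested backing, 647,000 tokens already in circulation.
    guard = ReleaseGuard(window_s=3600, max_per_window=5_000)
    backing, supply = 660_000, 647_000
    requests = [(0, 2_000), (600, 116_500), (1200, 2_000), (1800, 2_000), (4000, 2_000)]
    reasons = []
    for now, amount in requests:
        ok, reason = guard.check(now, amount, supply, backing)
        if ok:
            supply += amount
        reasons.append(reason)
    return reasons

if __name__ == "__main__":
    print(demo())
```

Either check alone stops a 116,500-token release in this model: it exceeds the attested backing, and it exceeds the hourly cap even when the backing figure is not the limiting factor.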

Conclusion

The Kelp DAO hack was not a failure of cryptography or code; it was a failure of configuration. One forged message through one verifier was enough to mint $292 million in unbacked collateral, trigger $9.8 billion in Aave withdrawals, and freeze nine protocols across the DeFi ecosystem.

The post-mortem is already producing its own answers. LayerZero is retiring 1-of-1 verifier setups across the network. Aave governance is weighing how to close a $127M–$150M shortfall that, technically, it has the treasury to cover. Kelp is still counting what is left. What April 18 made clear is that bridge configuration is no longer a back-office engineering choice; it is a lending-market risk factor, priced directly into every token it touches.

For anyone allocating to DeFi, the question is no longer whether a protocol's smart contracts are secure. It is whether the infrastructure holding up its collateral is.

Article ASCII review made by defillama ai on the numbers and narrative | Source Defillama 21 April 2026

Frequently Asked Questions

What was the core cause of the Kelp DAO rsETH hack on April 18, 2026?

The hack was caused by a configuration failure in Kelp DAO’s LayerZero bridge, which used a 1-of-1 Decentralized Verifier Network setup. An attacker forged a message that passed this single verifier, leading the bridge to release 116,500 unbacked rsETH without any ETH collateral.

How did the attacker turn unbacked rsETH into real losses on Aave V3?

After minting 116,500 unbacked rsETH via the forged bridge message, the attacker deposited this rsETH into Aave V3 as collateral, borrowed approximately $196 million in wrapped ETH, and exited before Aave’s Guardian froze rsETH markets about 77 minutes after the initial drain.

Why did Aave’s Proposal 434 make the impact of the hack worse?

Proposal 434, introduced by the Aave Chan Initiative, increased rsETH’s E-Mode loan-to-value ratio from 92.5% to 93% without a specific risk assessment of rsETH’s bridge infrastructure. When rsETH’s value collapsed, the 93% LTV left almost no safety buffer, so the collateral evaporated before Aave could liquidate and recover the loans.

Can Aave fully cover the bad debt created by the Kelp DAO hack?

The hack left an estimated $123.7M to $230.1M in bad debt across seven markets. Aave’s umbrella safety module holds about $50M, leaving a $127M to $150M shortfall to be absorbed by non-depositing WETH suppliers through haircuts. Aave’s DAO treasury holds about $181M, technically enough to cover the remaining gap, but a governance vote on using these funds has not yet been held.

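Disclaimer

The information provided in this article is for informational purposes only. It should not be considered financial advice and does not constitute financial advice. We make no warranties as to the completeness, reliability, or accuracy of this information. All investments carry risk, and past performance does not guarantee future results. We recommend consulting a financial advisor before making investment decisions.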
