News 
Coin Information 
About us 
Customer Service 
The decentralized finance sector was rocked on April 18, 2026, when an unknown attacker exploited a critical vulnerability in KelpDAO's cross-chain bridge, draining 116,500 rsETH tokens in what has become the largest DeFi exploit of the year. The breach, valued at approximately $292 million, has sent shockwaves through the crypto ecosystem, putting both KelpDAO and lending giant Aave at serious financial risk.
The attacker took advantage of a flaw in KelpDAO's LayerZero-powered bridge infrastructure, forging fraudulent cross-chain messages that allowed rsETH to be released without the corresponding token burns required to back them. The unbacked tokens were then deposited as collateral on Aave V3, where the hacker borrowed significant volumes of Wrapped Ether. Since the collateral is essentially worthless, these positions cannot be liquidated, leaving Aave carrying over $236 million in bad debt.
Aave responded swiftly, freezing rsETH markets across both its V3 and V4 platforms within hours of discovering the attack. Aave founder Stani Kulechov publicly clarified that the vulnerability originated outside of Aave's own smart contracts, distancing the protocol from direct responsibility.
Tron founder Justin Sun, who held substantial exposure on Aave, moved quickly to protect his assets, withdrawing approximately 65,584 ETH worth around $154 million and redepositing into Spark. Sun then took to social media, directly appealing to the hacker to negotiate a return of the stolen funds, warning that allowing the situation to escalate could bring down both platforms entirely.
Interoperability protocol Axelar also weighed in, urging the broader DeFi industry to adopt stronger bridge security standards, specifically highlighting the dangers of single-validator bridge configurations like the one used by KelpDAO.
The incident surpasses April's $285 million Drift Protocol hack, cementing its place as 2026's most damaging DeFi security breach and renewing urgent calls for improved cross-chain security across the industry.
Comment 0