On Saturday at 17:35 UTC, an attacker called the lzReceive function on LayerZero’s EndpointV2 contract and forged a cross-chain message. Kelp DAO’s bridge believed it. It released 116,500 rsETH, roughly $292 million, about 18% of the token’s entire circulating supply, to an attacker-controlled address.
Forty-six minutes later Kelp’s emergency multisig froze the contracts. Two follow-up attempts at 18:26 and 18:28 UTC, each trying to drain another 40,000 rsETH worth around $100 million, both reverted because the contracts were paused. If they had not been, the total loss would have approached $391 million.
The attacker then deposited the stolen rsETH as collateral on Aave V3 and borrowed over $236 million in wrapped ETH against it. Because the rsETH was no longer backed by anything, that debt cannot be liquidated through normal mechanisms. Aave is now carrying bad debt it did not create. The AAVE token dropped 10% on the news. Aave, SparkLend, Fluid, and Upshift all froze rsETH markets. Ethena paused its LayerZero bridges as a precaution even though it had no rsETH exposure.
This is the largest DeFi exploit of 2026, overtaking the $285 million Drift Protocol hack from April 1 by a few million dollars. Two of the three biggest DeFi hacks in history happened in the same month.
The part nobody is writing about is what was sitting in the Aave governance forum since January 2025.
The Warning
Kelp DAO’s cross-chain architecture used LayerZero’s OFT standard with a 1/1 DVN configuration. DVN stands for Decentralized Verifier Network, the system of validators that confirm cross-chain messages are legitimate before a bridge acts on them.
A 1/1 configuration means a single validator signature is enough to approve a cross-chain message. LayerZero allows this configuration. It is also the weakest security level the protocol permits.
In January 2025, fifteen months before Saturday’s exploit, a developer posted on the Aave governance forum warning Kelp explicitly about this. The post flagged that the single DVN configuration created a single point of failure, that one compromised or forged validator signature was all an attacker needed to trick the bridge into releasing funds. The post recommended Kelp extend to multiple DVN verifications.
Kelp never added the second validator.
The attacker on Saturday did not discover a new vulnerability. They used the exact weakness that had been documented, publicly, in a governance forum that Kelp’s team monitors, fifteen months before the exploit occurred.
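Why the verifier threshold matters, as an added example that is not Kelp's or LayerZero's code: a toy X-of-N check in which a message is accepted only when enough distinct configured verifiers attest to the same payload. The verifier names, keys and the HMAC stand-in for a signature are constructed assumptions.

```python
# Added illustration: toy X-of-N message verification.
# Verifier names, keys and the HMAC "signature" are constructed stand-ins,
# not LayerZero's DVN implementation.
import hashlib
import hmac

def attest(key: bytes, payload: bytes) -> bytes:
    """One verifier's attestation over the payload hash."""
    digest = hashlib.sha256(payload).digest()
    return hmac.new(key, digest, hashlib.sha256).digest()

def accepted(payload, attestations, verifier_keys, threshold):
    """Accept only if `threshold` distinct configured verifiers attest to this payload."""
    valid = set()
    for name, sig in attestations.items():
        key = verifier_keys.get(name)  # attestations from unknown verifiers are ignored
        if key is not None and hmac.compare_digest(sig, attest(key, payload)):
            valid.add(name)
    return len(valid) >= threshold

def unbacked_message_passes(verifier_keys, threshold, compromised):
    """Does a message with no real source-chain transfer pass, given which verifiers have failed?"""
    payload = b"constructed message: release rsETH, no matching burn"
    atts = {name: attest(verifier_keys[name], payload) for name in compromised}
    return accepted(payload, atts, verifier_keys, threshold)

KEYS = {"dvn-a": b"key-a", "dvn-b": b"key-b", "dvn-c": b"key-c"}  # constructed

def audit():
    """Compare configurations when exactly one verifier (dvn-a) is compromised."""
    one = {"dvn-a": KEYS["dvn-a"]}
    two = {n: KEYS[n] for n in ("dvn-a", "dvn-b")}
    return {
        "1-of-1": unbacked_message_passes(one, 1, ["dvn-a"]),
        "2-of-2": unbacked_message_passes(two, 2, ["dvn-a"]),
        "2-of-3": unbacked_message_passes(KEYS, 2, ["dvn-a"]),
    }

if __name__ == "__main__":
    for config, passed in audit().items():
        print(config, "accepts unbacked message:", passed)
```

With one verifier compromised, only the 1-of-1 configuration accepts the unbacked message; every higher threshold requires a second, independent failure.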
How the Attack Actually Worked
Kelp’s bridge architecture is a hub-and-spoke system. The Ethereum mainnet holds the master reserve of rsETH through an OFTAdapter contract. The 20-plus layer 2 deployments on Base, Arbitrum, Linea, Blast, Mantle, Scroll and others each hold OFT contracts that represent claims on that mainnet reserve.
When rsETH moves from mainnet to L2, the Adapter locks tokens on mainnet and the L2 contract mints the equivalent. When moving back, the L2 burns tokens and the Adapter releases the equivalent on mainnet. The entire ledger of who owns what across all 20 chains is maintained by LayerZero’s message layer.
The attacker forged a message telling the mainnet OFTAdapter that a valid cross-chain transfer had arrived. With only one validator required to approve the message, the forgery passed. The Adapter released 116,500 rsETH to an attacker-controlled address. No real cross-chain transfer had occurred. No rsETH was burned on any L2. The attacker simply created tokens out of nothing by convincing a single validator that the message was real.
The rsETH backing wrapped versions on 20 other chains was now gone. Holders on those chains discovered their tokens had no reserve underneath them.
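The lock/mint ledger described above implies an invariant a monitor can check: tokens locked in the mainnet Adapter must never fall below the supply minted on the L2s, and every release must be covered by an earlier burn. The following is an added example, not Kelp's code; the event format and all amounts except the 116,500 rsETH figure are constructed.

```python
# Added illustration: reconcile a hub-and-spoke lock/mint ledger.
from collections import defaultdict

# (seq, chain, kind, amount): constructed sample events, not on-chain data.
EVENTS = [
    (1, "ethereum", "lock", 500_000),
    (2, "arbitrum", "mint", 300_000),
    (3, "base", "mint", 200_000),
    (4, "base", "burn", 50_000),
    (5, "ethereum", "release", 50_000),    # covered by the burn at seq 4
    (6, "ethereum", "release", 116_500),   # no burn on any L2 precedes it
]

def reconcile(events):
    """Replay events in order; return (alerts, locked, per-chain L2 supply)."""
    locked = 0                   # rsETH held by the mainnet Adapter
    supply = defaultdict(int)    # rsETH minted on each L2
    burned_unreleased = 0        # L2 burns not yet paid out on mainnet
    alerts = []
    for seq, chain, kind, amount in sorted(events):
        if kind == "lock":
            locked += amount
        elif kind == "mint":
            supply[chain] += amount
        elif kind == "burn":
            supply[chain] -= amount
            burned_unreleased += amount
        elif kind == "release":
            if amount > burned_unreleased:
                alerts.append((seq, f"release of {amount} not covered by burns "
                                    f"(only {burned_unreleased} burned)"))
            burned_unreleased = max(0, burned_unreleased - amount)
            locked -= amount
        total = sum(supply.values())
        if locked < total:
            alerts.append((seq, f"reserve shortfall: locked {locked} < L2 supply {total}"))
    return alerts, locked, dict(supply)

if __name__ == "__main__":
    alerts, locked, supply = reconcile(EVENTS)
    for seq, message in alerts:
        print(f"seq {seq}: {message}")
```

Both alerts fire on the same event, which is the point at which a pause would need to trigger to stop follow-up releases.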
What Composability Looks Like When It Fails
DeFi’s core design principle is composability. Tokens from one protocol can be used as collateral on another, which can be used as inputs to a third. This is efficient when everything works. When one piece fails, the failure propagates instantly.
rsETH was whitelisted as collateral on Aave V3 and V4 because it represented a growing share of Ethereum’s locked value and offered attractive yield on top of standard staking rewards. The integration made sense on paper. Kelp had over $1 billion in ETH locked. The token had real backing.
The attacker understood this. The theft was only the first half of the operation. The second half was depositing the stolen rsETH on Aave immediately after the drain, borrowing $236 million in wrapped ETH against worthless collateral, and collecting the borrowed assets before anyone could freeze the markets.
By the time Aave’s multisig guardian froze rsETH markets, the attacker had already consolidated around 74,000 ETH. The bad debt was already written into Aave’s lending pools.
There was no circuit breaker. There was no committee vote. There was no grace period. The composability that makes DeFi efficient was weaponized in real time because a bridge was running on the weakest security configuration its infrastructure allowed, fifteen months after being told not to.
The Pattern
The Drift hack in April was a six-month North Korean intelligence operation that exploited durable nonces, a legitimate Solana feature, to pre-sign administrative transfers. The fake Ledger app on Apple’s App Store sat live for seven days draining $9.5 million because Apple’s review process passed it. The Kelp hack exploited a known single-validator weakness that had been flagged publicly fifteen months earlier.
None of these are zero-day exploits. None of them discovered something previously unknown about the underlying infrastructure. All three exploited the gap between what a system claimed to do and what it actually did in practice.
Kelp’s bridge claimed to secure $1 billion in assets. It was running on the minimum viable security configuration while that claim was being made.
The attacker wallet was funded through Tornado Cash ten hours before the exploit. The operation was planned. The vulnerability was known. The warning had been sitting in a governance forum since January 2025.
Kelp DAO is now investigating with LayerZero, Unichain, its auditors, and outside security specialists. It has not disclosed how the exploit bypassed the bridge’s validation logic, which is a strange thing to withhold given that the answer appears to be documented in a public governance forum from fifteen months ago.