
KelpDAO Exploit: How DeFi’s Greatest Strength Became Its Contagion Risk

The KelpDAO incident began with a false bridge message—and became a wider DeFi credit event because the compromised asset was trusted by other protocols.


The KelpDAO exploit began with a false bridge message. LayerZero provides cross-chain messaging infrastructure, which DeFi projects use to pass instructions between blockchains and facilitate cross-chain transactions. In this case, attackers manipulated the off-chain verification systems used by LayerZero to make it appear that KelpDAO’s restaked ETH token, rsETH, had been burned on the source chain. That false verification caused the Ethereum-side bridge to release 116,500 rsETH that should have remained locked.


The failure was amplified by KelpDAO’s bridge configuration. The route only required one verifier to approve the cross-chain message, so once that verifier accepted the false signal, the destination-chain bridge treated the message as valid. From there, the attacker used much of the released rsETH as collateral on Aave to borrow real assets, turning a bridge exploit into a wider DeFi credit event.




1. The Initial Infection: A Bridge Message That Should Not Have Been Trusted

The KelpDAO exploit did not begin with a typical smart-contract bug. It began with a false cross-chain message. LayerZero provides messaging infrastructure that allows DeFi applications to pass instructions between blockchains. In this case, that infrastructure was being used to facilitate the movement of KelpDAO’s rsETH, a tokenized claim on restaked ETH, between chains. LayerZero’s documentation describes the protocol as cross-chain messaging infrastructure where applications configure how messages are verified before the destination chain acts on them.


In a normal bridge flow, the accounting should stay balanced. If rsETH is released on Ethereum, there should be a corresponding burn, lock, or supply reduction on the source chain. The bridge should only release assets on the destination chain after verifying that the source-chain event actually occurred. That verification step is the trust boundary. In the KelpDAO incident, that boundary failed: Ethereum accepted a message saying rsETH had been burned on Unichain, even though there was no matching source-chain burn behind it.


Aave’s incident report places the exploit on April 18, 2026, at 17:35 UTC, at Ethereum block 24,908,285, through Kelp’s LayerZero V2 Unichain-to-Ethereum rsETH route. The Ethereum-side bridge adapter released 116,500 rsETH to the attacker. On Etherscan, the transaction appears as a successful transfer from the KernelDAO/Kelp bridge to the labeled Kelp DAO Exploiter 13 address, interacting with LayerZero EndpointV2.


That is what makes this incident important for investigators. The destination-chain transaction looked structurally normal: a message was verified, delivered, and executed. The problem was that the message was based on a source-chain event that had not actually happened. Chainalysis summarized the incident as a sophisticated attack on off-chain infrastructure rather than a smart-contract hack. In other words, the bridge did what it was instructed to do; the failure was that the instruction itself was false.
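The balance check described in this section can be written as a reconciliation of destination-chain releases against source-chain burns. The sketch below is an added example, not code from KelpDAO, LayerZero, or any of the cited reports; the event fields and message identifiers are hypothetical, and the sample records are constructed (only the 116,500 amount comes from the article). It assumes the burn records are read from the source chain through a data path independent of the verifier's.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class BridgeEvent:
    kind: str        # "burn" (source chain) or "release" (destination chain)
    message_id: str  # identifier shared by both legs (hypothetical field)
    amount: Decimal

def reconcile(events):
    """Return (message_id, reason, unbacked_amount) for every suspect release."""
    burned = {}
    for e in events:
        if e.kind == "burn":
            burned[e.message_id] = burned.get(e.message_id, Decimal(0)) + e.amount
    findings, released = [], set()
    for e in events:
        if e.kind != "release":
            continue
        backing = burned.get(e.message_id)
        if e.message_id in released:
            findings.append((e.message_id, "duplicate release", e.amount))
        elif backing is None:
            findings.append((e.message_id, "release without source burn", e.amount))
        elif e.amount > backing:
            findings.append((e.message_id, "release exceeds burn", e.amount - backing))
        released.add(e.message_id)
    return findings

def unbacked_total(events):
    """Total amount released on the destination chain with no backing burn."""
    return sum((amount for _, _, amount in reconcile(events)), Decimal(0))

# Constructed sample: one balanced transfer, one release with no burn behind it,
# and one release larger than its burn.
SAMPLE = [
    BridgeEvent("burn", "msg-001", Decimal("10")),
    BridgeEvent("release", "msg-001", Decimal("10")),
    BridgeEvent("release", "msg-002", Decimal("116500")),
    BridgeEvent("burn", "msg-003", Decimal("5")),
    BridgeEvent("release", "msg-003", Decimal("7")),
]
```

A monitor of this kind only adds assurance if it does not share the verifier's view of the source chain; otherwise it inherits the same false signal.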




2. The Weak Immune System: Why One Verifier Was Enough

The exploit became catastrophic because KelpDAO’s rsETH route only required one verifier to approve the cross-chain message. In LayerZero terminology, these verifiers are called DVNs, or Decentralized Verifier Networks. A DVN’s job is to help confirm that a message being delivered to the destination chain is legitimate. Put more simply: before Ethereum releases assets, some verification system has to say, “Yes, this source-chain event really happened.”


LayerZero’s architecture can support stronger configurations by requiring multiple independent verifiers. If one verifier is wrong, compromised, or fed bad data, the message should not pass unless the required verification threshold is still met. LayerZero’s documentation describes an X-of-Y-of-N verification model, where applications can configure which verifier networks must approve a message and how many total approvals are needed before execution.


KelpDAO’s rsETH route did not use that broader quorum. Aave’s incident report says the Unichain-to-Ethereum route was configured as a 1-of-1 DVN with no optional verifiers. That meant one verifier attestation was enough. LayerZero’s own incident statement ties the incident to KelpDAO’s single-DVN setup, while also stating that LayerZero’s protocol itself was not exploited and that the attack targeted downstream RPC infrastructure used by the LayerZero Labs DVN.


This is where the technical lesson becomes clear. The bridge did not fail only because one system was tricked. It failed because one tricked system had enough authority to trigger the release. The exploit was not just a bad message; it was a bad message accepted by a weak trust configuration.
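To make the difference between a 1-of-1 route and a broader quorum concrete, the following added example models a verifier policy as a set of required verifiers plus a threshold over an optional pool, and computes how many false attestations are needed before a message executes. It is a simplified model written for this article, not LayerZero's API or KelpDAO's configuration; the class, field names, and verifier names are hypothetical.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class RouteConfig:
    """Simplified verifier policy for one bridge route (field names are hypothetical)."""
    required: frozenset                 # every one of these must attest
    optional: frozenset = frozenset()   # pool for the extra quorum
    optional_threshold: int = 0         # how many of the optional pool must attest

def is_verified(cfg, attesting):
    """True if the attesting verifiers satisfy the route's policy."""
    attesting = set(attesting)
    return (cfg.required <= attesting
            and len(cfg.optional & attesting) >= cfg.optional_threshold)

def min_false_attestations(cfg):
    """Fewest verifiers that must accept a false message for it to execute.

    Brute force over subsets, so the answer follows from is_verified itself
    rather than from a formula. Returns None if no subset satisfies the policy.
    """
    verifiers = sorted(cfg.required | cfg.optional)
    for k in range(len(verifiers) + 1):
        if any(is_verified(cfg, s) for s in combinations(verifiers, k)):
            return k
    return None

def audit(cfg):
    """Return a list of findings for a route configuration."""
    k = min_false_attestations(cfg)
    if k is None:
        return ["policy can never be satisfied: messages will never execute"]
    if k == 0:
        return ["no attestation required: any message executes"]
    if k == 1:
        return ["single point of failure: one false attestation releases funds"]
    return []

# Constructed configurations; verifier names are placeholders.
ONE_OF_ONE = RouteConfig(required=frozenset({"dvn-a"}))
HARDENED = RouteConfig(required=frozenset({"dvn-a", "dvn-b"}),
                       optional=frozenset({"dvn-c", "dvn-d", "dvn-e"}),
                       optional_threshold=2)
```

The count is only meaningful when the verifiers are independent: verifiers that read the source chain through the same infrastructure can be fed the same false data and fail together.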




3. The First Spread: From Bridge Drain to Aave Collateral

After the bridge released the 116,500 rsETH, the attacker did not simply dump all of it into the market. That would have created slippage, attracted immediate attention, and limited how much value could be extracted. Instead, the attacker used much of the released rsETH as collateral in lending markets. This is where the incident began to spread beyond KelpDAO.


According to Aave’s incident report, 89,567 rsETH from the exploited funds was deposited into Aave positions. Against that collateral, the attacker borrowed approximately 82,650 WETH and 821 wstETH across Ethereum and Arbitrum positions. Galaxy’s analysis makes the key point: the cashout path was collateral-based. The attacker converted improperly released rsETH into borrowable assets by relying on the fact that Aave treated rsETH as valid collateral.


This distinction is important for investigators. The stolen asset itself was not the only object of value. The attacker used the stolen asset to create credit. Once Aave accepted the rsETH as collateral, the attacker could extract cleaner, more liquid assets from the lending market. In practical terms, the bridge exploit became a balance-sheet problem for a separate protocol.


This is DeFi composability working in reverse. Normally, composability is the selling point: assets can move, protocols can interoperate, and users can stack financial products without permission. But when a compromised asset is accepted as collateral, the same openness becomes a transmission mechanism. A protocol does not need to be the original exploit target to become exposed. It only needs to trust the asset that came out of the exploit.




4. The Contagion Event: Aave Was Not Hacked, But It Was Exposed

Aave was not the original exploit target. Its bridge did not release the rsETH, and its contracts were not the point of initial compromise. That does not mean Aave was unaffected. Aave became exposed because it accepted rsETH as collateral, and the attacker used that collateral to borrow real assets. This is the central second-order effect of the KelpDAO incident: a bridge verification failure became a DeFi credit event.


Aave’s incident report emphasized that its smart contracts, supply logic, repayment logic, and liquidation mechanics continued to operate as designed. That is precisely why the incident is so instructive. Aave did not need to malfunction for risk to enter the system. The upstream asset had to appear valid, and the lending market had to treat it as valid collateral. Once that happened, the protocol could behave exactly as designed and still inherit a loss from somewhere else.


The defensive response reflected that reality. Aave froze rsETH and wrsETH markets and took additional actions to limit stress across related markets. Glassnode described the aftermath as the largest confidence-driven liquidity event in Aave’s operational history, reporting that Aave V3 Ethereum Core available liquidity contracted from $9.77 billion to $5.75 billion within 29 hours, while WETH available liquidity on Ethereum Core collapsed from $689 million to $1.5 million in roughly two hours.


This is where the incident became contagion rather than just exploitation. Here, “contagion” does not mean that LayerZero’s entire protocol or every LayerZero-connected asset failed. LayerZero’s public statement argues the opposite: that the incident was isolated to KelpDAO’s rsETH configuration. In this article, contagion refers to the downstream credit, liquidity, and governance effects that spread once a compromised asset was trusted by other protocols.


The phrase “Aave was not hacked” is true, but incomplete. A more precise framing is: Aave was not the exploit point, but it was part of the blast radius. That is the risk profile of composable DeFi.




5. The Accountability Problem: Who Owns Risk in a Composable System?

The KelpDAO exploit creates a difficult accountability problem because each layer can point to another layer. LayerZero can argue that the incident was isolated to KelpDAO’s rsETH configuration and that applications are expected to configure stronger verification thresholds. KelpDAO can argue that it relied on LayerZero-operated verification infrastructure to accurately confirm cross-chain events. Aave can argue that it was not hacked and that it accepted an asset that appeared valid on-chain. All of those positions contain some truth.


The strongest interpretation is layered responsibility. The attacker is the direct wrongdoer. The LayerZero verification path appears to have produced the false verification that allowed the Ethereum-side bridge to release rsETH. KelpDAO’s single-verifier configuration made that bad verification sufficient. Aave and other downstream protocols did not cause the bridge failure, but they inherited the risk because they accepted the compromised asset as collateral. Read together, the public reports point to a shared risk graph rather than a single isolated failure.


This is why the legal and operational questions are more complicated than the technical root cause. If a verifier’s role is to determine whether a cross-chain event actually occurred, and it confirms an event that never happened, then the verifier failed at the function downstream contracts depended on. But if the application configured that verifier as the only required check for a high-value bridge route, then the application also accepted a single point of failure. The dispute is not just about who made the wrong move; it is about who owned the risk of that move.


The second- and third-order effects are even harder to assign. LayerZero did not list rsETH on Aave. KelpDAO did not force Aave to accept rsETH as collateral. Aave did not cause the bridge to release unbacked rsETH. Yet the loss traveled across all of them because DeFi products are designed to interoperate. That is the uncomfortable lesson: composability makes protocols more useful in normal conditions, but it also makes risk portable during failures.


For this article, the strongest conclusion is not “LayerZero is liable,” “KelpDAO is liable,” or “Aave is liable.” The stronger and more defensible conclusion is this: in composable DeFi, responsibility is layered, but risk is shared.




6. The Investigator’s Lens: Follow the Asset, Then Follow What Trusted It

For on-chain investigators, the KelpDAO exploit is a reminder that the first transaction rarely contains the full story. The exploit transaction explains how the rsETH left the bridge adapter. It does not explain why other protocols became exposed, why liquidity tightened, why emergency governance actions were needed, or why the event became a market-confidence problem. To understand that, investigators have to follow both the asset and the trust relationships around the asset.


The first layer is the exploit route: identify the source-chain claim, the destination-chain release, the bridge adapter, the verifier path, and the receiver wallet. The second layer is the credit route: determine where the released asset was deposited, what was borrowed against it, which markets accepted it, and whether the attacker used lending markets, bridges, DEX liquidity, or cross-chain transfers to extract value. The third layer is the dependency route: map every protocol that treated the compromised asset as valid collateral, liquidity, or backing.


For TRM, Qlue, or any graph-based workflow, the most useful visualization is not only a stolen-funds graph. It is a dependency graph. A clean incident graph should show the initial bridge release, the fan-out from the exploiter wallet, the Aave collateral positions, the borrowed WETH and wstETH flows, any Arbitrum-side movements, frozen or governance-controlled funds, and the protocols that changed risk parameters after the event.




The practical investigative lesson is simple: do not stop when the stolen asset moves. Ask what trusted it. In composable DeFi, the largest losses often appear downstream from the original failure, after a compromised asset is treated as collateral by systems that were not directly involved in the exploit.




On-chain Anchors

| Item | Detail |
| --- | --- |
| Exploit transaction | 0x1ae232da212c45f35c1525f851e4c41d529bf18af862d9ce9fd40bf709db4222 |
| Time | Apr. 18, 2026, 17:35:35 UTC |
| Ethereum block | 24,908,285 |
| Amount released | 116,500 rsETH |
| Interacted contract | 0x1a44076050125825900e736c501f859c50fE728c — LayerZero EndpointV2 |
| Bridge adapter | 0x85d456B2DfF1fd8245387C0BfB64Dfb700e98Ef3 — Kelp / KernelDAO bridge adapter |
| Receiver / exploiter | 0x8B1b6c9A6DB1304000412dd21Ae6A70a82d60D3b — labeled on Etherscan as Kelp DAO Exploiter 13 |


Source: Etherscan transaction page and Aave incident report.




Selected Aave Position Anchors

The following downstream positions are useful starting points for graphing the collateral route. Amounts are from Aave’s April 20 incident report and may have changed as interest accrued or as recovery actions progressed.


| Market | Address | rsETH supplied | WETH borrowed | wstETH borrowed |
| --- | --- | --- | --- | --- |
| Ethereum Core | 0x1f4c1c2e610f089d6914c4448e6f21cb0db3adef | 53,000.00 | 52,460.33 | |
| Ethereum Core | 0x8d11aeac74267dd5c56d371bf4ae1afa174c2d49 | 400.00 | 394.06 | |
| Arbitrum | 0xeba786c9517a4823a5cfd9c72e4e80bf8168129b | 12,573.80 | 12,385.93 | |
| Arbitrum | 0xcbb24a6b4dafaaa1a759a2f413ea0eb6ae1455cc | 9,299.00 | 4,309.21 | 8.13 |
| Arbitrum | 0x1b748b680373a1dd70a2319261328cab2a6f644c | 8,000.00 | 7,880.48 | |
| Arbitrum | 0xbb6a6006eb71205e977eceb19fcad1c8d631c787 | 770.00 | 758.50 | |
| Arbitrum | 0x8d11aeac74267dd5c56d371bf4ae1afa174c2d49 | 1,024.43 | 28.69 | 813.12 |
| Arbitrum | 0xe9e2f48bb0018276391aec240abb46e8c3cad181 | 4,500.00 | 4,432.77 | |
| Total | | 89,567 rsETH | 82,650 WETH | 821 wstETH |
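As a starting point for the credit route, the added example below (not part of Aave's report or the original article) aggregates the positions in the table above per market, lists addresses that appear in more than one market, and computes how much of the bridge release the listed positions do not account for. Blank wstETH cells are treated as zero, which is an assumption.

```python
from collections import defaultdict
from decimal import Decimal as D

RELEASED_RSETH = D("116500")  # bridge release, from the On-chain Anchors table

# (market, address, rsETH supplied, WETH borrowed, wstETH borrowed), from the table above;
# blank wstETH cells are entered as "0" (assumption).
POSITIONS = [
    ("Ethereum Core", "0x1f4c1c2e610f089d6914c4448e6f21cb0db3adef", "53000.00", "52460.33", "0"),
    ("Ethereum Core", "0x8d11aeac74267dd5c56d371bf4ae1afa174c2d49", "400.00", "394.06", "0"),
    ("Arbitrum", "0xeba786c9517a4823a5cfd9c72e4e80bf8168129b", "12573.80", "12385.93", "0"),
    ("Arbitrum", "0xcbb24a6b4dafaaa1a759a2f413ea0eb6ae1455cc", "9299.00", "4309.21", "8.13"),
    ("Arbitrum", "0x1b748b680373a1dd70a2319261328cab2a6f644c", "8000.00", "7880.48", "0"),
    ("Arbitrum", "0xbb6a6006eb71205e977eceb19fcad1c8d631c787", "770.00", "758.50", "0"),
    ("Arbitrum", "0x8d11aeac74267dd5c56d371bf4ae1afa174c2d49", "1024.43", "28.69", "813.12"),
    ("Arbitrum", "0xe9e2f48bb0018276391aec240abb46e8c3cad181", "4500.00", "4432.77", "0"),
]

def credit_route(positions):
    """Aggregate collateral supplied and assets borrowed per market."""
    totals = defaultdict(lambda: {"rsETH": D(0), "WETH": D(0), "wstETH": D(0)})
    for market, _addr, rseth, weth, wsteth in positions:
        totals[market]["rsETH"] += D(rseth)
        totals[market]["WETH"] += D(weth)
        totals[market]["wstETH"] += D(wsteth)
    return dict(totals)

def reused_addresses(positions):
    """Addresses holding positions in more than one market."""
    markets = defaultdict(set)
    for market, addr, *_ in positions:
        markets[addr].add(market)
    return {a: sorted(m) for a, m in markets.items() if len(m) > 1}

def untraced_rseth(positions, released=RELEASED_RSETH):
    """rsETH released by the bridge but not accounted for by the listed positions."""
    return released - sum(D(p[2]) for p in positions)
```

The remainder returned by `untraced_rseth` is the portion of the release that still has to be followed through other venues.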








References


  1. Aave Governance — rsETH Incident Report (April 20, 2026)
     https://governance.aave.com/t/rseth-incident-report-april-20-2026/24580

  2. Chainalysis — Inside the KelpDAO Bridge Exploit (April 23, 2026)
     https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/

  3. LayerZero — KelpDAO Incident Statement (April 19, 2026)
     https://layerzero.network/blog/kelpdao-incident-statement

  4. Galaxy Digital — KelpDAO/LayerZero Exploit Drains $290M (April 22, 2026)
     https://www.galaxy.com/insights/research/kelpdao-layerzero-exploit-defi

  5. Glassnode — Anatomy of a Liquidity Freeze (April 27, 2026)
     https://insights.glassnode.com/anatomy-of-a-liquidity-freeze/

  6. LayerZero — Protocol Architecture Documentation
     https://docs.layerzero.network/v2/concepts/layerzero-protocol-architecture

  7. LayerZero — Decentralized Verifier Networks (DVN) Overview
     https://docs.layerzero.network/v2/workers/off-chain/dvn-overview

  8. Etherscan — Transaction 0x1ae232da212c45f35c1525f851e4c41d529bf18af862d9ce9fd40bf709db4222
     https://etherscan.io/tx/0x1ae232da212c45f35c1525f851e4c41d529bf18af862d9ce9fd40bf709db4222
