Executive Summary
On 18 April 2026, an attacker exploited a misconfiguration in KelpDAO’s LayerZero OFT bridge adapter to mint 116,500 rsETH without any underlying ETH backing. The attacker immediately used the counterfeit tokens as collateral on Aave, borrowing WETH and completing the largest single‑instance DeFi extraction recorded for 2026. KelpDAO and LayerZero have pledged thorough post‑mortems, while the core restaking contracts remain intact.
What Happened
At 17:35 UTC, the attacker submitted a forged lzReceive call to LayerZero’s EndpointV2 contract (0x1a44076050125825900e736c501f859c50fE728c). The call claimed to originate from source Endpoint ID 30320, but the underlying DVN contracts – both operated by LayerZero Labs – were configured to accept only a single verifier (requiredDVNCount = 1). This one‑of‑one setup allowed the attacker to spoof any source chain and mint rsETH directly on Ethereum mainnet.
The newly minted 116,500 rsETH, representing roughly 18 % of KelpDAO’s circulating supply, was deposited within minutes as collateral on Aave. Leveraging the inflated backing, the attacker borrowed a substantial amount of WETH. No attempt was made to sell the counterfeit rsETH on decentralized exchanges; the focus remained on extracting value through borrowing.
Within an hour, the operation eclipsed all other DeFi extractions recorded for the year, establishing a new benchmark for single‑transaction attacks on restaked assets.
Background / Context
KelpDAO issues rsETH – a restaked version of ETH that gains additional yield through EigenLayer delegations. While the protocol’s core contracts continue to be fully backed by legitimate user deposits, the bridge that moves rsETH across chains relies on LayerZero’s OFT adapter. The adapter’s verifier network (DVN) validates incoming cross‑chain messages. In this instance, both the sender‑side and receiver‑side DVN contracts (0x282b3386571f7f794450d5789911a9804fa346b4 and 0x589dedbd617e0cbcb916a9223f4d1300c294236b) were set to a single validator, creating a single point of failure.
LayerZero’s protocol itself remained uncompromised; the breach originated from KelpDAO’s bridge configuration, not from any flaw in the underlying messaging layer.
Reactions
KelpDAO issued a statement acknowledging the breach and confirming that the core restaking contracts are still fully collateralized. The DAO announced that it will publish a detailed post‑mortem, outlining the exact loss figures, any compensation plans for affected users, and potential token migration strategies.
LayerZero Labs also responded, emphasizing that the vulnerability lay in KelpDAO’s adapter settings rather than in LayerZero’s core code. The team pledged to work with KelpDAO to redesign the bridge configuration, recommending a multi‑DVN approach to eliminate single‑verifier risks.
What It Means
The incident highlights the systemic risk that arises when cross‑chain bridges rely on a solitary verifier. A multi‑DVN arrangement – such as a two‑of‑three or three‑of‑five scheme – would have required an attacker to compromise multiple independent networks, dramatically raising the attack’s complexity.
For the broader DeFi ecosystem, the hack serves as a cautionary tale about the importance of rigorous bridge audits and defensive configuration defaults. Restaking protocols, which promise additional yield on top of existing assets, must ensure that the mechanisms used to move those assets across chains are as robust as the underlying staking contracts.
What Happens Next
KelpDAO and LayerZero will release post‑mortem reports in the coming weeks. These documents are expected to detail the final bad‑debt numbers, outline any user compensation mechanisms, and describe planned changes to the OFT bridge adapter, likely moving to a multi‑verifier setup.
Stakeholders anticipate that the DAO may consider a token migration to a version of rsETH with enhanced bridge security, though no timeline has been set. In the meantime, the incident is expected to prompt other protocols that depend on LayerZero bridges to review their verifier configurations.