Showing posts with label defi exploit 2026.

How 1 SMALL Signature Config Error Turned into a NIGHTMARE - and a $292 Million Loss...

When a single misconfigured signature is all it takes to create $292 million in tokens from nothing, the entire premise of trustless finance looks a lot shakier than the name suggests.

How the Attack Worked

On April 18, 2026, an attacker exploited a vulnerability in KelpDAO's cross-chain bridge - powered by LayerZero - to drain 116,500 rsETH tokens worth approximately $292 million. That's about 18% of rsETH's entire circulating supply, conjured out of a flaw that wasn't in LayerZero's protocol itself but in how Kelp had configured it.

The setup relied on a single verifier to authorize cross-chain messages. The attacker found it, exploited it, and a message went through that shouldn't have. "One signature and 116,500 rsETH materialized out of thin air on Ethereum," as researchers later described it. Those tokens were then posted as collateral to borrow real assets - mostly from Aave - and the borrowed assets were moved out before the lenders could freeze rsETH as collateral.

Lazarus Group's Fingerprints

Within three days of the breach, blockchain analytics firm Chainalysis attributed the attack to North Korea's Lazarus Group, based on mixer usage patterns and fund-dispersal methods matching the group's known operational style. The attribution is consistent with Lazarus's track record of targeting DeFi protocols - the group has been the most prolific on-chain thief for several years running.

The scale of the loss makes it the largest DeFi exploit of 2026, overtaking the Drift hack by a few million dollars. Cumulative DeFi losses this year have now crossed $770 million across more than 30 incidents - a number that's difficult to spin as a maturing industry's growing pains.

DeFi Mounts a Rescue

What followed was, depending on your perspective, either a remarkable show of coordination or a reminder that the safety net in DeFi is entirely informal.

Aave convened a coalition called "DeFi United," pulling in Lido Finance, EtherFi, and other major protocols to put forward ETH to cover the shortfall left in Aave's lending pools. On April 21, Arbitrum's Network Security Council froze 30,766 ETH - roughly $71 million - belonging to the attacker, recovering about 25% of stolen assets. Standard Chartered published a note calling the sector's response a sign of resilience. The broader crypto community was less measured, with some declaring DeFi dead outright.

What Needs to Change

CoinDesk's post-mortem published Saturday points to cross-chain bridges as DeFi's most persistent weak link - a problem the industry has been aware of since the Wormhole and Ronin bridge exploits years earlier. The pattern is consistent: bridge complexity creates attack surfaces, and the incentives to ship quickly tend to outrun the incentives to audit carefully.

The most uncomfortable part of this incident is that it wasn't a sophisticated zero-day. It was a configuration mistake. LayerZero's infrastructure worked as designed - the problem was how Kelp deployed it. That's a much harder issue to address with audits alone, because it means any protocol using shared infrastructure needs to verify not just the code but every parameter governing how cross-chain messages are trusted and validated.
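As an added illustration of what "every parameter" means in practice - this is not code from Kelp, LayerZero or any of the reports cited here - the following Python audits a decoded verifier configuration of the kind a LayerZero V2 application sets per pathway: the required verifiers, the optional verifiers and the threshold among them, plus the source-chain confirmations. The field names follow the public UlnConfig struct; the two sentinel values for requiredDVNCount are my reading of the public library source and are an assumption to confirm against the deployed version; the two configurations at the bottom are constructed. The number the audit cares about is how many verifiers an attacker has to control before a forged message is accepted.

```python
"""Audit a cross-chain verifier (DVN) configuration for single points of failure.

Added example, not Kelp's or LayerZero's code. Field names mirror the public
UlnConfig struct of LayerZero V2's ULN message library; the two sentinel values
are my reading of the public UlnBase source (assumption: confirm them against
the deployed library before trusting this audit).
"""
from dataclasses import dataclass, field

DEFAULT_COUNT = 0   # requiredDVNCount == 0: inherit the pathway default (assumed sentinel)
NIL_COUNT = 255     # requiredDVNCount == 255: explicitly no required DVNs (assumed sentinel)


@dataclass
class UlnConfig:
    confirmations: int            # source-chain block confirmations before attesting
    required_dvn_count: int
    optional_dvn_count: int
    optional_dvn_threshold: int   # how many optional DVNs must agree
    required_dvns: list = field(default_factory=list)
    optional_dvns: list = field(default_factory=list)


def collusion_threshold(cfg):
    """Fewest verifiers an attacker must control to get a forged message
    accepted: every required DVN plus the optional threshold."""
    required = 0 if cfg.required_dvn_count == NIL_COUNT else len(cfg.required_dvns)
    optional = cfg.optional_dvn_threshold if cfg.optional_dvn_count > 0 else 0
    return required + optional


def audit(cfg, min_independent=2):
    """Return human-readable findings; an empty list means no red flags."""
    if cfg.required_dvn_count == DEFAULT_COUNT:
        # A config that defers to the library default cannot be judged on its own.
        return ["required DVN set inherits the library default; resolve it before judging"]

    findings = []
    required = [a.lower() for a in cfg.required_dvns]
    optional = [a.lower() for a in cfg.optional_dvns]

    if cfg.required_dvn_count != NIL_COUNT and cfg.required_dvn_count != len(required):
        findings.append("requiredDVNCount does not match the requiredDVNs list")
    if cfg.optional_dvn_count != len(optional):
        findings.append("optionalDVNCount does not match the optionalDVNs list")
    if cfg.optional_dvn_threshold > cfg.optional_dvn_count:
        findings.append("optionalDVNThreshold exceeds optionalDVNCount: no message can verify")
    if cfg.optional_dvn_count > 0 and cfg.optional_dvn_threshold == 0:
        findings.append("optional DVNs configured with threshold 0: they add no security")
    if len(set(required)) != len(required) or len(set(optional)) != len(optional):
        findings.append("duplicate DVN address within a list")
    if set(required) & set(optional):
        findings.append("same DVN listed as both required and optional: counted twice")
    if cfg.confirmations == 0:
        findings.append("zero source-chain confirmations: attests before reorg safety")

    needed = collusion_threshold(cfg)
    total = len(set(required) | set(optional))
    if needed == 0:
        findings.append("no verifier required at all: any message passes")
    elif needed < min_independent:
        findings.append(f"{needed}-of-{total} verifier setup: compromising "
                        f"{needed} verifier(s) forges any message")
    return findings


# Constructed configurations; the addresses are made up.
WEAK = UlnConfig(confirmations=15, required_dvn_count=1, optional_dvn_count=0,
                 optional_dvn_threshold=0, required_dvns=["0x" + "a1" * 20])
HARDENED = UlnConfig(confirmations=15, required_dvn_count=2, optional_dvn_count=3,
                     optional_dvn_threshold=1,
                     required_dvns=["0x" + "a1" * 20, "0x" + "b2" * 20],
                     optional_dvns=["0x" + "c3" * 20, "0x" + "d4" * 20, "0x" + "e5" * 20])

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "needs", collusion_threshold(cfg), "compromised verifier(s):",
              audit(cfg) or "no findings")
```

Against a live deployment you would feed it the decoded result of the endpoint's getConfig call for the application, its receive library and each source chain, and you would also resolve the default configuration for any pathway that inherits it, because a default that is itself 1-of-1 is no better than an explicit one. The count says nothing about operator independence: two verifier addresses run by the same operator, or reading from the same RPC provider, still collapse to one.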

KelpDAO and Aave are still working through recovery. Lazarus Group, meanwhile, has an estimated $292 million in assets to launder. Some things in crypto move faster than others.

---------------

Author: Ryan Gardner
Silicon Valley News Desk

Wasabi Protocol Drained of $5 Million After Admin Key Compromise Spans Four Chains

Another day, another DeFi protocol drained. Wasabi Protocol, a perpetuals trading platform operating across Ethereum, Base, Berachain, and Blast, lost between $4.5 million and $5.5 million on April 30 after an attacker compromised the deployer admin key and used it to systematically empty vault contracts across all four chains.

The attack was fast and methodical. Once the attacker had the admin key, they called grantRole on Wasabi's permission contract to give themselves full admin privileges with zero delay - no timelock, no waiting period. From there, according to The Block, they upgraded the protocol's perp vaults and Long Pool to malicious implementations that simply drained the balances.

What Got Hit

On Ethereum, the affected contracts included Wasabi's wWETH, sUSDC, wBITCON, wPEPE, and Long Pool vaults. On Base, the attack hit sUSDC, wWETH, sBTC, sVIRTUAL, sAERO, and sBRETT vaults. Berachain and Blast exposure added to the total loss.

Security firm Blockaid flagged the exploit as it was happening, which at least gave some users time to react - but the nature of an admin key compromise means there's very little the protocol itself can do once that key is in hostile hands. The attacker controlled the upgrade mechanism. They rewrote the contracts.

The Security Failure Is Embarrassingly Basic

This one stings because it's so preventable. The root cause wasn't a novel zero-day, a complex re-entrancy bug, or a subtle edge case in a cryptographic primitive. It was a single externally-owned account holding full ADMIN_ROLE in Wasabi's PerpManager with no multisig requirement, no timelock, and no governance process protecting that access.

That's table-stakes security for any protocol managing real user funds. Requiring multiple keys to sign a privileged action means one leaked key is no longer enough, and a 24- or 48-hour delay before an upgrade takes effect means a malicious upgrade sits visibly in a queue before it can drain anything. Either would have changed the outcome here; the timelock alone would have given users and security researchers time to notice the queued transaction and respond before it executed.
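The sequence described above - grantRole from the compromised key, then an upgrade from the newly privileged account - is visible in the event stream and can be flagged as it happens. The following Python is an added detection example, not Wasabi's or Blockaid's code: it consumes already-decoded events in the shape a hypothetical indexer might emit for OpenZeppelin AccessControl's RoleGranted and ERC-1967's Upgraded, and alerts on any upgrade that was not executed by a trusted executor such as the timelock, escalating to critical when the sender was handed an admin role less than a day of blocks earlier. All addresses and events are constructed.

```python
"""Flag privilege escalation followed by an untimelocked proxy upgrade.

Added detection example, not Wasabi's or Blockaid's code. It works on
already-decoded events in the shape a hypothetical indexer might emit for
OpenZeppelin AccessControl (RoleGranted) and ERC-1967 proxies (Upgraded).
"""

# Constructed addresses; nothing here is taken from a real chain.
DEPLOYER = "0x" + "01" * 20      # EOA that held ADMIN_ROLE outright
ATTACKER = "0x" + "ba" * 20      # fresh account the stolen key promotes
TIMELOCK = "0x" + "71" * 20      # the executor a safe deployment would use
PERP_MANAGER = "0x" + "aa" * 20
VAULT_WETH = "0x" + "e1" * 20
VAULT_USDC = "0x" + "e2" * 20
VAULT_PEPE = "0x" + "e3" * 20

# Constructed events, ordered by (block, log index within the block).
EVENTS = [
    # benign: an upgrade executed through the timelock a day earlier
    {"block": 92800, "idx": 0, "contract": VAULT_PEPE, "event": "Upgraded",
     "implementation": "0x" + "11" * 20, "sender": TIMELOCK},
    # the compromised deployer key grants ADMIN_ROLE to a fresh account ...
    {"block": 100000, "idx": 0, "contract": PERP_MANAGER, "event": "RoleGranted",
     "role": "ADMIN_ROLE", "account": ATTACKER, "sender": DEPLOYER},
    # ... which immediately swaps two vault implementations
    {"block": 100000, "idx": 1, "contract": VAULT_WETH, "event": "Upgraded",
     "implementation": "0x" + "ee" * 20, "sender": ATTACKER},
    {"block": 100001, "idx": 0, "contract": VAULT_USDC, "event": "Upgraded",
     "implementation": "0x" + "ee" * 20, "sender": ATTACKER},
]

BLOCKS_PER_DAY = 7200  # roughly 12-second blocks on Ethereum mainnet


def detect(events, trusted_executors, min_delay_blocks=BLOCKS_PER_DAY):
    """Return alerts for upgrades not executed by a trusted executor.

    An upgrade whose sender received an admin role fewer than
    min_delay_blocks earlier is the grant-then-upgrade pattern with no
    timelock in between, and is rated critical.
    """
    trusted = {a.lower() for a in trusted_executors}
    first_grant = {}   # account -> the RoleGranted event that gave it admin
    alerts = []
    for ev in sorted(events, key=lambda e: (e["block"], e["idx"])):
        if ev["event"] == "RoleGranted":
            first_grant.setdefault(ev["account"].lower(), ev)
            continue
        if ev["event"] != "Upgraded":
            continue
        sender = ev["sender"].lower()
        if sender in trusted:
            continue  # went through the timelock / multisig path
        alert = {"contract": ev["contract"], "sender": sender, "block": ev["block"],
                 "severity": "high",
                 "reason": "upgrade executed by an account that is not a trusted executor"}
        grant = first_grant.get(sender)
        if grant is not None and ev["block"] - grant["block"] < min_delay_blocks:
            alert["severity"] = "critical"
            alert["reason"] = (
                f"admin role granted at block {grant['block']} by {grant['sender']}, "
                f"upgrade {ev['block'] - grant['block']} block(s) later: no timelock delay"
            )
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, {TIMELOCK}):
        print(alert["severity"], alert["contract"], alert["reason"])
```

Two caveats worth stating. By the time Upgraded is emitted the implementation has already changed, so without a timelock this alert can only speed up a pause; it cannot prevent the drain. With a timelock in front of the admin role, the thing to watch is the scheduling event (OpenZeppelin's TimelockController emits CallScheduled), which is where the delay buys the response window the post describes. And an account whose admin grant predates the events you are replaying is rated high rather than critical, so seed first_grant from historical logs before running this over a live stream.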

Wasabi isn't the first protocol to skip these protections and pay for it. It won't be the last. But the regularity with which centralized admin keys get compromised in DeFi - and the regularity with which the post-mortem reveals no multisig or timelock was ever in place - is genuinely hard to explain at this point in the industry's development.

Context: The Worst Month on Record

The Wasabi exploit landed at the tail end of April 2026, which closed as the worst month for crypto hacks since tracking began. DeFiLlama confirmed 30 separate incidents in April with total losses above $625 million - roughly one attack per day. Two incidents dominated: the Drift Protocol social-engineering theft (approximately $285 million) and the KelpDAO LayerZero bridge exploit ($292 million), both attributed by researchers to North Korea's Lazarus Group.

Wasabi's $5 million loss looks modest next to those numbers, but it's a useful reminder that the attack surface isn't limited to massive bridge contracts and well-funded protocols. Smaller perpetuals platforms with real user deposits and a single unprotected admin key are just as vulnerable - and the economic incentive to target them is real.

What Users Should Know

Wasabi Protocol paused the affected vaults and has posted about the incident on social channels. Users with open positions or deposits in the affected contracts should verify their status directly through official Wasabi channels and be skeptical of any recovery offers that arrive via DM - the fake refund scam that follows exploits is almost as reliable as the exploits themselves.

The broader lesson from April 2026 is one the industry keeps relearning: it doesn't matter how good the trading interface is, how competitive the fees are, or how much TVL a protocol has accumulated. If the admin key can drain everything in one transaction with no guardrails, eventually someone will get that key. Build accordingly.

---------------

Author: Alan Ward
Seattle News Desk

North Korean Hackers on a Crypto STEALING SPREE in 2026

How North Korea Stole $292 Million From DeFi's Plumbing

DeFi had a rough week - and when I say rough, I mean "almost-existential-crisis" rough. On April 18, attackers later identified as North Korea's Lazarus Group exploited Kelp DAO's cross-chain bridge to drain 116,500 rsETH, worth approximately $292 million. Within 48 hours, the shockwave had erased more than $13 billion in total value locked across decentralized finance.

It is the largest DeFi exploit of 2026, and it exposed a vulnerability that the industry has been warned about for years.

What Actually Happened

The root of the exploit was embarrassingly simple in concept, even if technically sophisticated in execution. Kelp DAO's bridge relied on LayerZero for cross-chain messaging - but it was configured with a 1-of-1 verifier, meaning a single node was responsible for validating all cross-chain messages before funds could move.

Lazarus did not need to crack the verifier directly. Instead, the group compromised two remote procedure call (RPC) nodes that fed source-chain data to that verifier. With those nodes under their control, they injected fake cross-chain messages through LayerZero, and the bridge minted rsETH on Ethereum that had never been locked on the source side. According to CoinDesk, the stolen rsETH spread across more than 20 blockchain networks, making rapid containment nearly impossible.

The 1-of-1 setup is the critical failure point. A multi-validator configuration would have required the attacker to compromise multiple independent nodes simultaneously - a dramatically harder lift. Instead, a single point of failure collapsed under a well-funded nation-state hacking operation.
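The RPC side of this is the part a verifier operator can fix on their own. As an added example - not LayerZero's code and not any verifier operator's - here is a verifier that refuses to attest to a transaction unless a strict majority of independent RPC endpoints return the same receipt. The receipts are constructed to resemble eth_getTransactionReceipt results, with two of five "operators" returning a forged log whose amount field reads 116,500 in place of 1, mirroring the two poisoned nodes described above.

```python
"""Require independent RPC endpoints to agree before a verifier attests.

Added example, not LayerZero's or any verifier operator's code. The receipts
are constructed to resemble eth_getTransactionReceipt results; a real verifier
would fetch them from endpoints run by different operators.
"""
from collections import Counter


class QuorumError(Exception):
    """Raised when the endpoints do not agree strongly enough to attest."""


def fingerprint(receipt):
    """Reduce a receipt to the fields a verifier actually attests to, so that
    provider-specific extras (gas accounting, hex formatting) cannot break
    agreement while a changed log still does."""
    logs = tuple(
        (log["address"].lower(), tuple(t.lower() for t in log["topics"]), log["data"].lower())
        for log in receipt["logs"]
    )
    return (receipt["blockHash"].lower(), receipt["transactionHash"].lower(),
            int(receipt["status"], 16), logs)


def quorum_receipt(responses, threshold):
    """responses: endpoint name -> receipt dict, or None on error/timeout.

    Returns (agreed fingerprint, list of dissenting endpoints). Dissenters are
    a detection signal in their own right: a poisoned node shows up here long
    before it manages to poison a majority."""
    if threshold <= len(responses) // 2:
        raise ValueError("threshold must be a strict majority of the endpoints queried")
    counts = Counter(fingerprint(r) for r in responses.values() if r is not None)
    if not counts:
        raise QuorumError("no endpoint answered")
    agreed, votes = counts.most_common(1)[0]
    if votes < threshold:
        raise QuorumError(f"only {votes}/{len(responses)} endpoints agree; refusing to attest")
    dissenters = [ep for ep, r in responses.items() if r is None or fingerprint(r) != agreed]
    return agreed, dissenters


def _receipt(amount_hex):
    """Constructed receipt with one transfer-style log carrying an amount."""
    return {
        "blockHash": "0x" + "ab" * 32,
        "transactionHash": "0x" + "cd" * 32,
        "status": "0x1",
        "logs": [{"address": "0x" + "b1" * 20,
                  "topics": ["0x" + "01" * 32],
                  "data": "0x" + amount_hex.rjust(64, "0")}],
    }


HONEST = _receipt("1")          # what the source chain actually recorded
FORGED = _receipt("1c714")      # 0x1c714 == 116500: the poisoned nodes' version

# Five independent operators, two of them compromised.
RESPONSES = {"op-a": HONEST, "op-b": FORGED, "op-c": HONEST, "op-d": FORGED, "op-e": HONEST}

if __name__ == "__main__":
    agreed, dissenters = quorum_receipt(RESPONSES, threshold=3)
    print("3-of-5 attests to amount", agreed[3][0][2][-5:], "dissenters:", dissenters)
    # A verifier that trusts a single endpoint attests to whatever it is fed.
    agreed, _ = quorum_receipt({"op-b": FORGED}, threshold=1)
    print("1-of-1 attests to amount", agreed[3][0][2][-5:])
```

The majority rule only helps if the majority is honest and independent: five endpoints that all proxy the same upstream provider, or that all run in the same cloud account, are one endpoint for this purpose, which is the same lesson the 1-of-1 verifier configuration teaches one layer up.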

The Fallout: A Near-Death Experience for DeFi

Because rsETH served as collateral across protocols on multiple layer 2 networks, the damage did not stay contained to Kelp DAO. Aave, SparkLend, and Fluid moved quickly to freeze the asset, but not before the broader market reacted. Aave alone saw $8.45 billion in deposits exit over 48 hours.

The sector's total value locked dropped more than $13 billion in two days. Crypto.news reported that April 2026 is now the worst month for crypto hacks since the $1.4 billion Bybit breach in February 2025, with over $606 million lost across 18 days.

In a coordinated response, Aave founder Stani Kulechov joined forces with Lido Finance and EtherFi to propose covering the shortfall using ether reserves - an unusual display of cross-protocol cooperation that may have prevented a wider bad-debt cascade.

LayerZero has formally attributed the attack to TraderTraitor, the Lazarus sub-group responsible for some of the most lucrative crypto heists of recent years, including the Ronin Bridge exploit in 2022 and the Bybit exchange hack in February 2025.

What This Means for Bridge Security

If the Kelp DAO exploit proves anything, it's that crypto bridges remain the industry's most dangerous attack surface. Nearly every major bridge hack in recent memory has exploited the same basic problem: a cross-chain message that was trusted when it should not have been.

The fix is not complicated in theory. Multi-validator setups, decentralized RPC node networks, and independent security audits of bridge infrastructure would all raise the bar considerably. The challenge is that cutting corners on infrastructure often gets rationalized as a "move fast" decision - until a nation-state with unlimited patience decides to take advantage.

DeFi's recovery from this hack looks manageable. Aave's safety module held, protocols coordinated quickly, and no major platform appears to have collapsed. But the sector absorbed a $13 billion shock in 48 hours. The next bridge that runs a 1-of-1 verifier might not be so lucky.

---------------

Author: Ryan Gardner
Silicon Valley News Desk