Showing posts with label lazarus group crypto. Show all posts

How 1 SMALL Signature Config Error Turned into a NIGHTMARE - and a $292 Million Loss...

When a single misconfigured signature is all it takes to create $292 million in tokens from nothing, the entire premise of trustless finance looks a lot shakier than the name suggests.

How the Attack Worked

On April 18, 2026, an attacker exploited a vulnerability in KelpDAO's cross-chain bridge - powered by LayerZero - to drain 116,500 rsETH tokens worth approximately $292 million. That's about 18% of rsETH's entire circulating supply, conjured out of a flaw that wasn't in LayerZero's protocol itself but in how Kelp had configured it.

Kelp's configuration relied on a single verifier to authorize cross-chain messages. The attacker found that point, satisfied it with a single signature, and a message went through that should never have been delivered. "One signature and 116,500 rsETH materialized out of thin air on Ethereum," as researchers later described it. Those tokens were then posted as collateral to borrow real assets - mostly from Aave - and the borrowed assets were moved out before the protocol could pause.

Lazarus Group's Fingerprints

Within three days of the breach, blockchain analytics firm Chainalysis attributed the attack to North Korea's Lazarus Group, based on mixer usage and fund-dispersal patterns matching the group's known tradecraft. The attribution is consistent with Lazarus's record of targeting DeFi protocols; the group has been the most prolific on-chain thief for several years running.

The scale of the loss makes it the largest DeFi exploit of 2026, overtaking the Drift hack by a few million dollars. Cumulative DeFi losses this year have now crossed $770 million across more than 30 incidents - a number that's difficult to spin as a maturing industry's growing pains.

DeFi Mounts a Rescue

What followed was, depending on your perspective, either a remarkable show of coordination or a reminder that the safety net in DeFi is entirely informal.

Aave convened a coalition called "DeFi United," pulling in Lido Finance, EtherFi, and other major protocols to put forward ETH to cover the shortfall left in Aave's lending pools. On April 21, Arbitrum's Network Security Council froze 30,766 ETH - roughly $71 million - belonging to the attacker, recovering about 25% of stolen assets. Standard Chartered published a note calling the sector's response a sign of resilience. The broader crypto community was less measured, with some declaring DeFi dead outright.

What Needs to Change

CoinDesk's post-mortem published Saturday points to cross-chain bridges as DeFi's most persistent weak link - a problem the industry has been aware of since the Wormhole and Ronin bridge exploits years earlier. The pattern is consistent: bridge complexity creates attack surfaces, and the incentives to ship quickly tend to outrun the incentives to audit carefully.

The most uncomfortable part of this incident is that it wasn't a sophisticated zero-day. It was a configuration mistake. LayerZero's infrastructure worked as designed - the problem was how Kelp deployed it. That is a much harder issue to address with audits alone, because it means any protocol built on shared infrastructure has to verify not just the code but every parameter governing how cross-chain messages are trusted and validated: which verifiers are required, how many of them must agree, and what they are trusted to attest to.

KelpDAO and Aave are still working through recovery. Lazarus Group, meanwhile, still holds most of the roughly $292 million in proceeds - everything except the ETH frozen on Arbitrum - and now has to launder it. Some things in crypto move faster than others.

---------------

Author: Ryan Gardner
Silicon Valley News Desk

North Korean Hackers on a Crypto STEALING SPREE in 2026

How North Korea Stole $292 Million From DeFi's Plumbing

DeFi had a rough week - and when I say rough, I mean "almost-existential-crisis" rough. On April 18, attackers later identified as North Korea's Lazarus Group exploited Kelp DAO's cross-chain bridge to drain 116,500 rsETH, worth approximately $292 million. Within 48 hours, the shockwave had erased more than $13 billion in total value locked across decentralized finance.

It is the largest DeFi exploit of 2026, and it exposed a vulnerability that the industry has been warned about for years.

What Actually Happened

The root of the exploit was embarrassingly simple in concept, even if technically sophisticated in execution. Kelp DAO's bridge relied on LayerZero for cross-chain messaging - but it was configured with a 1-of-1 verifier, meaning a single node was responsible for validating all cross-chain messages before funds could move.

Lazarus did not need to crack the verifier directly. Instead, the group compromised two remote procedure call (RPC) nodes that fed the verifier its view of the source chain. With those nodes under their control, they could show the verifier cross-chain messages that had never actually been sent; it attested to them, LayerZero delivered them, and the bridge released rsETH it never should have touched. According to CoinDesk, the stolen rsETH was spread across more than 20 blockchain networks, making rapid containment nearly impossible.

The 1-of-1 setup is the critical failure point. A multi-verifier configuration would have required the attacker to compromise several independent verifiers - each with its own view of the source chain - at the same time, a dramatically harder lift. Instead, a single point of failure collapsed under a well-funded nation-state operation.
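Both articles come down to the same two parameters: how many verifiers must vouch for a message before it is delivered, and what those verifiers read from. The following toy model is an added example, not code from Kelp DAO, LayerZero, CoinDesk or either article. It mirrors the shape of LayerZero V2's ULN configuration (a set of required verifiers that must all attest, plus an optional set of which a threshold must attest), but every endpoint id, nonce, payload, RPC node and verifier name in it is constructed for illustration, and the verifier logic is a simplification rather than the real DVN implementation. It replays the attack chain described above: two compromised RPC nodes feed a verifier a forged message, and a 1-of-1 configuration accepts it; the same forged message is rejected once delivery requires a second, independently fed verifier, even though one verifier is still fooled.

```python
from dataclasses import dataclass
from hashlib import sha256

# Added toy model of a LayerZero-style verification path. Endpoint id, nonce,
# payloads, RPC nodes and verifier names below are constructed for illustration
# and are not taken from Kelp DAO, LayerZero or either article.

SRC_EID = 30101  # constructed source-chain endpoint id
NONCE = 7        # constructed packet nonce


def message_id(src_eid: int, nonce: int, payload: str) -> str:
    """What a verifier attests to: a hash over (source chain, nonce, payload)."""
    return sha256(f"{src_eid}:{nonce}:{payload}".encode()).hexdigest()


@dataclass
class RpcNode:
    name: str
    events: dict  # nonce -> payload this node *claims* the source chain emitted


@dataclass
class Verifier:
    """One verifier (DVN): reads the source chain through RPC nodes, then attests."""
    name: str
    rpcs: list
    quorum: int = 1  # RPC nodes that must agree before this verifier attests

    def attest(self, src_eid: int, nonce: int):
        votes: dict = {}
        for rpc in self.rpcs:
            payload = rpc.events.get(nonce)
            if payload is not None:
                votes.setdefault(payload, []).append(rpc.name)
        ranked = sorted(votes.items(), key=lambda kv: len(kv[1]), reverse=True)
        if not ranked or len(ranked[0][1]) < self.quorum:
            return None  # too little agreement among RPC nodes: refuse to attest
        if len(ranked) > 1 and len(ranked[1][1]) == len(ranked[0][1]):
            return None  # RPC nodes split evenly: refuse to attest
        return message_id(src_eid, nonce, ranked[0][0])


@dataclass
class UlnConfig:
    """Same shape as LayerZero V2's ULN config: every required verifier must
    attest, and at least `threshold` of the optional verifiers must attest."""
    required: list
    optional: list
    threshold: int = 0


def independent_verifiers_needed(cfg: UlnConfig) -> int:
    """Distinct verifiers an attacker must control to forge a message, with the
    sanity checks a configuration review should run."""
    if cfg.threshold > len(set(cfg.optional)):
        raise ValueError("optional threshold exceeds number of optional verifiers")
    if not cfg.required and cfg.threshold == 0:
        raise ValueError("configuration accepts messages vouched for by nobody")
    return len(set(cfg.required)) + cfg.threshold  # duplicate entries counted once


def verify(cfg: UlnConfig, dvns: dict, src_eid: int, nonce: int, claimed_id: str) -> bool:
    """Destination-side check: does the configured verifier set vouch for claimed_id?"""
    attestations = {n: dvns[n].attest(src_eid, nonce)
                    for n in set(cfg.required) | set(cfg.optional)}
    if any(attestations[n] != claimed_id for n in cfg.required):
        return False
    agreeing = sum(attestations[n] == claimed_id for n in set(cfg.optional))
    return agreeing >= cfg.threshold


# --- constructed scenario: two RPC nodes lie about nonce 7, three tell the truth ---
HONEST = "mint 10 rsETH to alice"
FORGED = "mint 116500 rsETH to attacker"
HONEST_ID = message_id(SRC_EID, NONCE, HONEST)
FORGED_ID = message_id(SRC_EID, NONCE, FORGED)

rpc_a = RpcNode("rpc_a (compromised)", {NONCE: FORGED})
rpc_b = RpcNode("rpc_b (compromised)", {NONCE: FORGED})
rpc_c = RpcNode("rpc_c", {NONCE: HONEST})
rpc_d = RpcNode("rpc_d", {NONCE: HONEST})
rpc_e = RpcNode("rpc_e", {NONCE: HONEST})

DVNS = {
    "solo": Verifier("solo", [rpc_a, rpc_b], quorum=1),         # fed only by the liars
    "dvn1": Verifier("dvn1", [rpc_a, rpc_b, rpc_c], quorum=2),  # 2 of 3 lie: still fooled
    "dvn2": Verifier("dvn2", [rpc_d, rpc_e], quorum=2),
    "dvn3": Verifier("dvn3", [rpc_c, rpc_e], quorum=2),
}

WEAK = UlnConfig(required=["solo"], optional=[], threshold=0)               # 1-of-1
HARDENED = UlnConfig(required=["dvn2"], optional=["dvn1", "dvn3"], threshold=1)

if __name__ == "__main__":
    for label, cfg in (("1-of-1", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {independent_verifiers_needed(cfg)} verifier(s) to compromise; "
              f"forged accepted={verify(cfg, DVNS, SRC_EID, NONCE, FORGED_ID)}, "
              f"honest accepted={verify(cfg, DVNS, SRC_EID, NONCE, HONEST_ID)}")
```

Running the block prints, for each configuration, how many verifiers an attacker must compromise and whether the forged and honest messages are accepted. Under the 1-of-1 configuration the forged mint is delivered; under the hardened one it is rejected because the required verifier reads the source chain through RPC nodes the attacker does not control, and the honest message still goes through even though one optional verifier attests to the lie. The `independent_verifiers_needed` check is the kind of parameter review the first article calls for: it refuses configurations that deliver messages vouched for by nobody and counts a verifier listed twice only once.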

The Fallout: A Near-Death Experience for DeFi

Because rsETH served as collateral across protocols on multiple layer 2 networks, the damage did not stay contained to Kelp DAO. Aave, SparkLend, and Fluid moved quickly to freeze the asset, but not before the broader market reacted. Aave alone saw $8.45 billion in deposits exit over 48 hours.

The sector's total value locked dropped more than $13 billion in two days. Crypto.news reported that April 2026 is now the worst month for crypto hacks since the $1.4 billion Bybit breach in February 2025, with over $606 million lost across 18 days.

In a coordinated response, Aave founder Stani Kulechov joined forces with Lido Finance and EtherFi to propose covering the shortfall using ether reserves - an unusual display of cross-protocol cooperation that may have prevented a wider bad-debt cascade.

LayerZero has formally attributed the attack to TraderTraitor, the Lazarus sub-group responsible for some of the most lucrative crypto heists of recent years, including the Ronin Bridge exploit in 2022 and the Bybit exchange hack in February 2025.

What This Means for Bridge Security

If the Kelp DAO exploit proves anything, it's that crypto bridges remain the industry's most dangerous attack surface. Many of the largest protocol hacks in recent memory have exploited the same basic problem: a cross-chain message that was trusted when it should not have been.

The fix is not complicated in theory. Requiring several independent verifiers to agree before a message is delivered, having each verifier read the source chain through RPC nodes run by unrelated operators, and auditing how a bridge is configured rather than only the contracts it calls would all raise the bar considerably. The challenge is that cutting corners on infrastructure often gets rationalized as a "move fast" decision - until a nation-state with unlimited patience decides to take advantage.

DeFi's recovery from this hack looks manageable. Aave's safety module held, protocols coordinated quickly, and no major platform appears to have collapsed. But the sector absorbed a $13 billion shock in 48 hours. The next bridge that runs a 1-of-1 verifier might not be so lucky.

---------------

Author: Ryan Gardner
Silicon Valley News Desk