Kelp DAO Hack — April 19, 2026 Post-Mortem (Aggregated)
The Incident
On April 19, 2026, a hacker drained roughly $293 million from Kelp DAO, marking the largest decentralized finance (DeFi) exploit of 2026. The attacker exploited Kelp DAO's LayerZero-powered bridge to drain 116,500 rsETH, about $292 million and roughly 18 percent of the token's circulating supply.
How the Attack Occurred
At 17:35 UTC on Sunday, an attacker targeted LayerZero, the messaging system that connects blockchains. Having funded a wallet through Tornado Cash about 10 hours prior, the attacker tricked LayerZero's EndpointV2 contract into believing a legitimate instruction had arrived from another network. This forged message prompted the Kelp bridge to release 116,500 rsETH directly to the attacker.
The Core Technical Issue
A "1/1 configuration" means only a single validator must sign off on a cross-chain message for the bridge to act on it, leaving the system with no second check to catch a compromised or forged instruction. A multi-validator configuration ensures there is no single point of failure that can approve a forged message on its own.
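The check below is an added example, not code from LayerZero, Kelp DAO or the sources aggregated here. It is a defender-side audit that computes, for each bridge pathway, how few distinct verifiers need to be compromised before a message is accepted, and flags 1/1-style setups, including ones that only look redundant. The config model, field names, pathway names and verifier labels are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class VerifierConfig:
    # Hypothetical model of one bridge pathway; not LayerZero's actual config schema.
    pathway: str
    required: list                      # verifiers that must ALL attest
    optional: list = field(default_factory=list)
    optional_threshold: int = 0         # how many optional verifiers must also attest

def min_verifiers_to_forge(cfg):
    """Fewest distinct verifiers that must be compromised for a message to pass."""
    required, optional = set(cfg.required), set(cfg.optional)
    # A verifier listed as both required and optional adds no independence:
    # its single attestation counts toward both checks.
    overlap = len(required & optional)
    return len(required) + max(0, cfg.optional_threshold - overlap)

def audit(configs, minimum=2):
    """Return (pathway, reason) for every config below the independence minimum."""
    findings = []
    for cfg in configs:
        n = min_verifiers_to_forge(cfg)
        if n < minimum:
            findings.append(
                (cfg.pathway, f"compromising {n} verifier(s) is enough to approve a message"))
    return findings

# Constructed sample data; pathway and verifier names are placeholders.
SAMPLE_CONFIGS = [
    VerifierConfig("eth->l2-a", required=["dvn-a"]),                    # the 1/1 case
    VerifierConfig("eth->l2-b", required=["dvn-a", "dvn-b"]),           # 2-of-2
    VerifierConfig("eth->l2-c", required=["dvn-a"],
                   optional=["dvn-a", "dvn-b"], optional_threshold=1),  # looks like 2, is 1
    VerifierConfig("eth->l2-d", required=["dvn-a"],
                   optional=["dvn-b", "dvn-c"], optional_threshold=1),  # 1 required + 1-of-2
]

if __name__ == "__main__":
    for pathway, reason in audit(SAMPLE_CONFIGS):
        print(f"FLAG {pathway}: {reason}")
```

The third sample pathway shows why counting list entries is not enough: the same verifier satisfies both the required and the optional check, so the effective configuration is still 1/1.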
The Blame Dispute
A key point of contention emerged in the post-mortem analysis:
• LayerZero's post-mortem said KelpDAO chose a 1-of-1 DVN (Decentralized Verifier Network) setup despite recommendations to configure multi-DVN redundancy.
• However, LayerZero's own quickstart guide and default GitHub configuration point to a 1/1 DVN setup, with 40% of protocols on LayerZero currently using the same configuration.
Ripple Effects
Because the bridge held reserves backing rsETH on more than 20 networks, the loss raised doubts about the backing of rsETH on layer 2s and sparked a wave of market freezes by protocols including Aave, SparkLend and Fluid.