A sophisticated cross-chain attack against DeFi protocol KelpDAO has led to the theft of approximately $290 million in rsETH tokens, making it one of the largest liquid restaking exploits to date. The incident, detected on 18 April 2026, disrupted major lending protocols including Aave, Compound and Euler and has raised renewed concerns about the security of cross-chain infrastructure and RPC (Remote Procedure Call) layers in decentralized finance.
What Are KelpDAO and rsETH, and Why This Exploit Matters
KelpDAO is a DeFi protocol focused on liquid restaking on Ethereum. Users deposit ETH, which is then restaked through underlying services, and in return receive a derivative token called rsETH. This token represents a claim on the restaked assets and can be used as collateral, deployed in yield farming strategies, or bridged across networks via cross-chain messaging frameworks such as LayerZero.
According to on-chain analytics, attackers withdrew roughly 116,500 rsETH, valued at about $292–293 million. This represents around 18% of the circulating rsETH supply (approximately 630,000 tokens, based on CoinGecko data). Because rsETH is deployed across more than 20 networks — including Base, Arbitrum, Mantle and Scroll — the compromise affects not only KelpDAO but also a broad ecosystem of DeFi applications integrated with liquid restaking tokens.
How the rsETH Cross-Chain Attack Unfolded
Compromising DVN Verification and RPC Nodes
The core of the exploit targeted the Decentralized Verification Network (DVN) responsible for validating cross-chain messages involving rsETH. Rather than exploiting a direct vulnerability in smart contracts, the attackers focused on the infrastructure layer, specifically the RPC endpoints that the DVN relied on to read blockchain state.
Several RPC nodes were compromised or maliciously replaced, allowing the attackers to inject forged blockchain data. At the same time, a coordinated DDoS attack was launched against healthy RPC providers, degrading their availability. As a result, the DVN’s verification logic was forced to depend on “poisoned” data sources. This enabled the attackers to craft and “confirm” a fraudulent cross-chain message that the protocol treated as legitimate, authorizing the withdrawal of a large volume of rsETH without corresponding underlying assets.
Money Laundering via Tornado Cash Mixer
Following the unauthorized withdrawals, the attackers began obfuscating the trail of funds by routing stolen assets through the sanctioned privacy mixer Tornado Cash. Mixers pool funds from many users and redistribute them, making it significantly harder for blockchain analysts to link destination wallets to the original source of stolen cryptocurrency. Teams from LayerZero, Unichain, independent investigator ZachXBT and other on-chain researchers have begun tracing residual flows and potential consolidation addresses.
Attribution: Indicators Pointing Toward Lazarus and TraderTraitor
LayerZero’s preliminary assessment, based on indicators of compromise such as infrastructure patterns, wallet behavior, and specific operational techniques, suggests a likely link to the North Korea–aligned Lazarus Group, particularly its TraderTraitor sub-unit. Public blockchain forensics and UN reporting have previously connected Lazarus to major breaches such as the Ronin Network and Harmony bridge attacks, which similarly combined infrastructure compromise, advanced social engineering and multi-stage laundering strategies.
In the KelpDAO case, experts emphasize that the exploit was isolated to rsETH and its cross-chain mechanism. Other smart contracts and assets within the broader ecosystem have not been shown to be directly compromised, reinforcing the conclusion that this was a targeted strike on the verification layer rather than a systemic failure of lending protocols like Aave or Compound.
DeFi Ecosystem Response: Emergency Measures by KelpDAO, Aave, Compound and Euler
Once abnormal rsETH activity was detected on 18 April 2026, KelpDAO and its partner projects swiftly paused rsETH contracts on Ethereum mainnet and multiple L2 networks. These emergency controls aimed to contain the attack’s impact and prevent further unauthorized movements of the derivative token while investigation and remediation plans were developed.
Aave reacted by freezing rsETH markets on its V3 and V4 deployments, blocking new deposits and loans secured by rsETH. Following the announcement, the AAVE governance token reportedly fell by around 10%. Aave’s team stressed that the vulnerability lies in rsETH’s cross-chain mechanics, not in Aave’s lending contracts themselves, and indicated that potential shortfalls would be assessed and mitigation options evaluated. For KelpDAO, this marks a second serious incident in two years, after an April 2025 commission contract bug led to temporary suspension of deposits and withdrawals due to excessive rsETH minting, further intensifying scrutiny on its security practices.
Key Cybersecurity Lessons: Cross-Chain and RPC Layers as Prime Attack Surfaces
The KelpDAO rsETH hack underscores that cross-chain infrastructure and RPC layers are currently among the highest-risk components in DeFi. Even rigorously audited smart contracts cannot compensate if verification networks depend on a small number of poorly secured data providers. For protocols using liquid restaking tokens and cross-chain bridges, it is critical to implement multi-layered validation: multiple independent data providers, cryptographic proofs of state, robust anomaly detection, and DDoS-resilient infrastructure.
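The failure mode described under "Compromising DVN Verification and RPC Nodes" and the multi-provider validation recommended above, as an added Python example; it is not KelpDAO's or LayerZero's code, and the endpoint labels, operator labels, digests and the 3-operator threshold are constructed assumptions. It contrasts a majority taken among whichever providers answered with a fail-closed quorum counted per independent operator.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RpcReply:
    provider: str           # hypothetical endpoint label
    operator: str           # who runs it; independence is counted per operator
    digest: Optional[str]   # hash of the state read; None = timeout/unreachable

def naive_majority(replies):
    """Weak pattern: majority among the providers that happened to answer."""
    answered = [r.digest for r in replies if r.digest is not None]
    if not answered:
        return None
    digest, votes = Counter(answered).most_common(1)[0]
    return digest if votes * 2 > len(answered) else None

def fail_closed_quorum(replies, threshold):
    """Attest only when `threshold` distinct operators report the same digest.
    Silent providers never lower the bar, so an outage halts verification."""
    by_operator = {}
    for r in replies:
        if r.digest is None:
            continue
        # One vote per operator; an operator that contradicts itself loses it.
        if by_operator.setdefault(r.operator, r.digest) != r.digest:
            by_operator[r.operator] = None
    votes = Counter(d for d in by_operator.values() if d is not None)
    if not votes:
        return None
    digest, count = votes.most_common(1)[0]
    return digest if count >= threshold else None

def scenario(healthy_digest):
    """Constructed data: three independent operators plus two endpoints run by
    a single operator that return a forged digest."""
    return [RpcReply("rpc-a", "op-1", healthy_digest),
            RpcReply("rpc-b", "op-2", healthy_digest),
            RpcReply("rpc-c", "op-3", healthy_digest),
            RpcReply("rpc-d", "op-4", "digest-forged"),
            RpcReply("rpc-e", "op-4", "digest-forged")]

DEGRADED = scenario(None)             # healthy providers knocked offline
HEALTHY = scenario("digest-honest")   # everyone reachable

if __name__ == "__main__":
    print("naive, degraded :", naive_majority(DEGRADED))
    print("quorum, degraded:", fail_closed_quorum(DEGRADED, threshold=3))
    print("quorum, healthy :", fail_closed_quorum(HEALTHY, threshold=3))
```

With the healthy providers unreachable, the naive check accepts the forged digest while the quorum returns None, which a verifier should treat as "do not attest" and raise as an alert.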
Comprehensive security should extend beyond code audits to include infrastructure hardening, key management, monitoring and incident response. Real-world examples, from earlier bridge exploits to this latest rsETH case, show that attackers increasingly favor infrastructure compromise over on-chain vulnerabilities. For DeFi users, prudent measures include diversifying exposure across protocols and assets, limiting concentration in a single derivative token, following security advisories from integrated platforms, and periodically reassessing personal risk management strategies.
As liquid restaking and cross-chain interoperability continue to grow, the KelpDAO incident serves as a clear signal that DeFi must treat verification networks and RPC providers as critical security dependencies, investing in redundancy, transparency and continuous monitoring to reduce the likelihood and impact of the next large-scale exploit.