LayerZero-based Kelp rsETH bridge attack analysis: detailed breakdown of $292 million loss
Key Event : On April 18, 2026, at 17:35 UTC, an attacker exploited the `lzReceive` function of the LayerZero EndpointV2 contract to extract 116,500 rsETH from the Kelp DAO's rsETH cross-chain bridge, worth approximately $292 million (at current market prices), representing 18% of the circulating supply of rsETH. This was Kelp's second security incident. The bridge is based on the LayerZero OFT (Omnichain Fungible Token) mechanism, and the attack exposed a potential vulnerability in the cross-chain bridge's verification logic. (TheBlock )
This attack occurred amidst a recent wave of DeFi attacks, raising concerns about the LayerZero ecosystem and the LRT (Liquid Restaking Token) protocol. AAVE's price subsequently fell by approximately 10% due to fears of bad debt. The situation is still developing; Kelp has not yet issued an official statement, but has urgently suspended core components of the protocol. TheBlock
Attack Timeline and Technical Details
The attack path is clear: the attacker's wallet mixed coins through a 1 ETH pool on Tornado Cash approximately 10 hours prior, a common DeFi attack obfuscation technique. Subsequently, the LayerZero bridge contract was invoked, forging a cross-chain message to release rsETH to the attack address. Blockchain detective ZachXBT first reported "$280M+ stolen" on Telegram. TheBlock
| Time (UTC) | event | detail | Transaction hash |
|---|---|---|---|
| 2026-04-18 ~07:35 | Attacker's funding preparation | Mixing coins with Tornado Cash | - |
| 2026-04-18 17:35 | First successful draw | Call lzReceive to release 116,500 rsETH | Etherscan |
| 2026-04-18 18:21 | Kelp suspended emergency | pauseAll multi-signature execution covers deposit pools, withdrawal contracts, oracles, and rsETH. | Etherscan |
| 2026-04-18 18:26/18:28 | Subsequent attacks failed. | Both attempts were rolled back. | Tx1 , Tx2 |
Technical Insight : The LayerZero OFT bridge allows rsETH to be transferred between 20+ chains including Ethereum and Arbitrum, but its verification logic is bypassed, leading to a large-scale release of tokens. This reflects a common pain point of cross-chain bridges: complex multi-chain consensus verification and vulnerability to forged message attacks. rsETH is currently priced at approximately $2,500, with a circulating supply of approximately 630,000 tokens. (CoinGecko )
Agreement Response and Immediate Impact
Kelp (KernelDAO's LRT product) reacted swiftly, suspending the core contract within 46 minutes to prevent further losses. The rsETH deployment network includes Base, Arbitrum, Linea, and Blast, and the attack could potentially impact liquidity across multiple chains.
Market chain reaction :
- AAVE price dropped 10%, suspected to be due to bad debts of rsETH being exposed on lending platforms. (TheBlock Aave Price)
- The price of rsETH briefly fluctuated to $2,500, with liquidity affected by the bridge suspension.
This event exacerbated DeFi Q1 losses: $168.6 million stolen from 34 protocols in the first three months of 2026. (Cointelegraph )
Background of the recent wave of DeFi attacks
The Kelp attack is not an isolated incident; at least 12 incidents since April highlight the vulnerability of the ecosystem. The Drift Protocol attack (April 1st, $280M) was suspected to be triggered by a social engineering attack by a North Korean APT group, followed by attacks on Hyperbridge (initially $237K, later fixed to $2.5M, a multi-chain bridge vulnerability), and others. (Cointelegraph )
| Agreement/Event | date | loss | Attack type |
|---|---|---|---|
| Drift Protocol | 2026-04-01 | $280M | Social engineering + price manipulation |
| Hyperbridge | 2026-04-13 | $2.5M (Revised) | MMR proof verification vulnerability, multi-chain (ETH/Base/Arb/BNB) |
| Rhea Finance | 2026-04-17 | $7.6M | Margin trading pool manipulation |
| Silo Finance | 2026-04-03 | $392K | Oracle configuration error |
| Dango | 2026-04-13 | $410K | smart contract bug |
Trend Analysis : Bridges/oracles remain high-risk areas; cross-chain complexity amplifies risks. North Korean groups are shifting towards AI social engineering; infrastructure like LayerZero requires strengthened verification layer auditing. TradingView
Kelp History: In April 2025, a bug in the fee contract led to the over-issuance of rsETH, but no funds were lost. This incident, however, constitutes a theft and exposes a security weakness in the LRT bridge.
Risk Assessment and Implications
| Risk factors | Severity | Details and impact |
|---|---|---|
| Cross-chain bridge verification | high | LayerZero OFT is vulnerable to fake news, affecting 18% of its supply and potentially causing multi-chain contagion. |
| LRT liquidity | high | rsETH multi-chain deployment, suspension may lead to TVL outflow, AAVE and other lending bad debt risks |
| attack wave | middle | From April 12th onwards, APT groups became active, and bridges/oracles became targets. |
| Recovery uncertainty | middle | Funds were traced to a CEX; Kelp has not issued an official statement, and recovery is expected to take several months. |
Why it matters : The cumulative losses from cross-chain bridges amount to billions, serving as a warning to LayerZero ecosystem users to be cautious when transferring assets. While LRT growth is rapid (TVL is surging), bridge security lags behind, potentially shifting the narrative towards "security first."
Data limitations : This report is based on news from 2026-04-18 19:18 UTC. The situation is still evolving, and there is no official Kelp postmortem or confirmed recovery plan. Further funding tracking/audit results will affect this assessment.
Conclusions and Outlook
The Kelp rsETH bridge attack, caused by a LayerZero verification vulnerability, resulted in $292 million in losses , heightening market vigilance regarding cross-chain infrastructure and coinciding with a peak in DeFi attacks. While the protocol quickly suspended operations to limit the damage, the interconnected risks associated with protocols like AAVE highlight the vulnerabilities of the interconnected ecosystem. Investors should monitor LayerZero updates, rsETH unsustainment, and fund recovery; the TVL (Total Value Limit) of bridges may cool down in the short term, but in the long term, cryptographic proofs and frequent audits are needed to improve security.
Action recommendations :
- Short term : Avoid affected LRT bridges and pay attention to AAVE bad debt exposure.
- In the medium to long term : Prioritize auditing fully-equipped cross-chain solutions; bridges remain a "high-risk, high-return" area.
- Tracking: Kelp/KernelDAO X update, ZachXBT Telegram news.
The incident emphasizes that DeFi innovation must be matched with security investment; otherwise, similar waves will repeat themselves. (TheBlock)