$292M rsETH Hack Explained: How KelpDAO’s Risky Setup Triggered 2026’s Biggest DeFi Exploit

The crypto market was shaken after a massive exploit drained nearly $292 million worth of rsETH — a token issued by KelpDAO.

Surprisingly, no smart contracts were hacked. Instead, the attacker exploited a weak configuration in the cross-chain system powered by LayerZero.

Key Players Involved

• KelpDAO: A restaking protocol that lets users earn yield on ETH through rsETH
• LayerZero: A cross-chain bridge that moves assets between blockchains
• DVN (Decentralized Verifier Network): The system that verifies whether cross-chain messages are valid
• Aave: A major DeFi lending platform where rsETH was accepted as collateral

What Happened? (Simple Breakdown & LayerZero Statement)

The exploit didn’t involve breaking smart contracts — instead, it targeted the backend verification layer.

The attacker compromised key RPC servers used by LayerZero’s verifier network and disrupted the legitimate ones, allowing manipulated data to be processed. They then sent a fake cross-chain message claiming rsETH had been burned on another chain, triggering a release on Ethereum.

Because KelpDAO used a 1-of-1 DVN setup, the system relied on a single verifier — which approved the request. This resulted in 116,500 rsETH being minted and transferred to the attacker.

The attacker later used these tokens on Aave as collateral to borrow real ETH, leaving the protocol exposed to significant bad debt. This event also triggered massive capital outflows, as detailed in our Aave TVL collapse analysis following the KelpDAO exploit.

According to LayerZero’s official statement, the issue was not due to a flaw in its protocol, but rather KelpDAO’s configuration. The team noted that the incident was isolated to the single-verifier setup, preventing broader impact across other integrations.

Additionally, based on LayerZero’s report, preliminary indicators suggest the attack may be linked to a highly sophisticated state actor, likely DPRK’s Lazarus Group, specifically the subgroup known as TraderTraitor.

Why This Only Affected KelpDAO

LayerZero allows projects to customize their security — known as modular security.

• Most protocols use multi-verifier setups (2-of-3 or 3-of-5)
• This ensures one compromised verifier cannot approve fake transactions

However, KelpDAO used a 1-of-1 setup, meaning:

• Only one approval was required
• No backup validation existed

This decision ultimately made the exploit possible.

Impact on Aave

The damage extended beyond KelpDAO.

Because the attacker used fake rsETH on Aave:

• Aave froze rsETH-related markets
• The protocol now faces $200M+ in bad debt
• Panic withdrawals triggered sharp liquidity outflows
• The AAVE token dropped significantly

What’s Next?

This incident highlights several major risks:

• Collateral Risk: Over-reliance on external or bridged assets
• Systemic Risk: Issues in one protocol can impact others
• Security Trade-offs: Flexibility can introduce vulnerabilities

While both KelpDAO and LayerZero are working on fixes, rebuilding trust will take time.

Bottom Line

This is the largest DeFi exploit of 2026 so far, and it wasn’t caused by broken code — but by a risky security choice.

It serves as a strong reminder: In crypto, configuration matters as much as code

As DeFi grows more interconnected, even a single weak link can trigger widespread consequences.

Frequently Asked Questions (FAQ)

Written by

Nilesh Hembade

Nilesh Hembade is the Founder and Author of Coinsprobe, with 5+ years of experience in cryptocurrency and blockchain. Since launching the platform in 2023, he delivers daily, research-driven insights through market analysis, on-chain data, and technical research. His work has been featured on Binance, Bitget, and CoinMarketCap. He is also certified through Binance Academy (NFT Certificate).

›