When a single misconfigured signature is all it takes to create $292 million in tokens from nothing, the entire premise of trustless finance looks a lot shakier than the name suggests.
How the Attack Worked
On April 18, 2026, an attacker exploited a vulnerability in KelpDAO's cross-chain bridge - powered by LayerZero - to drain 116,500 rsETH tokens worth approximately $292 million. That's about 18% of rsETH's entire circulating supply, conjured out of a flaw that wasn't in LayerZero's protocol itself but in how Kelp had configured it.
The setup relied on a single verification point to authorize cross-chain messages. The attacker found it, exploited it, and a message went through that shouldn't have. "One signature and 116,500 rsETH materialized out of thin air on Ethereum," as researchers later described it. Those tokens were then used as collateral to borrow real assets - mostly from Aave - and drained before the protocol could pause.
Lazarus Group's Fingerprints
Within three days of the breach, blockchain analytics firm Chainalysis attributed the attack to North Korea's Lazarus Group, based on mixer usage patterns and fund-dispersal methods matching the group's known operational style. The attribution is consistent with Lazarus's track record of targeting DeFi protocols - they've been the most prolific on-chain thieves for several years running.
The scale of the loss makes it the largest DeFi exploit of 2026, overtaking the Drift hack by a few million dollars. Cumulative DeFi losses this year have now crossed $770 million across more than 30 incidents - a number that's difficult to spin as a maturing industry's growing pain.
DeFi Mounts a Rescue
What followed was, depending on your perspective, either a remarkable show of coordination or a reminder that the safety net in DeFi is entirely informal.
Aave convened a coalition called "DeFi United," pulling in Lido Finance, EtherFi, and other major protocols to put forward ETH to cover the shortfall left in Aave's lending pools. On April 21, Arbitrum's Network Security Council froze 30,766 ETH - roughly $71 million - belonging to the attacker, recovering about 25% of stolen assets. Standard Chartered published a note calling the sector's response a sign of resilience. The broader crypto community was less measured, with some declaring DeFi dead outright.
What Needs to Change
CoinDesk's post-mortem published Saturday points to cross-chain bridges as DeFi's most persistent weak link - a problem the industry has been aware of since the Wormhole and Ronin bridge exploits years earlier. The pattern is consistent: bridge complexity creates attack surfaces, and the incentives to ship quickly tend to outrun the incentives to audit carefully.
The most uncomfortable part of this incident is that it wasn't a sophisticated zero-day. It was a configuration mistake. LayerZero's infrastructure worked as designed - the problem was how Kelp deployed it. That's a much harder issue to address with audits alone, because it means any protocol using shared infrastructure needs to verify not just the code but every parameter governing how cross-chain messages are trusted and validated.
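A parameter-level check of the kind described above, as an added example that is not code from Kelp, LayerZero or the post-mortem: it audits a bridge's message-verification settings and reports how few distinct verifier keys can authorize a message. The schema (`required`, `optional`, `threshold`), the policy minimum of two, and the sample pathways are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

ZERO_ADDR = "0x" + "0" * 40

@dataclass
class Pathway:  # hypothetical schema, not any project's real config format
    name: str
    required: list = field(default_factory=list)  # every one must attest
    optional: list = field(default_factory=list)  # any `threshold` of these must attest
    threshold: int = 0

def min_keys(p: Pathway) -> int:
    """Fewest distinct verifier keys that can authorize a message on this pathway."""
    req = {a.lower() for a in p.required}
    opt = {a.lower() for a in p.optional}
    # An address in both sets satisfies an optional slot with no extra key.
    return len(req) + max(0, p.threshold - len(req & opt))

def audit(p: Pathway, policy_min: int = 2) -> list:
    """Return human-readable findings; an empty list means the pathway passes."""
    findings = []
    addrs = [a.lower() for a in p.required + p.optional]
    if ZERO_ADDR in addrs:
        findings.append("zero-address verifier configured")
    if len(set(addrs)) != len(addrs):
        findings.append("same verifier listed more than once")
    if p.threshold > len({a.lower() for a in p.optional}):
        findings.append("optional threshold exceeds optional set (messages can never verify)")
    k = min_keys(p)
    if k < policy_min:
        findings.append(f"{k} key(s) can authorize a message; policy requires {policy_min}")
    return findings

# Constructed sample pathways; addresses are placeholders.
A, B, C = ("0x" + c * 40 for c in "abc")
SAMPLES = [
    Pathway("single-verifier", required=[A]),
    Pathway("overlap", required=[A], optional=[A, B], threshold=1),
    Pathway("two-of-three", required=[A], optional=[B, C], threshold=1),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.name, audit(p) or "ok")
```

The "overlap" pathway lists two verifier roles but still reduces to one key, which is the kind of setting a code-only audit would not surface.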
KelpDAO and Aave are still working through recovery. Lazarus Group, meanwhile, has an estimated $292 million in assets to launder. Some things in crypto move faster than others.
---------------
Author: Ryan Gardner
Silicon Valley News Desk

