KelpDAO has become the latest DeFi project to face a major security crisis after a $290 million heist that investigators say is likely tied to North Korea’s Lazarus Group. The attack targeted rsETH, a restaked ether asset used across several protocols, and drained about 116,500 tokens in a matter of hours. What makes the incident alarming is that the exploit did not appear to rely on a typical smart-contract flaw. Instead, it seems to have abused the project’s cross-chain verification setup, showing how a vulnerability in infrastructure can be just as damaging as a bug in code.
According to the project’s public statement, KelpDAO detected suspicious cross-chain activity involving rsETH on April 18, 2026, and quickly paused rsETH contracts across Ethereum mainnet and Layer 2 networks. The team said it was working with LayerZero, Unichain, and other partners to investigate the breach and contain the damage. On-chain activity later showed that the stolen funds were moved through Tornado Cash, a common laundering route used to hide crypto theft.
LayerZero’s early findings suggest the attack was highly coordinated. Researchers believe the hackers compromised RPC nodes and then used a DDoS campaign to force the system into failing over to poisoned infrastructure, where fraudulent cross-chain messages could be accepted as legitimate. In other words, the attackers appear to have tricked the bridge layer into believing a transfer had been properly authorized. That design weakness, rather than the asset itself, seems to have opened the door to the theft.
The impact propagated quickly beyond KelpDAO. Because rsETH is accepted as collateral in lending markets, the exploit created risk for other DeFi platforms, including Compound, Euler, and Aave. Aave responded by freezing and blocking new deposits or borrowing using rsETH collateral. The wider market reaction highlights how one compromised bridge can ripple across multiple protocols, creating uncertainty far beyond the original target.
The KelpDAO incident is another reminder that DeFi security depends not only on smart-contract audits, but also on the trust assumptions behind cross-chain systems. As protocols grow more interconnected, attackers need only find one weak link to trigger losses on a massive scale. For users and developers alike, the lesson is clear: layered security, diversified verification, and conservative bridge design are no longer optional.
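The failover weakness described in LayerZero's early findings and the "diversified verification" recommended above can be compared in a short added example; it is not code from KelpDAO, LayerZero, or any bridge, and the operator names, digests, and threshold are constructed assumptions. It contrasts a verifier that trusts whichever RPC endpoint answers first with one that requires a quorum of independently operated endpoints and fails closed during an outage.

```python
from collections import Counter
from typing import Callable, Dict, NamedTuple, Tuple

Fetch = Callable[[str], str]  # message id -> digest reported by one RPC endpoint

class Verdict(NamedTuple):
    accepted: bool
    reason: str
    dissenters: Tuple[str, ...] = ()

def naive_failover(msg_id: str, claimed: str, endpoints: Dict[str, Fetch]) -> bool:
    """Weak pattern: trust whichever endpoint answers first."""
    for fetch in endpoints.values():
        try:
            return fetch(msg_id) == claimed
        except ConnectionError:
            continue  # an outage silently decides which source gets trusted
    return False

def quorum_verify(msg_id: str, claimed: str, endpoints: Dict[str, Fetch],
                  min_agree: int) -> Verdict:
    """Accept only if min_agree independently operated endpoints report `claimed`."""
    answers = {}
    for name, fetch in endpoints.items():
        try:
            answers[name] = fetch(msg_id)
        except ConnectionError:
            pass  # unreachable endpoint = missing vote, never a reason to lower the bar
    if len(answers) < min_agree:
        return Verdict(False, f"fail closed: {len(answers)}/{len(endpoints)} endpoints reachable")
    agree = Counter(answers.values())[claimed]
    dissent = tuple(sorted(n for n, d in answers.items() if d != claimed))
    if agree < min_agree:
        return Verdict(False, f"only {agree} endpoints confirm the digest", dissent)
    return Verdict(True, "quorum reached", dissent)  # dissenters should still be alerted on

# Constructed sample data: four hypothetical operators, one real and one forged digest.
REAL, FORGED = "0xaaa1", "0xbad0"

def up(digest: str) -> Fetch:
    return lambda msg_id: digest

def down(msg_id: str) -> str:
    raise ConnectionError("timeout")  # endpoint knocked offline

HEALTHY = {"op_a": up(REAL), "op_b": up(REAL), "op_c": up(REAL), "op_d": up(REAL)}
UNDER_ATTACK = {"op_a": down, "op_b": down, "op_c": down, "op_d": up(FORGED)}

if __name__ == "__main__":
    print("naive :", naive_failover("msg-1", FORGED, UNDER_ATTACK))
    print("quorum:", quorum_verify("msg-1", FORGED, UNDER_ATTACK, 3))
    print("quorum:", quorum_verify("msg-1", REAL, HEALTHY, 3))
```

The returned `dissenters` list is worth wiring into alerting: an endpoint that disagrees with the quorum is an early signal of a poisoned or desynchronized node even when the message is ultimately accepted.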
