DeFi’s latest shock is not just the roughly $290 million to $292 million drained from KelpDAO on April 18, 2026. It is the mechanism. Early incident reports tied the exploit to compromised cross-chain verification infrastructure, and LayerZero said on April 20, 2026 that preliminary indicators pointed to North Korea’s Lazarus Group, specifically the TraderTraitor cluster. That matters because the market damage spread far beyond one protocol, hitting Aave liquidity, sector-wide TVL, and confidence in bridged collateral models.
Last Updated: April 20, 2026, 16:45 UTC
Incident Size: $290M-$292M equivalent (reported range, refreshed 16:45 UTC)
Exploit Date: April 18, 2026 | Asset Reported Drained: 116,500 rsETH
Sector Impact: DeFi TVL down to $86.286B from $99.497B within 48 hours
Losses Top $290M as DeFi TVL Drops $13.21B in 48 Hours
The numbers are ugly. KelpDAO’s exploit was reported at about $290 million by Phemex News and The Defiant, while other outlets put the figure at $292 million or $294 million as token pricing shifted across the day on April 20, 2026. That narrow range is normal in fast-moving exploit coverage, but the lower-bound and upper-bound still place it among the largest DeFi breaches of the year. More important, the attack appears to have removed 116,500 rsETH from the system, a figure repeated across multiple reports published between 10:29 UTC and 15:21 UTC on April 20.
Then came contagion. DefiLlama-tracked DeFi TVL fell from $99.497 billion to $86.286 billion in the 48 hours after the April 18 exploit, a decline of $13.21 billion, according to figures cited in market coverage updated on April 20, 2026. That is a 13.28% drop by calculation. Another widely cited snapshot showed a 7% sector decline over 24 hours, which fits the broader two-day drawdown once the second wave of withdrawals is included. In plain English: the market did not treat this as an isolated bridge failure. It priced in systemic collateral risk.
Derived Metrics Analysis
| Calculated Metric | Current Value | Reference Value | Deviation | Signal |
|---|---|---|---|---|
| Kelp Loss / DeFi TVL Pre-Shock | 0.29% | $292M / $99.497B | Low direct, high indirect | Contagion exceeded principal loss |
| TVL Contagion Multiplier | 45.24x | $13.21B / $292M | Extreme | Confidence crisis, not just theft |
| Aave Bad Debt / Exploit Size | 80.82% | $236M / $292M | Very high | Collateral plumbing failure |
| Drained rsETH / Circulating Supply | 18.49% | 116,500 / 630,000 | Concentrated shock | Supply integrity event |
Methodology: Calculations use reported figures published on April 20, 2026 from LayerZero-linked coverage, DefiLlama-cited TVL snapshots, and market reports on Aave exposure. Percentages are derived from the reported ranges available at 16:45 UTC on April 20, 2026.
BAD MORNING: $293M Kelp DAO Hack: Biggest DeFi Exploit of 2026
What Happened
Kelp DAO's (@KelpDAO) rsETH bridge was exploited through LayerZero.
➡️ 116,500 rsETH drained (~$293M in minutes)
➡️ 18% of rsETH's total supply, gone
➡️ Main drain tx hit the lzReceive function on… pic.twitter.com/Y6whCtLr4b— Crypto Patel (@CryptoPatel) April 19, 2026
That contagion multiplier, 45.24 times the reported exploit size, is the angle many headlines missed. Competitor coverage focused on the Lazarus attribution and the dollar loss. The more important takeaway is structural: a sub-0.3% hit to pre-shock DeFi TVL triggered a double-digit sector drawdown because the market no longer trusts wrapped collateral once verification assumptions break.
Why the Alleged RPC Compromise Triggered a Much Bigger Liquidity Shock
Here is where the story gets more serious. The Defiant reported on April 20, 2026 that the exploit involved compromised LayerZero RPC nodes feeding data to a verifier, while Coin360-cited reporting said LayerZero described a sophisticated attack engineered to poison downstream RPC infrastructure by compromising a quorum relied on for transaction verification. If that framing holds, this was not a simple smart-contract bug. It was an infrastructure trust failure.
[Embedded media — view the full article to watch]
Event Sequence: April 18-20, 2026
April 18, 17:35 UTC: Attackers reportedly exploit KelpDAO’s LayerZero-linked bridge path and begin draining rsETH. (market reports cited in public coverage)
April 19, 20:41 UTC: Reports cite panic-driven withdrawals across DeFi lending markets as TVL erosion spreads beyond directly exposed protocols. (BingX/BlockBeats coverage)
April 20, 10:29 UTC: LayerZero-linked coverage says preliminary indicators point to Lazarus Group involvement. (Yahoo/Cryptonews syndication)
April 20, 15:21 UTC: Additional market coverage reiterates an estimated $290M loss and advanced RPC attack claims. (BingX/Wu Blockchain coverage)
I’ve tracked DeFi exploit cascades since the bridge failures of 2022, and this pattern is familiar in one way and different in another. Familiar because once users suspect collateral is synthetic or unbacked, they run first and ask questions later. Different because the alleged weak point was not just token logic. It was message verification. That distinction matters because dozens of protocols depend on middleware, oracle pathways, relayers, and RPC assumptions they do not fully control.
Aave Hits 100% WETH Utilization While Sector Confidence Breaks First
The sharpest secondary stress showed up on Aave. Multiple April 19-20 reports said the attacker deposited unbacked rsETH into Aave V3 and borrowed about $236 million in WETH against it. That pushed Aave’s WETH pool to 100% utilization, effectively freezing normal withdrawal flexibility for suppliers. One report put Aave outflows above $5.4 billion and another said Aave TVL fell from roughly $26.4 billion to about $17.52 billion or $17.7 billion in two days. Even allowing for timestamp differences, that is a decline of about $8.7 billion to $8.9 billion.
Kelp DAO hackeada em U$292M.
O vetor de ataque parece ter sido uma bridge da Layer Zero entre Unichain -> Ethereum.
Ao que aparenta, as transações eram validadas por um validador da Layer Zero (DVN) e ele pode ter sido comprometido.
Assim, o hacker conseguiu mandar um… https://t.co/XfO4D4OIOn
— guiriba.eth (@guiriba) April 18, 2026
Short sentence. This is the real crisis. DeFi did not just lose funds; it lost liquidity mobility. When a core lending venue hits full utilization in a flagship asset pool, users across unrelated markets start reassessing every derivative token they hold. That’s why the KelpDAO event looks less like a one-off exploit and more like a stress test for shared-pool lending built on rehypothecated staking assets.
⚠️
Systemic Risk Alert: Aave Exposure Reached Roughly $236M
Public reports published on April 20, 2026 said the attacker used unbacked rsETH as collateral on Aave V3 and borrowed about $236 million in WETH, pushing the WETH pool to 100% utilization. With DeFi TVL down $13.21 billion in 48 hours, the market response suggests users are pricing counterparty and collateral-chain risk across the sector, not just at KelpDAO.
Another overlooked detail is scale concentration. One report said the drained 116,500 rsETH represented about 18% of rsETH’s 630,000 circulating supply. By calculation, that is 18.49%. Once nearly a fifth of a liquid restaking asset’s reported supply is implicated in an exploit narrative, every venue accepting that token or its wrappers has to reprice risk immediately.
Can DeFi Contain the Damage if Lazarus-Style Infiltration Claims Spread?
That depends on whether the market sees KelpDAO as an isolated configuration failure or the first visible symptom of a broader operational-security problem. April 2026 has already become the worst month for crypto hacks since February 2025, with reported losses of $606.2 million across 12 incidents, according to market coverage published on April 20. KelpDAO alone accounts for nearly half that monthly total by calculation, between 47.8% and 48.2% depending on whether one uses the $290 million or $292 million estimate.
Data Verification: The exploit size was cross-reported at $290M, $292M, and $294M in coverage published on April 20, 2026. The drained token amount of 116,500 rsETH appeared consistently across multiple reports. DeFi TVL decline figures of 7% in 24 hours and $13.21B over 48 hours are directionally consistent once timestamp differences are accounted for.
If LayerZero’s preliminary attribution to Lazarus or TraderTraitor is confirmed by forensic firms or law enforcement, the significance goes beyond one protocol. It would suggest state-linked actors are not merely exploiting code. They are targeting the human and infrastructure layers around DeFi verification. That’s harder to patch, slower to detect, and much more dangerous for protocols that market themselves as decentralized while depending on narrow operational trust assumptions.
Frequently Asked Questions
What happened in the KelpDAO exploit?
Public reports say attackers drained about 116,500 rsETH on April 18, 2026, with estimated losses ranging from $290 million to $294 million depending on pricing snapshots. Several reports published on April 20 said the exploit involved KelpDAO’s LayerZero-linked bridge path and may have relied on compromised verification or RPC infrastructure.
Why is Lazarus Group being mentioned?
LayerZero-linked coverage published at 10:29 UTC on April 20, 2026 said preliminary indicators pointed to North Korea’s Lazarus Group, specifically the TraderTraitor subgroup. That attribution remains an early claim in public reporting, but it is significant because Lazarus has been linked by authorities to prior large crypto thefts.
Why did the KelpDAO incident hurt Aave and the wider DeFi market?
Reports say the attacker used unbacked rsETH as collateral on Aave V3 and borrowed about $236 million in WETH, pushing Aave’s WETH pool to 100% utilization. At the same time, DeFi TVL reportedly fell from $99.497 billion to $86.286 billion in 48 hours, showing that users pulled liquidity across the sector, not only from directly exposed protocols.
How large was the broader market impact?
Based on DefiLlama-cited figures in April 20 coverage, DeFi lost $13.21 billion in TVL over 48 hours, a 13.28% decline. Aave alone reportedly saw TVL fall by roughly $8.7 billion to $8.9 billion over two days, while some reports said its token dropped about 17.7% to 20% on April 19 as fear spread.
Could more protocols face similar problems?
Yes, if the root issue involves verification infrastructure rather than a single contract bug. Protocols that accept bridged, wrapped, or restaked assets depend on assumptions about message validity, collateral backing, and liquidation pathways. The KelpDAO case shows how quickly those assumptions can fail across multiple venues once confidence breaks.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency investments carry significant risk, including the possibility of total loss. Always conduct your own research and consult a qualified financial advisor before making investment decisions.