Blog 4 min read

DeFi in Crisis: $290M Crypto Hack Raises Alarm Over Spreading Contagion in Blockchain Finance

DeFi Security Crisis
Written by
admin
Published on
Share
in x f

Summary: 

  • According to LayerZero, the North Korean hacker group Lazarus is likely responsible for the $292 million Kelp DAO exploit. 
  • On April 18, the Kelp DAO exploit triggered a $10 billion outflow from Aave because of concerns about potential bad debt on the protocol. 
  • The total value locked across the DeFi sector plunged by 7% in the past 24 hours to $86 billion. 

LayerZero publishes its findings about the Kelp DAO exploit. Their investigations linked the exploit to a North Korean cyber actor. On April 18, 2026, the LayerZero-powered cross-chain bridge Kelp DAO lost 116,500 rsETH tokens, valued at about $292 million, which makes this the largest DeFi exploit so far this year. 

​LayerZero wrote in the latest statement, “Preliminary indicators suggest attribution to a highly sophisticated state actor, likely DPRK’s Lazarus Group, more specifically TraderTraitor.” 

​LayerZero also explained that the attacker gained access to the list of RPC nodes used by LayerZero Labs’ decentralized verified network (DVN), independent entities that verify cross-chain messages. 

Then they poisoned two of the RPC nodes, causing them to deliver a fake cross-chain message to the DVN. The attacker also launched a DDoS attack against the clean nodes to lead the DVN to rely on the positioned nodes. 

Kelp DAO’s Single Point Failure 

Kelp DAO used a single 1-of-1 DVN setup with no redundancy; the fake message sent to the DVN was accepted, allowing the bridge to unlock the token. LayerZero blamed Kelp DAO for choosing a single-DVN setup. 

“Operating a single-point-of-failure configuration meant there was no independent verifier to catch and reject a forged message,” the statement said. “LayerZero and other external parties previously communicated best practices around DVN diversification to KelpDAO. Despite these recommendations, KelpDAO chose to utilize a 1/1 DVN configuration.”

​Moreover, the statement also assured that there is “zero contagion” to any other asset or application. 

​LayerZero also stated that the LayerZero Labs DVN is operational, and applications under a multi-DVN setup should feel confident to resume operations. The statement also added that from this time on, LayerZero will not be signing any messages from apps that use 1/1 DVN configuration. 

​Additionally, LayerZero is working with multiple law enforcement agencies to further investigate the matter and try to track down the stolen funds. 

Affect on Aave 

The attack on Kelp DAO has triggered a ripple effect across the entire sector, causing withdrawals from Aave, which also prompted emergency pauses on multiple protocols. 

The attacker moved the stolen tokens to Aave V3, where they used reETH as collateral to borrow substantial amounts of WETH, creating a bad debt on Aave. The protocol froze the rsETH markets on both V3 and V4 to contain the risk. 

​Aave Founder Stani Kulechov wrote on X, “RsETH has been frozen on Aave V3 and V4; the asset does not have any borrowing power as a measure due to the KelpDAO bridge exploit that happened outside of Aave. Both Aave V3 and V4 do not have further exposure to rsETH.” 

​Even after Aave’s swift measures, the platform recorded a significant outflow of funds. Above $10 billion worth of funds have moved out of Aave since the Kelp DAO exploit. The total supply plunged to $35.7 billion from $45.8 billion before the attack. 

​Marc Zeller, the founder of the Aave Chain Initiative, urged users to quickly withdraw WETH from the protocol, writing, “withdraw now, ask questions later.”

Structural vulnerabilities in DeFi 

The Kelp DAO attack has raised concerns about the security of dozens of DeFi protocols and prompted them to freeze their LayerZero OFT (omnichain fungible token) out of caution. It includes major protocols like Ethena, ether.fi, Tron DAO, Curve Finance, and others. 

​According to DefiLlama data, the total value locked in DeFi saw a decrease of 7% over the 24 hours after the attack. DeFi TVL is valued at around $86.3 billion, dropping from $99.5 billion on April 18. 

​Min Jung, associate researcher at Presto Research, said, “The Kelp DAO exploit is another reflection of structural vulnerabilities in DeFi, especially in cross-chain infrastructure and the irony of how concentrated critical security layers are. From a trust perspective, the timing, following incidents like Drift, is damaging, as users increasingly question whether low yields justify the risk of exploits.”

​The researcher also added that these attacks could further help tighten the risk management across DeFi and improve its architectural design. 

Also Read: Aave (AAVE) Price Prediction 2026–2030