A major DeFi crisis unfolded on April 18 after KelpDAO suffered an exploit tied to its LayerZero-powered rsETH bridge setup. What began as suspicious cross-chain activity quickly escalated into one of the biggest liquidity stress events of the year, with the attacker reportedly minting 116,500 rsETH without backing, posting it as collateral on Aave V3, & borrowing roughly $236 million in WETH.

The incident rapidly moved beyond KelpDAO itself. Emergency measures spread across lending protocols as teams rushed to contain the fallout. Aave paused rsETH markets & WETH reserves across multiple chains, SparkLend & other protocols halted certain operations, & users began pulling funds from DeFi lending venues out of fear that deeper hidden exposures could still emerge. Within hours, the event had turned into a broad confidence crisis rather than a single protocol exploit.

• How the Exploit Unfolded
• Market Fallout Across DeFi
• What the Incident Reveals About Cross-Chain Risk

How the Exploit Unfolded

According to the incident narrative shared across the ecosystem, the attacker exploited KelpDAO’s cross-chain rsETH setup to create unbacked rsETH. That alone would have been serious, but the real damage came from what happened next. Instead of dumping the unbacked asset directly into the market, the attacker used it in a more capital-efficient way by depositing it into Aave V3 as collateral.

This turned the exploit from a bridge integrity problem into a full lending crisis. Once the fraudulent rsETH was accepted as collateral, the attacker was reportedly able to borrow around $236 million in WETH. At that point, the issue was no longer just about fake token supply. Real & highly liquid capital had already been extracted from one of DeFi’s most important money markets.

The mechanics of the exploit highlight why cross-chain messaging systems remain such high-risk infrastructure. If an attacker can manipulate the verification path that determines whether a cross-chain message is valid, they can effectively create assets that appear legitimate to the rest of the ecosystem. Other protocols do not independently verify the entire history behind every bridged asset. They rely on the issuer, the bridge, & the associated security model to be sound. When that trust assumption fails, the impact cascades.

LayerZero later said the incident was isolated to KelpDAO’s rsETH configuration & tied to a single-DVN setup rather than a broader failure of the LayerZero protocol itself. That point is important because it frames the exploit as one caused by how the integration was configured, not by a universal compromise of the interoperability layer. Still, from a market perspective, users care less about where the technical blame sits & more about whether the asset they interact with can still be trusted. Once that confidence is damaged, nuance matters less than speed.

Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.

We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.

We will keep you…— Kelp (@KelpDAO) April 18, 2026

Market Fallout Across DeFi

Aave became the central containment zone because it was the protocol where the unbacked rsETH had been turned into borrowed WETH. Faced with the risk of further extraction, bad debt, & contagion, Aave moved to pause rsETH markets & WETH reserves across multiple chains. This was a defensive move meant to limit the blast radius, but it also sent a clear signal to the market that the situation was serious enough to justify emergency controls.

That signal helped trigger what many described as a bank-run-like response across DeFi. Users did not wait for complete technical reports or governance discussions. They began withdrawing funds from protocols simply because uncertainty itself had become the biggest risk. In highly composable systems, users know that hidden exposures can sit beneath apparently healthy markets. If an unbacked bridged asset was already used to borrow hundreds of millions in blue-chip liquidity, then every connected venue suddenly looked worth re-evaluating.

As a result, total value locked across affected ecosystems reportedly fell by around $5 billion to $6 billion. This drop was not driven only by direct loss. It reflected a broad collapse in short-term confidence. When users stop trusting that collateral is sound, they do not just avoid the affected token. They reduce exposure to lending markets, leveraged positions, yield strategies, & any venue that might be indirectly connected.

The market reaction also gained more attention after Justin Sun reportedly withdrew funds during the panic & later offered to negotiate directly with the attacker for a return of assets. That added a familiar DeFi pattern to the crisis, where technical response, reputational pressure, law enforcement coordination, bounty-like discussions, & public negotiation all become part of the post-exploit playbook. But the need for such measures only reinforced the deeper problem: once the exploit had already succeeded, recovery became a separate battle entirely.

https://t.co/3vIHs3Xgs4— LayerZero (@LayerZero_Core) April 20, 2026