By Isaac • April 18, 2026 9:17 pm •
If you needed a reminder that DeFi still has serious security holes, here it is. Kelp DAO, the Ethereum-based liquid restaking protocol, just got absolutely gutted in what is now the single largest crypto exploit of 2026. Hackers drained roughly $292 million worth of rsETH tokens by exploiting a vulnerability in Kelp’s LayerZero-powered cross-chain bridge.
That number is not a typo. Nearly $300 million, gone in a single transaction. And the fallout is still rippling through the entire Ethereum DeFi ecosystem tonight.
The attack hit at approximately 5:35 PM UTC on Saturday, April 18. The attacker manipulated LayerZero’s cross-chain messaging verification system, essentially tricking it into believing a legitimate transfer request had arrived from another blockchain.
Continue reading
Join the conversation!
Please share your thoughts about this article below. We value your opinions, and would love to see you add to the discussion!