KelpDAO exploit shows DeFi tokenization risk: $292m bridge theft cascades via collateral

The KelpDAO exploit hit a cross-chain bridge and drained about $292m worth of rsETH, described as one of the largest DeFi exploits of 2026 so far. On April 18, attackers exploited KelpDAO’s bridge and released 116,500 rsETH (~18% of circulating supply) despite no corresponding backing. The key trader-relevant issue is what happened next: within hours, the stolen (unbacked) rsETH was posted as collateral across major lending protocols. Aave appears to have been the most exposed, where attackers borrowed roughly $190m in WETH. Even though Aave was not hacked, its system accepted collateral that no longer matched what the market believed rsETH represented, leading to estimated bad debt of about $123.7m–$230.1m depending on loss allocation. Mechanically, the KelpDAO exploit focused on cross-chain infrastructure. rsETH is minted via EigenLayer restaking and moved through LayerZero messaging. The bridge relied on a 1-of-1 Decentralised Verifier Network setup; attackers compromised two RPC nodes to feed false transaction data and forced verifier failover to the poisoned sources. Kelp and LayerZero dispute responsibility, and LayerZero later said it would stop signing messages for single-verifier configurations. Broader market takeaway for tokenized assets: the KelpDAO exploit illustrates “composability contagion”. When a token still looks valid on-chain, integrations, oracles, and risk frameworks can propagate losses to venues that were never directly attacked. In the short term, this can raise risk premiums and reduce leverage willingness; longer term, it may accelerate stricter collateral and infrastructure redundancy requirements for DeFi and institutional tokenization.