Someone Forged a Single Message and Walked Away With $292 Million of Restaked ETH
One forged message. One weak validator config. $292 million gone in 46 minutes — and the wreckage is still spreading across 20 chains.
At 17:35 UTC on April 19, an attacker exploited Kelp DAO’s LayerZero-powered rsETH bridge and drained 116,500 rsETH — roughly 18% of the token’s entire circulating supply — worth approximately $292 million. It’s the largest DeFi exploit of 2026, surpassing the Drift Protocol hack from earlier this month.
The attacker didn’t break cryptography. They didn’t need to. They just forged a message.
How It Happened
Kelp DAO’s cross-chain rsETH bridge used LayerZero’s messaging infrastructure with a 1/1 DVN (Decentralized Verifier Network) configuration — the lowest security setting LayerZero allows. That means only a single validator signature was required to authorize any cross-chain message as legitimate.
The attacker exploited a vulnerability in the bridge’s lzReceive method, crafting forged cross-chain messages that instructed the contract to release rsETH without any corresponding tokens being burned on the source chain. The result: 116,500 rsETH materialized out of thin air on the receiving end, then vanished into the attacker’s wallet.
The attacker’s address was funded via Tornado Cash roughly 10 hours before the exploit — a clear sign this was premeditated.
Kelp’s emergency multisig froze contracts 46 minutes after the drain began. Two follow-up drain attempts at 18:26 and 18:28 UTC — each targeting another ~$100 million — were reverted. But the first wave was already gone.
The Contagion: Aave, Compound, Euler Hit
The attacker didn’t just pocket rsETH. They deployed it as collateral on Aave V3, Compound V3, and Euler to borrow real wETH — creating an estimated $280–290 million in bad debt across those protocols when rsETH’s market price collapsed on the news.
Aave immediately froze rsETH markets on both V3 and V4. AAVE governance token fell roughly 10% in the hours following the exploit. SparkLend, Fluid, and Upshift were also impacted by downstream rsETH exposure.
Wrapped ETH is now stranded across 20+ chains with no clear unwinding path while the investigation continues.
Kelp DAO posted on X:
“Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate. We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.”
Aave’s founder Stani Kulechov confirmed that Aave’s own contracts were not compromised — the bad debt originated from Kelp’s external exploit.
This Was Preventable
The core issue isn’t LayerZero itself — it’s that Kelp deployed production infrastructure with the weakest possible message verification setting.
A 1/1 DVN means a single compromised or forged validator signature is all it takes. Projects using cross-chain messaging at this scale should be running multi-validator DVN configurations with independent security providers, not single-point-of-failure setups. Multiple audits over the past year have flagged DVN misconfiguration as a systemic risk across LayerZero-integrated protocols.
The vulnerability in lzReceive wasn’t some exotic zero-day — it was a message authentication gap that a proper security review should catch. This is a bridge security basics failure.
Why This Matters for Crypto Jobs
A $292 million hack doesn’t just hurt token holders — it sends shockwaves through hiring across the entire restaking and cross-chain sector:
Security roles are about to explode. Every protocol with a LayerZero integration — and there are dozens — is now auditing their DVN configuration. Demand for smart contract auditors, bridge security specialists, and cross-chain protocol engineers will spike in the coming weeks as teams scramble to harden their messaging infrastructure.
Restaking took a credibility hit. EigenLayer, Symbiotic, and the broader liquid restaking ecosystem are already dealing with regulatory scrutiny. A $292M rsETH hack adds operational risk to the narrative, which may slow hiring at some restaking-adjacent startups while more established players double down on security investment.
DeFi protocol security teams are understaffed — and everyone knows it now. Aave, Compound, and Euler all had their risk management tested today through zero fault of their own. Expect these protocols to beef up risk parameter teams and real-time monitoring roles.
LayerZero ecosystem projects are on notice. Bridges, omnichain applications, and interoperability infrastructure teams will be reviewing their configurations. That review process needs people — security engineers, auditors, DevSecOps.
If you have a background in EVM security, cross-chain messaging, or DeFi risk modeling — your timing couldn’t be better. The industry needs you.
Looking for your next role in crypto security, DeFi, or Web3 infrastructure? Browse open positions at cryptogrind.com — the job board built for builders, not suits.
