#rsETH攻击事件后续进展 Kelp DAO’s rsETH cross-chain bridge theft is the largest DeFi security incident to date in 2026, resulting in approximately $292 million in asset losses.

The attack occurred around 17:35 UTC on April 18, 2026, when the hacker exploited a configuration vulnerability in Kelp DAO’s LayerZero-based cross-chain bridge (using a 1/1 decentralized validator node DVN setup). By forging cross-chain messages, they minted about 116,500 rsETH tokens on the Ethereum mainnet out of thin air, with no real assets backing them.

These “air assets” were quickly deposited as collateral into mainstream lending protocols such as Aave, Compound, and Euler, and they were used to borrow about $236 million in real WETH/ETH. Among them, Aave faces potential bad-debt risk of as much as $177 million to $196 million.

About 46 minutes after the incident, Kelp DAO urgently paused the rsETH contracts on the mainnet and multiple Layer 2 networks, preventing further attempts to attack. However, market panic spread rapidly: Aave’s TVL plummeted from $26.4 billion to $18.0 billion within 24 hours, a decline of 32%, and the AAVE token price also fell by about 18%.

The incident exposed systemic risks in the DeFi ecosystem of “cross-chain bridges + restaking derivatives.” A security gap in one link can propagate to multiple protocols through composability, creating a chain reaction. Although LayerZero recommends using at least a 2-of-3 DVN configuration, Kelp DAO still chose the extremely high-risk 1-of-1 single-point validation mode, which has been criticized as “protecting a bank vault with a single padlock.”

At present, Kelp DAO and LayerZero are disputing responsibility, while the hacker still holds ETH worth about $175 million on the Ethereum chain. $ETH ‌$BTC #Gate广场四月发帖挑战