#rsETH attack incident: latest developments

Kelp DAO's rsETH cross-chain bridge theft is the largest DeFi security incident to date in 2026, resulting in approximately $292 million in asset losses.



The attack occurred around 17:35 UTC on April 18, 2026, when hackers exploited a configuration vulnerability in Kelp DAO's LayerZero-based cross-chain bridge, which uses a 1/1 decentralized verification node (DVN) setup, and forged cross-chain messages to mint about 116.5k rsETH tokens on the Ethereum mainnet without backing assets.

These "air" assets were quickly deposited into major lending protocols like Aave, Compound, and Euler as collateral, borrowing approximately $236 million in real WETH/ETH, with Aave facing potential bad debt risks of up to $177 million to $196 million.

Kelp DAO urgently paused the rsETH contracts on the mainnet and multiple Layer2 networks about 46 minutes after the incident, preventing further attack attempts. However, market panic quickly spread, with Aave's TVL plummeting from $26.4 billion to $18 billion within 24 hours—a 32% drop—and the AAVE token price falling about 18%.

This incident exposes systemic risks in the DeFi ecosystem involving "cross-chain bridges + re-staking derivatives": a security flaw in one link can propagate through composability to multiple protocols, causing chain reactions. Although LayerZero recommends using at least a 2-of-3 DVN configuration, Kelp DAO chose a highly risky 1-of-1 single-point validation mode, criticized as "protecting a bank vault with a single padlock."
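The 1-of-1 versus 2-of-3 point can be checked mechanically. The following is an added example, not code from this post, Kelp DAO or LayerZero: it audits a simplified, hypothetical model of per-pathway verifier sets and reports how many distinct operators must independently attest before a message is accepted. All pathway names, DVN names and operator mappings are constructed, and grouping DVNs by operator goes slightly beyond the case described above.

```python
from itertools import combinations

# Constructed sample data; field names are a simplified, hypothetical model,
# not the real on-chain configuration format.
OPERATOR = {"dvn-a": "op1", "dvn-b": "op2", "dvn-c": "op3", "dvn-d": "op1"}

PATHWAYS = {
    "l2-to-mainnet-1of1": {"required": ["dvn-a"], "optional": [], "threshold": 0},
    "l2-to-mainnet-2of3": {"required": [],
                           "optional": ["dvn-a", "dvn-b", "dvn-c"], "threshold": 2},
    "same-operator-pair": {"required": ["dvn-a", "dvn-d"], "optional": [], "threshold": 0},
}

def min_operators_to_satisfy(cfg, operator=OPERATOR):
    """Smallest number of distinct operators whose DVNs alone satisfy the config.

    A result of 1 means a single party is a single point of failure for
    message verification on that pathway.
    """
    if cfg["threshold"] > len(cfg["optional"]):
        raise ValueError("threshold exceeds number of optional DVNs")
    if not cfg["required"] and cfg["threshold"] == 0:
        return 0  # no verifier has to attest at all
    base = {operator[d] for d in cfg["required"]}
    best = None
    # Every required DVN must attest, plus any `threshold` of the optional ones.
    for combo in combinations(cfg["optional"], cfg["threshold"]):
        n = len(base | {operator[d] for d in combo})
        best = n if best is None else min(best, n)
    return best

def audit(pathways, minimum=2):
    """Return {pathway: operator_count} for pathways below the minimum."""
    findings = {}
    for name, cfg in pathways.items():
        n = min_operators_to_satisfy(cfg)
        if n < minimum:
            findings[name] = n
    return findings

if __name__ == "__main__":
    for name, n in audit(PATHWAYS).items():
        print(f"{name}: only {n} independent operator(s) required")
```

The third sample pathway shows why counting DVNs alone is not enough: two required DVNs run by the same operator still leave one party as the sole verifier.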

Currently, Kelp DAO and LayerZero are disputing responsibility, while the hacker still holds about $175 million worth of ETH on the Ethereum chain. $ETH