TGTGInsighttelegram intelligenceLIVE / telegram public index
← Top 7 Crypto | Analytics & Alpha
View original
Top 7 Crypto | Analytics & Alpha avatar

TGINSIGHT POST

Post #11952

@TOP7ICO

Top 7 Crypto | Analytics & Alpha

Views1,690Post view count
PostedApr 1904/19/2026, 07:52 AM
Post content

Post content

KelpDAO exploit: $292M minted through a 1-of-1 LayerZero bridge, $177M bad debt now lands on Aave Umbrella The biggest DeFi extraction of 2026 didn’t come from a contract bug. It came from a single line of config. At 17:35 UTC on April 18, an attacker pushed a forged lzReceive call through KelpDAO’s LayerZero OFT adapter and minted 116,500 unbacked rsETH- roughly 18% of supply, ~$292M. One transaction, one signature. Root cause: the rsETH adapter was running requiredDVNCount: 1 with LayerZero Labs as the sole verifier. A $1B+ TVL protocol secured its bridge with a single point of failure. Cashout was textbook. Instead of dumping into DEX liquidity, the attacker used the unbacked tokens as collateral: • Aave Ethereum: borrowed 52,834 WETH • Aave Arbitrum: 29,782 WETH + 821 wstETH • Smaller positions on Compound V3 and Euler before they froze Total borrowed out: $200M–$236M, first hops routed through Tornado Cash within 20 minutes. KelpDAO paused contracts in 46 minutes, but positions already open on third-party lenders can’t be unwound. Aave, SparkLend, Fluid, Ethena, Yearn, Pendle, Beefy, and Lombard all froze rsETH exposure within hours. Every bridged rsETH across ~20 L2s is now structurally impaired. Who actually pays the ~$177M bad debt: Aave Umbrella WETH stakers on Ethereum and Arbitrum. This is Umbrella’s first real-money slashing event - automated, pro-rata, no governance vote. Combined vaults hold ~$260M TVL, putting the slash ratio at 60–70%. Stakers farming a few extra points on top of aWETH are about to lose two-thirds of their position overnight. Bridged rsETH holders take tier 2 pain with a 15–20% haircut as KelpDAO keeps mainnet rsETH whole. The lesson repeats. Contracts worked. EigenLayer was fine. LayerZero’s protocol was fine. The fault sat in the config - the part of the stack auditors don’t review. Before you treat a bridged LRT as 1:1 with its mainnet version, check how many DVNs secure it. That’s the difference between a yield trade and a total loss.​​​​​​​​​​​​​​​​ Great report by @defiprime🔗defiprime.com/kelpdao-rseth-exploit Top 7 Ecosystem:Alpha| X | Aggregator