
$292 Million: A Deep Dive into the KelpDAO Cross-Chain Message Forgery Incident — Post-Mortem of the Largest DeFi Security Crisis in 2026

A cross-chain bridge message verification vulnerability allowed KelpDAO to be drained of $292 million worth of rsETH in just 46 minutes. The attack was not an isolated theft of one asset: the attacker used DeFi composability to post the now-unbacked rsETH as collateral in lending protocols such as Aave within minutes of the drain, borrowed hundreds of millions in real liquidity against it, and left Aave carrying roughly $177 million in bad debt.

  • Incident Date: April 19, 2026
  • Target: KelpDAO
  • Target Overview: KelpDAO is a leading Liquid Restaking Token (LRT) protocol in the Ethereum ecosystem, with rsETH as its flagship product. Before the incident, the Total Value Locked (TVL) in its ETH LRT exceeded $1.07 billion. rsETH is deployed on more than 20 chains using LayerZero's OFT (Omnichain Fungible Token) standard for bridging.
  • Total Loss: ~$292,000,000
  • Attack Vector: Cross-chain message forgery

Incident Review & Technical Details

1. Attack Path

  1. Funding and Laundering Prep: The attacker funded multiple attack wallets through Tornado Cash, obscuring the origin of the exploit capital before any on-chain interaction with KelpDAO.
  2. The Critical Strike (Message Forgery): The attacker called the lzReceive function on LayerZero's EndpointV2 contract with a forged cross-chain message that bypassed the message verification layer. The forged instruction caused the KelpDAO bridge contract to release its reserves (116,500 rsETH, roughly $292M) to attacker-controlled addresses.
  3. Collateralized Borrowing (Secondary Exploit): The stolen rsETH no longer had the backing that had just been drained, but the lending protocols' oracle price feeds had not yet caught up. The attacker deposited the rsETH as collateral on Aave V3, Compound V3, and Euler and borrowed more than $236M in legitimate WETH against it, then moved the proceeds through Tornado Cash.
  4. Emergency Pause: The KelpDAO multisig froze the core contracts, blocking two further attack waves (roughly $200M in total). The 46 minutes before the freeze were, however, enough for the bad debt to form.
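The control that step 2 turns on is easiest to see in code. The following is an added illustrative example written for this page; it is not KelpDAO's or LayerZero's code, and the post above does not say which element of the verification layer was bypassed in this incident. It contrasts two shapes of a LayerZero V2-style receiver for a wrapped token: one that mints for anyone who calls lzReceive with a plausible-looking Origin, and one that accepts delivery only from the configured endpoint and only from the peer registered for the claimed source chain. The Origin struct, the IMintableToken interface, and the contract names are simplified assumptions for the example. In LayerZero V2 the endpoint itself only delivers a message after the receiver's configured DVNs have verified its payload hash, so even the hardened receiver is only as strong as that DVN configuration and its peer table.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified stand-in for LayerZero V2's Origin struct (an assumption for this
// example; the real definition lives in the lz-evm-protocol-v2 package).
struct Origin {
    uint32 srcEid;   // endpoint id of the source chain
    bytes32 sender;  // sending OApp address on the source chain, as bytes32
    uint64 nonce;    // per-path inbound nonce assigned by the protocol
}

// Hypothetical wrapped-token interface used by both receivers below.
interface IMintableToken {
    function mint(address to, uint256 amount) external;
}

/// Vulnerable shape: anyone can call lzReceive with a fabricated Origin and
/// message, so "release reserves to X" is one unauthenticated call.
contract NaiveBridgeReceiver {
    IMintableToken public immutable token;

    constructor(IMintableToken token_) {
        token = token_;
    }

    function lzReceive(
        Origin calldata,          // never inspected
        bytes32,                  // guid, unused
        bytes calldata message,
        address,                  // executor, unused
        bytes calldata            // extraData, unused
    ) external {
        (address to, uint256 amount) = abi.decode(message, (address, uint256));
        token.mint(to, amount);   // no check on who delivered or who sent it
    }
}

/// Hardened shape: delivery only from the endpoint, and only from the peer
/// registered for the claimed source chain. This mirrors the endpoint-caller
/// and peer checks a LayerZero V2 OApp is expected to implement.
contract GuardedBridgeReceiver {
    address public immutable endpoint;   // local LayerZero EndpointV2
    address public immutable owner;
    IMintableToken public immutable token;

    // srcEid => trusted sender on that chain (e.g. the canonical OFT on mainnet)
    mapping(uint32 => bytes32) public peers;

    error OnlyEndpoint(address caller);
    error OnlyPeer(uint32 srcEid, bytes32 sender);
    error OnlyOwner();

    constructor(address endpoint_, IMintableToken token_) {
        endpoint = endpoint_;
        token = token_;
        owner = msg.sender;
    }

    function setPeer(uint32 srcEid, bytes32 peer) external {
        if (msg.sender != owner) revert OnlyOwner();
        peers[srcEid] = peer;
    }

    function lzReceive(
        Origin calldata origin,
        bytes32,                  // guid, unused here
        bytes calldata message,
        address,                  // executor, unused
        bytes calldata            // extraData, unused
    ) external {
        // 1. Only the endpoint may deliver. The endpoint reaches this call only
        //    after its configured DVNs have verified the payload hash, so a
        //    direct call from an EOA or an attacker contract is rejected.
        if (msg.sender != endpoint) revert OnlyEndpoint(msg.sender);

        // 2. The claimed sender must be the peer registered for that source
        //    chain; an unknown srcEid (peer == 0) or a spoofed sender fails.
        bytes32 peer = peers[origin.srcEid];
        if (peer == bytes32(0) || peer != origin.sender) {
            revert OnlyPeer(origin.srcEid, origin.sender);
        }

        (address to, uint256 amount) = abi.decode(message, (address, uint256));
        token.mint(to, amount);
    }
}
```

The DVN set (which DVNs are required and how many must agree) is configured per OApp on the endpoint's receive library; a path that relies on a single DVN, or on a default configuration the team never reviewed, leaves the endpoint-caller check resting on one signer. Review the DVN configuration, the peer table, and the mint or release path together as one attack surface, and make sure the emergency pause covers the release path and not only token transfers.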

2. Impact Scope

  • Protocol-Level Loss: KelpDAO lost $292 million worth of rsETH reserves, marking it the largest DeFi hack of 2026 to date.
  • Lending Ecosystem Bad Debt: Aave's WETH pool carries approximately $177 million in bad debt. Utilization spiked to 100%, prompting depositors to rush for the exits. The Aave multisig has since frozen all rsETH markets; the AAVE token fell 10%–13% on the news.
  • Multi-chain Ecosystem Crisis: Wrapped rsETH on more than 20 Layer 2 networks (including Arbitrum, Base, and Scroll) has lost its underlying mainnet backing and faces extreme liquidity gaps and the risk of panic redemptions.

3. Official Statements

  • KelpDAO: An official statement confirmed that suspicious cross-chain activity was identified, leading to the full suspension of rsETH contracts on the mainnet and multiple L2s.
  • Aave (Stani Kulechov): The founder stated that Aave’s smart contracts remain secure and uncompromised; the bad debt crisis stems entirely from the loss of value in the collateral asset (rsETH).

4. Investigation Progress

  • Given that the stolen funds were rapidly laundered and transferred via Tornado Cash, the probability of asset recovery remains low.

AUTOSEC.DEV Solution: Building a 360-Degree Defense

To counter hybrid attacks involving "Web2 Breach + Web3 Monetization," AUTOSEC.DEV provides comprehensive protection from code to personnel:

  1. Team OPSEC (Operations Security) Audit & Hardening: We provide enterprise-grade security training and configuration for core Web3 team members, assist teams in deploying security hardware and risk-detection software to raise the cost of social-engineering attacks, and audit password-management practices and device security policies.
  2. End-to-End Incident Response (IR): In an emergency, every second of confusion amplifies the loss. AUTOSEC.DEV provides standardized SOPs (Standard Operating Procedures) and rapid response services tailored to specific business needs to help projects mitigate losses quickly.

Reference

https://x.com/KelpDAO/status/2045595819035046148