Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
The April 18, 2026 Kelp DAO protocol exploit, where attackers created 116,500 unstable rsETH tokens through the injection of a single LayerZero verification node, has resulted in a loss of more than $600 million in the DeFi sector in recent weeks, with cumulative losses approaching $1 billion.
The results of this are now visible through the Internet; The total closed value (TVL) across the financial sector (DeFi) has fallen the most in twelve months, according to DefiLlama data, while the main plane across the lending, leasing, and transit bridges is on the rise.
The key question raised by this incident is not whether the Kelp DAO failed – systematically it failed – but whether a single verified default node exposed a systemic weakness inherent in its DeFi architecture.
Highlights:
- All DeFi losses: About $ 1 billion in recent weeks, and more than $ 600 million was directly caused by the risk of the Kelp DAO and its consequences.
- Size of Kelp DAO: 116,500 unbacked rsETH tokens – about 18% of the circulating supply – were generated via a compromised DVN node on LayerZero; Without violating intellectual property rights.
- TVL Results: Total funds closed in DeFi have reached their lowest point in a year after $13 billion was withdrawn within 48 hours of use.
- Protocols involved: Aave, SparkLend and Fluid platforms have five rsETH markets; The closed value of Aave dropped from $26.4 billion to about $18 billion – the biggest loss for a single protocol.
- Identification: LayerZero named North Korea’s Lazarus Group – specifically the TraderTraitor section – as the culprit; This has not yet been officially confirmed.
- Highlights: The upcoming report of Kelp DAO and Aave’s bad debt recovery on the tainted rsETH collateral are two indicators that will determine whether the disease will stabilize or worsen.
How a single verification node blew up $600 million in DeFi
This failure was permanent rather than incipient, and this distinction is important for evaluating all DeFi devices. Kelp DAO’s rsETH bridge relied on a one-way Decentralized Verification Network (DVN) to verify LayerZero messages, a 1-1 configuration that security firm Halborn had warned about in previous warnings.
The attackers, identified by LayerZero as Lazarus’ Traitor’s TraderTraitor group, compromised two RPC nodes that feed information to the verifiers, launched a DDoS attack against the backup to force the system to migrate to them, and then injected a fraudulent message that generated 116,500 rsETH without any collateral.
The stolen rsETH tokens moved quickly; Online data shows that the attacker exchanged them for ETH and Arbitrum using loans through Aave, SparkLend, and Fluid, and Tornado Cash used to cover gas fees. The malware also removed itself from the compromised RPC environment after the attack, deliberately erasing history.
Losses quickly piled up, as rsETH-backed tokens created bad debt in lending markets that accepted rsETH as collateral without adequate proof of its support, which Halborn described as an “echo chamber” of fake news. Allium, in its immediate post-accident analysis, noted this “The equipment worked the way it was designed, but the way it was designed didn’t work.”.
This is not just writing; It means that the exploit did not require a zero-day threat, but only a malicious change that was documented and warned in advance. Single-failure authentication architectures are now documented attacks, and Kelp DAO will not be the last protocol to rely on them.
Lock-up rate at lowest annual rate: What does the pilot data mean?
The total closed value (TVL) in DeFi had already decreased during Q1 2026 under the severe financial crisis, but the use of Kelp DAO continued the decrease to a much lower level. DefiLlama data shows $13 billion from TVL in 48 hours after the attack of April 18, a speed that surprised protocols such as Compound that had no direct exposure to rsETH but were involved in the removal of infections.
The loss figures in private policies were widely known; Aave’s closing price dropped from $26.4 billion to about $18 billion after the plan halted rsETH markets, a $8.45 billion drop driven by users looking to reduce risk before bad debts could pile up.
Aave’s risk group is now creating two bad credit scenarios based on the return rates of rsETH tokens that were used as collateral for loans before the markets stopped.
This TVL integration provides two future scenarios; If the exit is stable and Kelp publishes a reliable legal report and payment method, the current level may be the disease it has. If Aave’s bad debt reflects product losses and LayerZero’s upgrade continues in Q2, expect a second decline in TVL as yield-seekers move away from protocols and into non-consolidated alternatives.
The calculation of tokens of authority is already high prices as an initial item, since the AAVE token has lost more than 20% since its use, and the recovery opinion is fixed if Aave can leave its exposure to rsETH successfully.
A note Kelp DAO vulnerability wipes out $1 billion and pushes DeFi to new lows appeared for the first time Cryptonews Arabic.
