Daily Crypto News UK
The £230M KelpDAO Hack: What UK DeFi Users Must Learn About Bridge Security
defi

The KelpDAO bridge exploit on 18 April 2026 was 2026's largest DeFi hack at $292 million — not a smart contract bug, but a compromised off-chain verifier. Here's how it happened and what UK DeFi investors should take from it.

Daily Crypto News UK Newsroom

Important Risk Warning

This is not financial advice. Cryptocurrency investments are highly volatile. The value of your investment can go down as well as up, and you could lose all the money you invest. Don't invest unless you're prepared to lose all the money you put in.

London — On 18 April 2026, attackers stole approximately $292 million worth of restaked Ethereum from KelpDAO's cross-chain bridge, making it the largest DeFi exploit of 2026. What made this attack particularly instructive — and unsettling — was the method. There was no smart contract bug. No flash loan. The attacker didn't find a vulnerability in the code. They compromised the infrastructure sitting behind the bridge's verification system and tricked it into signing off on transactions that should never have been approved.

For UK investors using DeFi, the KelpDAO hack is a case study in a category of risk that's easy to underestimate.

How the exploit actually worked

KelpDAO runs rsETH — a restaked ether token that allows users to earn yield across multiple protocols simultaneously. To enable rsETH to exist across more than twenty blockchain networks, KelpDAO used LayerZero's bridge infrastructure, which relies on a Decentralized Verifier Network (DVN) to confirm that cross-chain messages are legitimate.

Here's the critical configuration choice that made the exploit possible: KelpDAO was running a 1-of-1 verifier setup. A single DVN node was responsible for validating cross-chain messages before funds were released. One node. No redundancy, no majority vote, no threshold signature requiring multiple parties to agree.

The attackers — linked by Chainalysis to North Korea's Lazarus Group — compromised the RPC nodes that this single DVN relied on to observe blockchain state. Once they had control of those nodes, they fed the verifier false information: specifically, that 116,500 rsETH had been locked on the source chain when no such transaction had occurred. The verifier, seeing what appeared to be valid data from its trusted RPC sources, attested to the fabricated message. Funds were released.

The result: 116,500 rsETH moved to attacker-controlled addresses before being swapped for ETH and funnelled through mixing services.

The cascade: what happened next

Because rsETH existed as bridge-backed tokens on more than twenty networks, the exploit immediately raised questions about whether rsETH held on those networks still had real backing. The answer was: not fully. This triggered a wave of emergency responses from protocols that had accepted rsETH as collateral.

Aave, SparkLend, and Fluid — three of the larger DeFi lending platforms — froze rsETH markets. At the time of the exploit, 89,567 rsETH had been deposited on Aave as collateral to borrow roughly $190 million in WETH. If rsETH was no longer fully backed, that WETH was now under-collateralised. Protocol governance votes convened within hours to freeze positions and protect other depositors.

The broader DeFi ecosystem absorbed the shock without a systemic meltdown, partly because the freeze mechanisms worked as intended and partly because rsETH's total supply was large enough that partial unbacking didn't render it worthless overnight. But the event exposed the interconnectedness of DeFi lending markets in ways that have implications beyond KelpDAO.

The lesson: off-chain infrastructure is on-chain risk

The Ronin bridge hack in 2022 ($625 million), the Wormhole hack in 2022 ($320 million), the Nomad bridge hack ($190 million) — bridge exploits have been the single most expensive category of DeFi security failure over the past four years. KelpDAO extends that pattern into 2026.

The consistent thread is that bridge security is only as strong as its weakest component, and that component is often not the smart contract. It is the validators, relayers, or verifier nodes that run off-chain and make the trust decisions the smart contract then executes. A 1-of-1 verifier configuration is this risk in its purest form: a single point of failure whose inputs (here, the RPC nodes it reads chain state from) become the real security boundary. KelpDAO's post-mortem has prompted LayerZero to publicly tighten its recommendations about minimum verifier configurations for protocols handling significant value.
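To make the mechanics described above concrete (the 1-of-1 DVN fed fabricated state by compromised RPC nodes, and the threshold configurations LayerZero now recommends), here is an added simulation written for this article. It is illustrative code, not KelpDAO's, LayerZero's or any DVN operator's implementation: the `LockMessage` format, the `Verifier`/`RpcNode` classes, the provider names and the sample message ids are all assumptions. It models a verifier that decides whether a cross-chain "lock" message is genuine by asking RPC nodes about source-chain state, and compares a 1-of-1 setup with a 2-of-3 DVN setup in which each DVN also requires agreement from 2 of its 3 independent RPC providers.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LockMessage:
    """A cross-chain message claiming `amount_rseth` was locked on the source chain."""
    msg_id: str
    amount_rseth: int


@dataclass
class RpcNode:
    """An RPC endpoint a verifier queries for source-chain state.
    `locks` is the set of message ids this node reports as having a confirmed lock."""
    name: str
    locks: set = field(default_factory=set)

    def confirms(self, msg: LockMessage) -> bool:
        return msg.msg_id in self.locks


@dataclass
class Verifier:
    """One DVN. It attests to a message only if at least `rpc_quorum` of its
    RPC sources independently confirm the lock on the source chain."""
    name: str
    rpcs: list
    rpc_quorum: int = 1

    def attest(self, msg: LockMessage) -> bool:
        confirmations = sum(1 for rpc in self.rpcs if rpc.confirms(msg))
        return confirmations >= self.rpc_quorum


def bridge_release(verifiers: list, required_attestations: int, msg: LockMessage) -> bool:
    """The destination-chain endpoint releases funds only when enough DVNs attest."""
    attested = sum(1 for v in verifiers if v.attest(msg))
    return attested >= required_attestations


# Constructed sample data (assumptions for this illustration, not real chain data).
GENUINE = LockMessage("lock-0001", 10)            # really locked on the source chain
FABRICATED = LockMessage("lock-9999", 116_500)    # never locked anywhere


def honest_rpc(name: str) -> RpcNode:
    """An honest node only reports the genuine lock."""
    return RpcNode(name, {GENUINE.msg_id})


def compromised_rpc(name: str) -> RpcNode:
    """An attacker-controlled node also reports the fabricated lock as confirmed."""
    return RpcNode(name, {GENUINE.msg_id, FABRICATED.msg_id})


def simulate_one_of_one(msg: LockMessage, attacker_controls_rpc: bool) -> bool:
    """1-of-1: a single DVN trusting a single RPC source. Returns True if funds are released."""
    rpc = compromised_rpc("provider-A") if attacker_controls_rpc else honest_rpc("provider-A")
    dvn = Verifier("dvn-1", [rpc], rpc_quorum=1)
    return bridge_release([dvn], required_attestations=1, msg=msg)


def simulate_hardened(msg: LockMessage, compromised_providers: set) -> bool:
    """2-of-3 DVNs, each with a 2-of-3 quorum over its own independent RPC providers
    (nine providers in total, named provider-<dvn><slot>)."""
    verifiers = []
    for d in range(3):
        rpcs = []
        for p in range(3):
            name = f"provider-{d}{p}"
            rpcs.append(compromised_rpc(name) if name in compromised_providers else honest_rpc(name))
        verifiers.append(Verifier(f"dvn-{d}", rpcs, rpc_quorum=2))
    return bridge_release(verifiers, required_attestations=2, msg=msg)


if __name__ == "__main__":
    print("1-of-1, honest RPC, fabricated msg  ->", simulate_one_of_one(FABRICATED, False))
    print("1-of-1, compromised RPC, fabricated ->", simulate_one_of_one(FABRICATED, True))
    print("2-of-3, one DVN's RPCs all owned    ->",
          simulate_hardened(FABRICATED, {"provider-00", "provider-01", "provider-02"}))
    print("2-of-3, one RPC per DVN owned       ->",
          simulate_hardened(FABRICATED, {"provider-00", "provider-10", "provider-20"}))
    print("2-of-3, genuine message             ->", simulate_hardened(GENUINE, set()))
```

Two things the simulation shows that the narrative alone does not. First, the 1-of-1 bridge releases the fabricated 116,500 rsETH as soon as its only RPC source lies, because no second opinion exists anywhere in the path. Second, thresholds are not magic: the hardened bridge still releases if the attacker controls two RPC providers under each of two different DVNs, so the independence of providers across DVNs (different operators, different hosting, different RPC vendors) is what the M-of-N number actually buys.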

What UK DeFi investors should do differently

The practical implications for UK users who interact with DeFi across multiple chains are straightforward, if uncomfortable.

Understand what backs your tokens. rsETH on an L2 was always backed by a bridge. If you're holding yield-bearing or restaked tokens on non-native chains, know which bridge infrastructure is involved and what the verifier configuration looks like. This information is almost always in the protocol's documentation and audits.

Diversify bridge exposure. Concentrating restaked assets in protocols that rely on a single bridge infrastructure creates correlation risk. When that bridge fails, everything relying on it moves together.

For the UK regulatory context: the FCA has noted bridge infrastructure as a systemic risk in its discussion papers on DeFi regulation. Whether bridge security standards will be part of the incoming FSMA crypto authorisation requirements remains to be seen — but the KelpDAO incident will almost certainly feature in whatever technical standards consultation the FCA runs on DeFi.

The $292 million figure is the headline. The underlying lesson is quieter and more durable: in DeFi, risk often lives in the infrastructure you can't see, not the code you can audit.
