News
2026's Biggest DeFi Loss: ~$292M Drained From KelpDAO's Bridge — and the Lesson
Bottom line: a bridge became 2026's biggest loss
On April 18, 2026, attackers drained about $292 million (116,500 rsETH) from a cross-chain bridge used by the liquid-staking project KelpDAO (which relied on LayerZero for cross-chain messaging). It is described as 2026's largest DeFi exploit so far.
Key points
- Loss of ~$292M (116,500 rsETH), 2026's biggest DeFi exploit
- Not a smart-contract bug — a single-verifier setup plus compromised off-chain infrastructure
- Attributed (as reported) to the North Korea-linked Lazarus Group
- Lesson: bridges concentrate assets, so they are prime targets
What happened
A bridge "moves" value from one chain to another. Its safety hinges on who verifies that funds were really locked on the source chain.
Here, the verification network (a DVN) relied on effectively one verifier (a 1-of-1 setup). Attackers reportedly compromised the nodes (RPCs) that verifier trusted and got it to attest to a fabricated message, making the system believe a large amount of rsETH had been locked when it had not. So this was a failure of operational configuration and infrastructure, not a contract bug.
Why it matters (the beginner lesson)
Bridges are often the weak knot
Bridges pool a lot of value, so their verification is a target. After the incident, LayerZero reportedly stopped offering 1-of-1 setups and is moving defaults to multi-verifier (e.g. 5/5, and no less than 3/3).
For everyday users the takeaways are simple: (1) avoid unnecessary bridging, (2) if you must, check the bridge's track record and whether it uses multi-party verification, (3) don't move large sums at once. See also bridge risk and smart-contract risk.
FAQ
Q. Was my money at risk? A. Direct losses centred on that bridge's users and assets. But "bridges are a weak point" is a lesson for everyone.
Q. Was it a smart-contract bug? A. As reported, no — it stemmed from a single-verifier configuration and compromised off-chain infrastructure.
Sources
- 2026's biggest crypto exploit: Kelp DAO hit for $292 million (CoinDesk, 2026-04-19): https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains
- Inside the KelpDAO Bridge Exploit (Chainalysis): https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/
- LayerZero says it 'made a mistake' in $292M Kelp exploit (CoinDesk, 2026-05-09): https://www.coindesk.com/tech/2026/05/09/layerzero-says-it-made-a-mistake-in-usd292-million-kelp-exploit
Not financial advice
This reflects publicly reported information as of June 2026 and is not investment advice. Rules, company moves and prices can change — confirm the latest with official sources.
This article is informational only and is not financial, investment, or trading advice. Prices are reference snapshots and may be outdated. Always do your own research.