The Biggest DeFi Hack of 2026: $293 Million Gone in 46 Minutes
On April 18, 2026, KelpDAO suffered what is now confirmed as the largest decentralized finance exploit of the year - a targeted attack on its LayerZero-powered cross-chain bridge that drained approximately 116,500 rsETH, valued at around $292 to $293 million at the time of the incident.
Key Takeaways
- KelpDAO lost roughly $293 million in rsETH on April 18.
- The attacker minted unbacked tokens through a flaw in the cross-chain bridge and immediately used them as collateral on Aave.
- AAVE token dropped up to 14% within hours.
- By mid-April 2026, DeFi losses for the year have already crossed $450 million across roughly 45 protocols.
The attacker, whose initial funding was traced to Tornado Cash, identified and exploited a critical flaw in rsETH’s minting logic. Rather than providing actual collateral, the wallet was able to mint rsETH tokens without backing – effectively printing value out of nothing. The stolen tokens were then deposited into Aave V3 and V4, where they were used as collateral to borrow a substantial volume of WETH. By the time Kelp’s emergency “pauseAll” function was triggered – 46 minutes after the first successful drain – the protocol had already lost the bulk of its funds. Two subsequent attempts by the same attacker to drain an additional $100 million were blocked by that pause mechanism, but the damage from the initial transaction had already settled across the ecosystem.
The Fallout for Aave and the Broader Market
Aave’s exposure to the unbacked collateral left the lending protocol carrying an estimated $177 to $196 million in bad debt – a figure significant enough to activate conversation around its Umbrella safety module, which holds approximately $50 million and is expected to be used to partially cover the deficit. WETH suppliers on Aave have been warned they may face a haircut on their deposits, meaning the losses will not be absorbed entirely by the protocol’s treasury. The AAVE token itself dropped 14% in the hours following the news. rsETH saw trading volume spike by more than 100,000% as holders scrambled to exit positions before further price deterioration.
Other lending platforms reacted quickly. SparkLend, Fluid, and Upshift all froze rsETH markets within hours to prevent further bad debt accumulation, while on-chain investigator ZachXBT identified six wallet addresses linked to the theft that are being monitored for any movement of funds.
Why LRTs as Collateral Carry Serious Risk
The incident has reignited debate around the risk profile of Liquid Restaking Tokens when used as collateral in money markets. rsETH, like similar LRT assets, carries layered complexity – it represents a claim on restaked ETH across multiple validator sets and protocols, making its real-time valuation harder to verify under stress. When that complexity meets a minting flaw in a bridge contract, the result is precisely what happened on April 18: a cascade from a single exploit point into bad debt across multiple platforms.
A Brutal Year for DeFi Security
This attack did not happen in a vacuum. By mid-April 2026, cumulative losses across the DeFi sector have reached between $450 and $482 million, spread across approximately 44 to 45 protocols. The KelpDAO incident is the largest single event, but it follows a string of significant breaches that started almost immediately in January.
The Drift Protocol hack on April 1 cost the Solana-based perpetual futures exchange $285 million. In that case, attackers used social engineering to manipulate Security Council members into pre-signing transactions using Solana’s durable nonces feature, gaining admin control and withdrawing real assets including USDC and SOL within 12 minutes. In March, Resolv Labs lost $80 million after an attacker deposited roughly $200,000 and exploited a flaw in the completeSwap() function to mint $80 million in unbacked USR stablecoins – a move that sent the token’s peg down 74%. Step Finance lost between $27.3 and $40 million in early February following a private key compromise that gave attackers access to unstake and withdraw approximately 261,854 SOL, with the team subsequently announcing the shutdown of the core platform. Truebit lost $26.2 million in January through an integer overflow vulnerability that allowed attackers to manipulate the minting and burning of TRU tokens.
Infrastructure Is the New Target
What these incidents collectively point to is a structural shift in how DeFi is being attacked. Pure smart contract code exploits are no longer the dominant vector. Infrastructure-level attacks – private key theft, social engineering, and compromised frontends – accounted for approximately 76% of losses in early 2026. The Axios supply chain attack, where malicious versions of the widely-used npm package were published with hidden malware for system reconnaissance, illustrated how far outside the on-chain environment these threats have moved. AI-assisted phishing and so-called pig butchering scams have also scaled sharply, with some estimates pointing to a 500% increase in AI-enabled fraudulent outreach compared to the same period in 2025.
For KelpDAO specifically, the path forward will depend on whether the protocol can establish a credible recovery plan for affected rsETH holders and how Aave structures the absorption of its bad debt. Neither question has a clean answer yet.
The information provided in this article is for educational purposes only and does not constitute financial, investment, or trading advice. Coindoo.com does not endorse or recommend any specific investment strategy or cryptocurrency. Always conduct your own research and consult with a licensed financial advisor before making any investment decisions.
Alex is an experienced financial journalist and cryptocurrency enthusiast. With over 8 years of experience covering the crypto, blockchain, and fintech industries, he is well-versed in the complex and ever-evolving world of digital assets. His insightful and thought-provoking articles provide readers with a clear picture of the latest developments and trends in the market. His approach allows him to break down complex ideas into accessible and in-depth content. Follow his publications to stay up to date with the most important trends and topics.
