The April 18, 2026 Kelp DAO protocol exploit, in which attackers created 116,500 unbacked rsETH tokens by poisoning a single LayerZero verification node, resulted in losses exceeding $600 million across the DeFi sector in recent weeks, with cumulative damages across all protocols approaching $1 billion.
The impact of this is now clear thanks to online data; Total value locked (TVL) in the decentralized finance (DeFi) sector has collapsed to its lowest point in twelve months, according to data from DefiLlama, as capital flight through buybacks, lending and cross-chain bridges accelerates.
The fundamental question raised by this incident is not whether the Kelp DAO failed – structurally, it failed – but rather whether a single misconfigured verification node exposed a systemic fragility underlying DeFi’s entire cross-chain architecture.
- Total DeFi losses: Nearly a billion dollars in recent weeks, including more than $600 million directly attributable to the Kelp DAO vulnerability and its infectious effects.
- Kelp DAO exploit size: 116,500 unsupported rsETH tokens – approximately 18% of the circulating supply – were issued via a compromised DVN node at LayerZero; Without breaking smart contracts.
- TVL effect: The total value locked in DeFi hit its lowest level in a year after $13 billion was released within 48 hours of the exploit.
- Protocols concerned: Aave, SparkLend and Fluid platforms froze rsETH markets; The value locked in Aave fell from $26.4 billion to around $18 billion – the largest loss for a single protocol.
- Identification: LayerZero named the North Korean Lazarus Group – specifically the TraderTraitor unit – as a possible culprit; This has not yet been officially confirmed.
- Follow-up items: Kelp DAO’s upcoming forensic report and Aave’s bad debt settlement on tainted rsETH collateral are the two signals that will determine whether the infection will stabilize or worsen.
How a single verification node pumped $600 million into DeFi
The failure was structural rather than fundamental, and this distinction is important for evaluating the rest of cross-chain DeFi infrastructure. Kelp DAO’s rsETH bridge relied on a single Decentralized Verification Network (DVN) node to authenticate LayerZero messages, a 1-on-1 setup that security firm Halborn had warned against in previous alerts.
The attackers, identified by LayerZero as Lazarus’ TraderTraitor group, compromised two RPC nodes providing data to the verifier, launched DDoS attacks against the backup nodes to force the system to migrate to them, and then injected a phishing message that generated 116,500 rsETH without any underlying collateral.
Stolen rsETH tokens moved quickly; Data on the network shows that the attacker traded them for ETH and Arbitrum using loans through Aave, SparkLend and Fluid, with Tornado Cash used to hide gas fees. The malware also deleted itself from compromised RPC nodes after the attack, intentionally erasing criminal records.
Losses piled up quickly as the created rsETH tokens created bad debts in lending markets that accepted rsETH as collateral without adequate verification of its backing, which Halborn described as an “echo chamber” of false messages. Allium, in its post-accident gap analysis, noted that “The tools worked as expected, but not the way they were configured. ».
This is not just a marginal note; This means that the exploitation did not require a zero-day vulnerability, but simply a documented misconfiguration and warned in advance. Single point of failure verification architectures are now a documented attack surface, and Kelp DAO will not be the last protocol to rely on them.
Value locked at one-year low: What does the capital flight data mean?
Total value locked (TVL) in DeFi had already declined in Q1 2026 under macroeconomic pressures, but the Kelp DAO exploit accelerated the decline to a sharp decline. Data from DefiLlama shows a $13 billion exodus from TVL in the 48 hours following the April 18 attack, a pace that surprised protocols like Compound that had no direct exposure to rsETH but were still affected by the infection takedowns.
The loss figures in individual protocols were more pronounced; The value locked in Aave collapsed from $26.4 billion to around $18 billion after the protocol froze rsETH markets, an $8.45 billion drop driven by users seeking to reduce risk before bad debts potentially crystallized from tainted collateral positions.
The Aave risk management team is currently modeling two bad debt scenarios based on the recovery rates of uncollateralized rsETH tokens that were used as collateral for loans before the markets froze.
This contraction of TVL poses two scenarios for the future; If outflows stabilize and Kelp releases a credible forensic report with a compensation mechanism, the current level could prove to be a contained infection. If Aave’s bad debt modeling shows material losses and the LayerZero upgrade timeline extends into the second quarter, expect a second wave of TVL declines as yield seekers abandon replenishment protocols altogether toward less correlated alternatives.
Governance token valuations already view the first scenario as optimistic, as the AAVE token has lost over 20% since the exploit, and the recovery hypothesis rests entirely on whether Aave can exit cleanly from its exposure to rsETH.
The post Kelp DAO Vulnerability Takes $1 Billion, Pushes DeFi to All-Time Lows appeared first on Cryptonews Arabic.
