A major decentralized finance incident on April 18, 2026, exposed a critical weakness outside smart contracts after attackers extracted 116,500 rsETH, valued at roughly $292 million, from KelpDAO. The operation has been attributed to Lazarus Group and stands among the largest DeFi breaches this year.

Security expert Oleg Bondar provided a detailed reconstruction of the incident, which shows that core contracts across LayerZero and Aave executed exactly as designed. The failure occurred at the infrastructure level, not in contract logic.

Attack bypasses smart contract vulnerabilities

Unlike common exploits that rely on reentrancy or oracle manipulation, this incident followed a different path. The attacker targeted the cross-chain verification process that supports rsETH transfers across multiple networks.

Bondar’s analysis highlights a critical configuration choice: a single verifier setup within LayerZero’s Decentralized Verifier Network (DVN). This design created a single point of failure. The attacker exploited that weakness by manipulating the data source rather than the verification logic itself.

“The smart contracts — KelpDAO’s, LayerZero’s, Aave’s — all behaved exactly as written.”

The attacker compromised two RPC nodes that supplied blockchain data to the verifier. These nodes returned valid data under normal conditions but delivered falsified transaction details when queried by the DVN. At the same time, the attacker launched a denial-of-service attack against healthy RPC endpoints. This forced the system to rely on compromised nodes.

With the verifier relying on poisoned data, the attacker submitted a fraudulent cross-chain message. The system accepted the message as valid. This triggered the release of 116,500 rsETH to an attacker-controlled wallet.

Fake collateral triggers systemic risk

The attacker quickly moved to convert the exploit into usable liquidity. The unbacked rsETH entered Aave as collateral. This enabled the borrowing of approximately $236 million in ETH and WETH.

This action created immediate bad debt within Aave. The protocol responded by freezing rsETH markets. Liquidity conditions worsened across major pools. USDC, USDT, and WETH reserves reached full utilization, which blocked withdrawals.

Bondar describes the scale of the impact clearly:

“Around 80% of the protocol's liquidity had been deposited in fake rsETH as collateral in Aave, the largest lending protocol, borrowing real WETH/ETH and creating significant bad debt.”

The crisis extended beyond a single protocol. Other platforms introduced restrictions to prevent further contagion. Lending markets paused key assets to stop users from exploiting the imbalance.

Arbitrum intervenes to contain damage

A portion of the stolen funds moved to Arbitrum. Network governance intervened through an emergency action. The Arbitrum Security Council froze 30,766 ETH linked to the attacker’s address.

This intervention reduced the attacker’s ability to move funds freely. It also introduced renewed debate about decentralization and emergency controls in blockchain ecosystems.

Structural weaknesses come into focus

The incident highlights a broader issue in DeFi security. Audited smart contracts do not guarantee system safety when external infrastructure remains vulnerable. RPC nodes, which supply blockchain data, became the weakest link in this case.

Bondar’s breakdown also points to a gap between recommended and default configurations. Many protocols adopt default settings without adjustment. In this case, a single verifier model increased systemic risk.

Cross-chain architecture amplified the damage. rsETH exists across more than 20 networks. A failure at the bridge level affected all connected environments at once. This created a rapid cascade across lending and liquidity systems.

Lazarus evolves attack strategies

The timing of the exploit adds further concern. The same group has been linked to another major DeFi incident earlier in April. The two attacks relied on different methods. One targeted human factors, while this one targeted infrastructure.

The pattern suggests rapid iteration in attack design. Defensive measures have not kept pace with this evolution. The gap between protocol complexity and operational security continues to widen.

A new phase of DeFi risk

This exploit marks a shift in how large-scale attacks unfold. Code integrity no longer defines the primary risk. External dependencies, especially cross-chain infrastructure, now play a decisive role.

The incident also demonstrates how quickly liquidity crises can develop. A single exploit created bad debt, froze markets, and disrupted multiple protocols within hours.

As Bondar’s reconstruction shows, the industry faces a different class of threat. The next wave of security improvements must address infrastructure trust, not just contract design.

How to Day Trade Crypto - Strategies, Tools, and Risk Management | HODL FM NEWS
Beginner’s guide to crypto day trading covering strategies, key indicators, risk management rules, and why most traders fail in volatile short-term markets.
hodl-post-imageHODL FM News: The Wildest Ride in the Crypto MarketMatvii Diadkov
hodl-post-image

Disclaimer: All materials on this site are for informational purposes only. None of the material should be interpreted as investment advice. Please note that, despite the nature of much of the material created and hosted on this website, HODL FM operates as a media and informational platform, not a provider of financial advisory services. The opinions of authors and other contributors are their own and should not be taken as financial advice. If you require advice, HODL FM strongly recommends contacting a qualified industry professional.