Fintech · 20 Apr 2026 · 3 min read · By Investors Agent Desk · AI-assisted

Coin Bureau Dissects The LayerZero Bridge Flaw That Bled $293 Million From KelpDAO

Coin Bureau's Guy has published the most detailed public postmortem yet of the April 18 KelpDAO exploit, tracing the $293 million loss to a single misconfigured verifier in the LayerZero DVN architecture that underpins much of cross-chain DeFi.

Key Takeaways

  1. "On the 18th of April 2026, at approximately 17:35 UTC, an attacker called a single function on a LayerZero contract and walked away with 116,500 rsETH worth approximately $293 million from KelpDAO, making this the largest DeFi exploit of the year so far," Guy explained.
  2. Within hours, more than $6 billion had fled Aave, withdrawals were frozen across multiple front ends, and more than $10 billion had evaporated from DeFi's total value locked.
  3. By late 2024, liquid restaking tokens had become one of the most aggressive yield primitives in DeFi.

The KelpDAO exploit that drained $293 million of ether-denominated restaking collateral on 18 April has been picked apart in a detailed technical postmortem from Coin Bureau, with host Guy arguing the loss was not an isolated protocol failure but a warning shot about the infrastructure that much of cross-chain decentralised finance runs on.

"On the 18th of April 2026, at approximately 17:35 UTC, an attacker called a single function on a LayerZero contract and walked away with 116,500 rsETH worth approximately $293 million from KelpDAO, making this the largest DeFi exploit of the year so far," Guy explained.

The aftermath was brutal. The stolen collateral was rehypothecated into borrowing positions against Aave, Compound and Euler within minutes, pulling roughly a quarter of a billion dollars in clean ether out of lending markets. Within hours, more than $6 billion had fled Aave, withdrawals were frozen across multiple front ends, and more than $10 billion had evaporated from DeFi's total value locked.

Coin Bureau's postmortem focuses on the mechanism rather than the numbers. KelpDAO is a liquid restaking protocol built on top of EigenLayer. Its flagship token, rsETH, represents ether that has been deposited, staked on Ethereum, and then restaked across additional services to generate layered yield. By late 2024, liquid restaking tokens had become one of the most aggressive yield primitives in DeFi. By the time of the April exploit, the drained 116,500 rsETH represented around 18% of the entire circulating supply.

That supply was supposed to be backed one-for-one by actual ether held in the protocol's reserves. The mechanism that moved rsETH between Ethereum mainnet and other chains such as Unichain was a LayerZero omnichain fungible token adapter — the OFT standard — secured by a so-called Decentralised Verifier Network, or DVN.

"The integrity of that bridge depends entirely on a component called the Decentralized Verifier Network, or DVN," Guy said.

In LayerZero's design, a DVN is a set of independent nodes that attest cross-chain messages before they are executed on the destination chain. A well-configured DVN should require multiple verifiers with independent trust assumptions to sign off on any bridge movement. What KelpDAO had deployed, according to Coin Bureau's reconstruction, was a far weaker configuration — effectively a single verifier acting as the sole attestor. When that verifier's signing key was compromised, the attacker could mint rsETH on a secondary chain without any corresponding ether ever being locked on the mainnet.

The attack was not an Ethereum smart-contract bug. It was not a vulnerability in LayerZero's core code. It was a configuration choice at the protocol level that reduced a theoretically decentralised bridge to a single point of failure. Once the key was obtained, the exploit took one function call.

The implications extend well beyond KelpDAO. Coin Bureau's analysis suggests that similar DVN configurations remain live across other LayerZero integrations — including mid-sized protocols whose security teams may not have audited the verifier setup as rigorously as the headline contracts they launched with. Any OFT-based bridge where the DVN collapses to a single external attestor carries structurally the same risk.
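
The check implied by the DVN description and the warning above, as an added example that is not from Coin Bureau, KelpDAO or LayerZero: for each bridge pathway it computes the fewest distinct operators whose keys would suffice to attest a message, and flags pathways where that number is below two. The config field names, pathway names, DVN addresses and operator mapping are all constructed, and the quorum model (every required DVN plus a threshold of optional DVNs) is an assumption.

```python
from collections import Counter

# Constructed sample data: pathway names, DVN addresses and operators are made up.
OPERATOR = {"0xDVN_A": "op1", "0xDVN_B": "op2", "0xDVN_C": "op3",
            "0xDVN_D": "op3", "0xDVN_E": "op4", "0xDVN_F": "op1"}
PATHWAYS = {
    "mainnet->chainA": {"required_dvns": ["0xDVN_A"],
                        "optional_dvns": [], "optional_threshold": 0},
    "mainnet->chainB": {"required_dvns": ["0xDVN_A", "0xDVN_B"],
                        "optional_dvns": ["0xDVN_C", "0xDVN_D", "0xDVN_E"],
                        "optional_threshold": 2},
    # Two verifier addresses, but both run by op1: still one key holder.
    "mainnet->chainC": {"required_dvns": ["0xDVN_A", "0xDVN_F"],
                        "optional_dvns": [], "optional_threshold": 0},
}

def min_operators_to_attest(cfg, operator_of):
    """Fewest distinct operators whose keys suffice to attest a message."""
    optional = cfg["optional_dvns"]
    threshold = cfg["optional_threshold"]
    if threshold > len(optional):
        raise ValueError("optional_threshold exceeds number of optional DVNs")

    def op(dvn):
        # A DVN with no known operator is treated as its own operator.
        return operator_of.get(dvn, dvn)

    needed = {op(d) for d in cfg["required_dvns"]}  # every required DVN signs
    # Optional DVNs run by an operator already counted add no independence.
    have = sum(1 for d in optional if op(d) in needed)
    groups = Counter(op(d) for d in optional if op(d) not in needed)
    # Greedy is optimal: the largest operator groups reach the threshold first.
    for operator, size in groups.most_common():
        if have >= threshold:
            break
        needed.add(operator)
        have += size
    return len(needed)

def audit(pathways, operator_of, minimum=2):
    """Map each pathway below `minimum` independent operators to its count."""
    findings = {}
    for name, cfg in pathways.items():
        n = min_operators_to_attest(cfg, operator_of)
        if n < minimum:
            findings[name] = n
    return findings

if __name__ == "__main__":
    for name, n in audit(PATHWAYS, OPERATOR).items():
        print(f"{name}: {n} independent operator(s) can attest alone")
```

Note that `mainnet->chainB` lists five verifier addresses but needs only three operators, because one operator runs two of the optional DVNs; counting addresses instead of key holders overstates the quorum.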

For retail holders of liquid restaking tokens, the practical takeaway is to check not only the underlying protocol's smart-contract audits but also the bridge topology of each chain the token trades on. A safe rsETH on Ethereum can become a worthless IOU on another chain if the DVN on that chain has been compromised.

The broader message is that DeFi's push into layered yield — staking, restaking, liquid restaking, and cross-chain wrapping of those positions — has outpaced the auditing culture that should accompany it. Each additional primitive adds assumed-trust components that most users cannot easily see. The KelpDAO exploit forced that invisible assumption into the open, and Coin Bureau's postmortem makes clear that the architecture that enabled it is still widely in production.