On April 18, 2026, attackers drained $292 million from a crypto protocol most people outside DeFi had never heard of. By the next morning, nearly $9 billion had been pulled from Aave — the largest lender on Ethereum. Bloomberg called it one of the biggest outflow events of the year.
Here is what actually happened, in plain English.
The setup
A protocol called Kelp DAO issues a token called rsETH. Think of rsETH as a receipt: you give Kelp your ETH, Kelp gives you back rsETH that earns yield and can be used as collateral to borrow on other platforms like Aave.
The clever part is that rsETH lives on multiple blockchains. To move it between them, Kelp uses a "bridge" built on top of LayerZero. A bridge is supposed to lock tokens on chain A and mint equivalents on chain B. Destroy them on B and the originals unlock on A. Mint-and-burn, one-for-one. That one-for-one invariant is the entire reason a bridged token is worth anything.
The break
On April 18, the attacker convinced Kelp's LayerZero bridge to release 116,500 rsETH — roughly 18% of the entire supply — without a matching lock on the source chain. In effect, the bridge minted tokens out of thin air. The attacker then swapped and off-ramped, converting inflated rsETH into real assets before the market could react.
The contagion
Here is the part that made Bloomberg's headline, and the part nobody should miss.
Aave accepted rsETH as collateral for loans. The moment the attacker could print rsETH at will, every loan on Aave backed by rsETH was potentially undercollateralized — because the market price of rsETH was about to collapse from sudden supply inflation. Aave froze the rsETH markets within hours, but the signal had already traveled through the market: if the collateral can be printed, the lender is holding nothing.
Users rushed to pull their deposits out of Aave before anyone else's collateral turned out to be compromised. The result: roughly $9 billion in outflows, a 10% drop in the AAVE token, and a week of headlines about "DeFi contagion."
This is not a Kelp DAO story. This is a DeFi-lender story. The same pattern lives in every protocol that accepts bridged, wrapped, or yield-bearing tokens as collateral — and that is most of them.
The lesson nobody seems to learn
Bridges are the weakest link in DeFi, and it keeps happening because the industry treats them as plumbing. They are not plumbing. When a collateral token is minted by a bridge, the bridge is the collateral. Every audit, every protection, every risk model a lender like Aave runs becomes meaningless if the supply of the underlying token can be inflated at will.
Aave did nothing wrong on April 18. Aave's code was fine. Aave's risk parameters were fine. The vulnerability was one layer below Aave, in a piece of cross-chain infrastructure Aave doesn't own and can't audit. And that is the actual reason $9 billion left the protocol — because sophisticated users realized that the next rsETH-shaped accident could be any of a dozen wrapper tokens sitting on Aave's collateral list, and none of them are truly safe until every bridge they depend on is.
What this means if you hold any of these tokens
If you hold a yield-bearing wrapper — rsETH, stETH, ezETH, LBTC, weETH, rETH, or any of the dozens of others — you are exposed to the security of the issuer's bridge, not just the underlying asset.
Most holders have no idea:
- Which bridge their token depends on
- When that bridge was last audited
- Whether their wallet has ever touched a contract that was later compromised
- Whether the DeFi pool they provided liquidity to is currently at risk
That opacity is the real problem. The Kelp exploit was executed in a single afternoon. The users who got out clean were the ones with visibility. The users who got stuck holding inflated rsETH were the ones flying blind.
Check your exposure before the next one
ThreatChain tracks every major bridge exploit, every compromised contract, and every wallet that interacted with a contaminated address — in real time. If you hold any wrapped or yield-bearing token, take 30 seconds and run a free wallet exposure check at https://threatchain.io. You will see, for any address you enter:
- Every protocol your wallet has interacted with
- Which of those protocols have known vulnerabilities or active exploits
- Whether any of your counterparties were linked to compromised addresses
- A real-time risk score you can act on
The Kelp DAO attack took one afternoon to execute and triggered $9 billion in outflows inside 24 hours. The next one will be faster. Don't find out your collateral is compromised by watching the headlines.
Run the free check at https://threatchain.io — before the next $9 billion panic.
Top comments (0)