Kelp DAO was the first domino. Aave was the second.
Last weekend, an attacker drained 116,500 rsETH, worth about $292 million, from Kelp DAO's LayerZero-powered bridge. It's the biggest DeFi exploit of 2026 so far. The hit didn't stay inside Kelp. The stolen funds moved straight into Aave, triggered a liquidity crisis, and wiped roughly $8 billion off one of DeFi's biggest lending platforms.
How The Hack Actually Worked
Kelp's bridge used a single-signer design to approve cross-chain transactions. The attacker poisoned two RPC nodes, ran a DDoS attack on the validation layer, and got a fraudulent message signed that authorized the minting of hundreds of millions in rsETH.
One signature. One validator. A design flaw that's been flagged for years. Kelp is pointing at a LayerZero breach as the root cause. On-chain analysts are tying the attacker's behavior to North Korea's Lazarus Group.
Why Aave Got Dragged In
The attacker didn't just walk away with rsETH. They deposited it into Aave V3 as collateral. Then they borrowed wrapped ETH and staked ETH against it and moved those assets out the door.
That move spooked every big depositor on Aave. Users started pulling funds, worried that more bad collateral was sitting in the protocol. Roughly $8 billion walked in less than 48 hours. The AAVE token dropped 20% on the day.
Think of it like a bank running on good collateral until a suspect check clears into the vault. The moment depositors see it, they don't wait for the audit.
The Containment Move
Arbitrum froze over $71 million in ETH tied to the attacker's addresses. Kelp has been trying to coordinate with LayerZero, but the two are trading blame publicly. Funds are now stranded across 20 chains.
This is the first real stress test for Aave's post-Ethereum lending engine. So far, the protocol itself is solvent. The confidence hit is another story.
Why LayerZero Keeps Coming Up
A bridge in crypto is the piece of software that moves a token from one chain to another. You lock the token on chain A, the bridge signs off, and a copy of the token shows up on chain B. LayerZero is one of the biggest providers of that plumbing, and Kelp's rsETH moved through it.
The weak point is the "signs off" step. If only one signer approves the cross-chain message, anyone who compromises that signer can mint fake tokens on the other side. That's what happened here.
Ronin lost $625 million in 2022 on a similar single-signer design. Wormhole lost $320 million the same way. Multi-sig validation, where multiple independent signers have to agree before a bridge message clears, is the fix that's been sitting on the table for years. Kelp hadn't implemented it yet.
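To make the "signs off" step concrete, here is an added example (not Kelp's or LayerZero's code) of a destination-side check that accepts a bridge message only when a threshold of distinct registered signers has signed it. The Attestation type, the VerifyQuorum and Demo names, the Ed25519 choice, and the keys and messages are all assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Attestation is one signer's signature over a bridge message (hypothetical type).
type Attestation struct {
	Signer int // index into the registered signer set
	Sig    []byte
}

// VerifyQuorum reports whether at least threshold DISTINCT registered signers
// produced a valid signature over msg. Duplicates and unknown signers are ignored.
func VerifyQuorum(msg []byte, atts []Attestation, signers []ed25519.PublicKey, threshold int) bool {
	if threshold < 1 || threshold > len(signers) {
		return false
	}
	valid := map[int]bool{}
	for _, a := range atts {
		if a.Signer < 0 || a.Signer >= len(signers) || valid[a.Signer] {
			continue
		}
		if ed25519.Verify(signers[a.Signer], msg, a.Sig) {
			valid[a.Signer] = true
		}
	}
	return len(valid) >= threshold
}

// Demo uses constructed keys and messages; signer 0 plays the compromised signer.
func Demo() (oneOfOne, duplicated, forged2of3, honest2of3 bool) {
	pubs, privs := make([]ed25519.PublicKey, 3), make([]ed25519.PrivateKey, 3)
	for i := range pubs {
		pubs[i], privs[i], _ = ed25519.GenerateKey(nil) // nil selects crypto/rand
	}
	forged := []byte("constructed: mint rsETH with no lock on the source chain")
	bad := Attestation{0, ed25519.Sign(privs[0], forged)}
	oneOfOne = VerifyQuorum(forged, []Attestation{bad}, pubs[:1], 1)
	duplicated = VerifyQuorum(forged, []Attestation{bad, bad}, pubs, 2)
	forged2of3 = VerifyQuorum(forged, []Attestation{bad, {1, ed25519.Sign(privs[1], []byte("other"))}}, pubs, 2)
	real := []byte("constructed: mint rsETH backed by a confirmed lock")
	honest2of3 = VerifyQuorum(real, []Attestation{{1, ed25519.Sign(privs[1], real)}, {2, ed25519.Sign(privs[2], real)}}, pubs, 2)
	return
}

func main() {
	fmt.Println(Demo())
}
```

With one registered signer the forged message clears. With a 2-of-3 threshold the same compromised key is not enough, even when its signature is submitted twice.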
Worth Noting
Bridges have been the weak spot in DeFi for years. Ronin lost $625 million in 2022. Wormhole lost $320 million. Kelp's hit is in the same range.
The lesson is the same one every time. Multi-sig validation or it's not safe. Kelp had one signer. It's down $292 million.
