Kelp DAO's $290M Exploit Highlights Systemic Risks for NFT Wallets in DeFi
On April 18, 2026, Kelp DAO, a liquid restaking protocol operating on Ethereum, suffered an exploit that resulted in damages estimated at around $290 million. The breach, associated with vulnerabilities in its LayerZero cross-chain system, prompted the suspension of rsETH contracts across both mainnet and Layer 2 networks. LayerZero pinpointed the problem to KelpDAO's "1-of-1 DVN" model, which introduced a critical single point of failure. The attack exploited RPC infrastructure to validate fraudulent transactions. Following the incident, the AAVE token plummeted by 17%, dropping from $111 to $92, while Aave's Total Value Locked decreased from $26.3 billion to $17.9 billion. The overall DeFi TVL fell from $99.4 billion to $86.2 billion. Kelp DAO and LayerZero are collaborating with auditors for a thorough investigation.
Key facts
- Kelp DAO was exploited for approximately $290 million on April 18, 2026.
- The exploit was related to security configurations in the cross-chain system using LayerZero.
- Kelp DAO paused rsETH contracts on mainnet and multiple Layer 2 networks.
- LayerZero confirmed the exploit stemmed from KelpDAO's "1-of-1 DVN" model implementation.
- The AAVE token dropped about 17% following the incident.
- Aave's Total Value Locked (TVL) fell from about $26.3 billion to $17.9 billion.
- Total DeFi TVL dropped from approximately $99.4 billion to $86.2 billion.
- NFT wallets face indirect risks due to interconnected DeFi activities and shared collateral positions.
Entities
Institutions
- Kelp DAO
- LayerZero
- Aave
- DefiLlama
- Revoke.cash
- NFT Plazas