At 1:35 AM on April 19, 2026 (UTC+8), the LayerZero-based rsETH cross-chain bridge of Kelp DAO was targeted by an attacker. Within just a few dozen minutes, 116,500 rsETH were drained from the cross-chain bridge, estimated to be approximately $292 million at the time of the incident. This figure accounted for 18% of the total circulating amount of rsETH, instantly breaking the market's psychological line of defense regarding the security of this LSD asset and setting off alarm bells across multi-chain DeFi protocols. On the surface, the incident was the result of a contract call exploitation, but the deeper conflict was that the fragile cross-chain bridge was becoming a single point of failure for the entire chain ecosystem, with LayerZero, once considered a "safer" cross-chain foundation, facing a trust crisis in this incident.
46 Minutes Breached: rsETH Cross-Chain Bridge Defense Collapses
According to the public timeline, the attack officially began at 1:35 AM on April 19, with the attacker launching continuous operations targeting Kelp DAO’s LayerZero rsETH cross-chain bridge. From the appearance of the first malicious transaction to the triggering of the project's emergency pause mechanism, only about 46 minutes elapsed. On the time scale of the blockchain world, this means that the defense line "collapsed before being discovered," leaving an extremely limited response window for monitoring and risk control systems.
Known facts show that the core technique of the attack revolved around the `lzReceive` function of the LayerZero Endpoint V2 contract. The attacker did not directly pry open Kelp DAO’s business contract but rather exploited the cross-chain message entry point, manipulating the message reception and processing stages so that the bridge placed "complete faith" in abnormal messages, and thereby withdrew rsETH from the bridge. As the official party has yet to disclose more detailed technical fields and implementation specifics, the outside world can currently only confirm the key position of `lzReceive` in the attack path, without being able to accurately replay every operation step.
In terms of scale, the loss figure of 116,500 rsETH, approximately $292 million, currently comes from a single statistical source, but it is enough to shake the industry; some institutions have directly rated it as "one of the largest DeFi attacks of 2026 so far." This characterization itself highlights the market consensus regarding the magnitude of this incident: it is not merely a minor accident on a niche chain, but a significant black swan event that can make it into the annual security history. It should be emphasized that, in the absence of multi-source cross-validation, this amount and valuation still carry a degree of uncertainty, but given its 18% share of the total circulating supply, the impact on the foundations of the rsETH ecosystem needs no further embellishment.
Aave Unscathed but Shaken: How Firewalls Prevented a Chain Reaction
From the contract perspective, this attack did not directly involve the underlying code of leading lending protocols like Aave, and Aave's official statement clearly indicated that "Aave contracts themselves were not exploited." However, in the actual operational structure, rsETH is already deeply embedded in the collateral and liquidity pools of protocols like Aave. The incident with the cross-chain bridge quickly unraveled the security assumption of a key collateral asset. To prevent risks from spreading through collateral and liquidation pathways to broader assets, Aave was forced to quickly freeze markets related to rsETH and cut off potential contagion chains.
Similar reactions were not isolated. After the attack was confirmed and public opinion began to spread, protocols like SparkLend and Fluid, which integrated rsETH or its derivative liquidity, almost simultaneously took preventive actions such as freezing, pausing, and restricting interactions: some directly disabled rsETH-related lending markets, while others temporarily raised collateral discounts or closed new position entrances. The on-chain manifestation was a series of emergency parameter modifications and administrator calls, while off-chain it involved teams and risk groups in high-pressure communications across time zones. At that moment, “multi-protocol emergency linkage” transformed from a concept into a real pressure test scenario.
The market's pricing of risk transmission was also rapidly reflected on the charts. Following the incident, the price of the governance token AAVE temporarily fell by about 10%; even though Aave itself was not a direct victim, it still faced selling pressure in terms of sentiment and expectations. This decline reflected investors re-evaluating the “externality risk posed by integrating third-party assets”: even if the underlying code is secure, as long as the collateral ecosystem has vulnerabilities, the protocol’s value and token price become difficult to maintain.
As a result, the multi-protocol linkage freeze somewhat curtailed a systemic crash: there was no large-scale liquidation crash or waterfall in mainstream asset prices, which indicates that DeFi has preliminarily established a consensus mechanism of "shutting the valve before something goes wrong" following the previous round of security incidents. However, deficiencies are also evident: the emergency response relies heavily on teams quickly aligning via social channels and private chats, lacking standardized processes and automated circuit breaker logic. Each major incident still depends on person-to-person communication as a fallback, and this "temporary group chat self-rescue" remains a long way from a truly systemic risk management approach.
LayerZero Trust Wavering: The Myth of Safer Cross-Chain Shattered
The technical entry point of this attack directly points to the LayerZero tech stack. At the beginning of the story, LayerZero is often packaged as a “next-generation cross-chain infrastructure”: reducing single-point risks of multi-signature bridges and simple lock-up bridges through message transmission and oracle combinations, creating an overall impression of being “better structured and therefore safer.” However, the April 19 attack coldly reminded the industry that, no matter how the narrative evolves, cross-chain bridges remain one of the most fragile weak links in DeFi.
On the factual level, the attacker exploited the `lzReceive` function path in the LayerZero Endpoint V2 contract to carry out the attack. This means the problem does not lie at the edge integration level but has deeply penetrated into the "central nervous system" of cross-chain message processing. For protocols and investors that have long viewed LayerZero as “more trusted infrastructure,” this contrast constitutes a trust reassessment: is the so-called “safer” ultimately a theoretical advantage in architectural design, or an empirical conclusion verified through multiple incidents? This event clearly leans more towards the former.
What is even more concerning is that the breach of the V2 contract exposed the systemic risk in cross-chain messaging and permission designs. Cross-chain protocols often need to balance “composability” and “least privilege”; if there are flaws in the message processing logic regarding permission verification, replay protection, and state consistency, attackers can potentially exploit a single message to manipulate multi-chain states and achieve a logically “cross-domain flash loan”-like attack. Although more specific technical fields have not been disclosed for this incident, it suffices to show that cross-chain bridge issues are never just about the security of signatures or custody forms, but rather a governance challenge of the entire message lifecycle.
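The three checks this paragraph names (permission verification, replay protection, state consistency) modelled as an added Python example; it is not LayerZero's or Kelp DAO's code and does not reconstruct the incident. The `Message` and `BridgeReceiver` shapes, chain id 101 and the per-route `locked` ledger are assumptions.

```python
from dataclasses import dataclass, field

class Rejected(Exception):
    """An inbound cross-chain message failed a receive-side check."""

@dataclass(frozen=True)
class Message:                 # hypothetical message shape
    src_chain: int             # chain the message claims to come from
    sender: str                # contract that sent it on that chain
    nonce: int                 # per-route sequence number
    amount: int                # token units to release on this chain

@dataclass
class BridgeReceiver:          # hypothetical model of a lock/release bridge
    endpoint: str              # the only caller allowed to deliver messages
    peers: dict                # src_chain -> trusted sender on that chain
    locked: dict               # src_chain -> units previously locked toward it
    next_nonce: dict = field(default_factory=dict)

    def receive(self, caller: str, msg: Message) -> int:
        # 1. Permission: the endpoint delivers, on behalf of a registered peer.
        if caller != self.endpoint:
            raise Rejected("caller is not the endpoint")
        if self.peers.get(msg.src_chain) != msg.sender:
            raise Rejected("sender is not the registered peer")
        # 2. Replay protection: nonces are consumed strictly in order.
        expected = self.next_nonce.get(msg.src_chain, 1)
        if msg.nonce != expected:
            raise Rejected("nonce already used or out of order")
        # 3. State consistency: a route never releases more than it locked.
        if not 0 < msg.amount <= self.locked.get(msg.src_chain, 0):
            raise Rejected("amount exceeds what this route has locked")
        # Effects happen only after every check has passed.
        self.next_nonce[msg.src_chain] = expected + 1
        self.locked[msg.src_chain] -= msg.amount
        return self.locked[msg.src_chain]      # units still owed to the route

def outcomes(receiver, deliveries):
    """Apply (caller, Message) pairs; return remaining units or the rejection reason."""
    results = []
    for caller, msg in deliveries:
        try:
            results.append(receiver.receive(caller, msg))
        except Rejected as err:
            results.append(str(err))
    return results

# Constructed deliveries: a valid release, its replay, a forged peer, an over-release.
SAMPLE = [("endpoint", Message(101, "peer", 1, 400)), ("endpoint", Message(101, "peer", 1, 400)),
          ("endpoint", Message(101, "rogue", 2, 100)), ("endpoint", Message(101, "peer", 2, 900))]
```

A rejected message leaves the nonce counter and the ledger untouched, so a later valid message on the same route is still accepted.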
In this context, the boundaries of security audits have also been brought to the forefront again. Many protocols tout "being audited by multiple firms" as a selling point, but audits are essentially passive scans based on known patterns and limited time windows, making it hard to cover all interaction paths in complex composite scenarios, let alone simulate an attacker’s creative explorations driven by real economic incentives. In this incident, regardless of how many audits LayerZero or Kelp DAO had previously undergone, they could not prevent the attack from completing its closed loop within 46 minutes, indicating that ongoing defenses, real-time monitoring, and emergency drills in a production environment are still far behind the pace of asset scale expansion.
Two Incidents in One Year: The Trust Rift of rsETH
For Kelp DAO, this is not the first time it has found itself in the spotlight. Research briefs clearly state that this is the second security incident related to rsETH within a year. In the security narrative, "repeat victims" often find it harder to gain forgiveness compared to "first-time victims" because it suggests that the risk is not a random collision but rather an inevitable outcome accumulated from systemic weaknesses and governance flaws over time. Consequently, rsETH has been tagged as a "repeat victim," which not only puts pressure on the technical team but also tests the whole protocol's governance and risk management capabilities.
From the asset structure perspective, the stolen 116,500 rsETH accounted for 18% of the total circulation. Such a proportion deals multiple blows to rsETH’s collateral rate, liquidity depth, and market discount expectations. On one hand, the assets drained from the bridge cast doubt on the mapping between on-chain credentials and off-chain rights, leading holders to naturally seek higher risk compensation, reflected in an expanded secondary market discount and a forced downward adjustment in borrowing collateral rates; on the other hand, the supply expectations of rsETH in liquidity pools contracted, causing market makers and arbitrageurs to tighten their positions, further weakening depth and widening spreads and slippage.
More troublesome is that rsETH is not an isolated asset but is widely embedded in various protocols such as lending and derivatives. On the lending side, rsETH is often used as collateral for leveraged hedging; in derivatives and yield aggregators, it serves as the underlying asset for complex strategies. Once the core cross-chain infrastructure fails, all upper-layer protocols must reevaluate their collateral value and liquidation mechanisms, and this “full-stack revaluation” will amplify chain reactions: certain strategies will be forced to liquidate, funds will move to more traditional assets, and overall risk appetite will decline.
In the context of "two incidents in a year," a harsh question emerges: can the trust rift between rsETH and its institutions and users still be repaired? For yield-chasing native DeFi players, perhaps a low enough price and high enough yield can bring about a new cycle; but for institutional funds that place more importance on risk governance and long-term stability, the “frequency of security events” often serves as a hard selection criterion. Once labeled a “high-risk protocol,” re-entering the mainstream asset basket becomes a long and costly process.
The $290 Million Pit and the Paradox of Security and Efficiency in DeFi
Viewing this attack as a sample, the struggle between two paths in DeFi development becomes clear: one is to "quickly launch new assets," integrating LSD and cross-chain yield assets like rsETH quickly to seize narratives and TVL; the other is to "slowly build security infrastructure," iteratively refining the underlying architectures for cross-chain, oracle, and permission management, sacrificing short-term growth for robustness. In reality, most projects choose the former under competitive pressure, treating security construction as a project that can be “fixed while running,” until a $290 million-level hole tears open, forcing them to pay for their previous choices.
Cross-chain bridges, LSDs, and lending protocols all fundamentally chase maximum yield and capital efficiency: cross-chain bridges seek to improve asset turnover speed and composability, LSDs aim to release liquidity of staked assets, and lending protocols promote high leverage and utilization rates as selling points. Under this structural incentive, the compression of the system's “safety margin” is almost an inevitable outcome: with more diverse collateral, more complex paths, and higher leverage, the safety redundancies in every link will gradually be squeezed away until any weak point is discovered and magnified by an attacker.
The firefighting process of this event also exposed the industry’s primitive state in risk linkage and circuit breaker mechanisms. Cross-protocol collaboration relies more on ad-hoc communication: teams inform each other about risks on social media or private chats, and then each modifies parameters and pauses functionalities. This “group chat self-rescue” might be feasible in isolated events, but it can hardly become a replicable standard solution in the face of future attacks that may be larger in scale and higher in frequency. What protocols need are standardized risk linkage and mandatory circuit breaker mechanisms: for instance, when a particular cross-chain infrastructure enters a high-risk state, downstream integrated protocols can automatically trigger throttling, increase margins, or even one-click freeze related markets, rather than manually pulling the plug repeatedly.
For investors, this $290 million hole raises a more realistic issue: how should risk premiums be re-priced between high-yield narratives and recurrent security incidents? In the past, many participants were accustomed to measuring opportunities using APR and TVL, yet seldom priced for the tail risk of “protocol potentially going to zero”; nowadays, each cross-chain or LSD-related black swan is a systemic correction to this pricing logic. What probability of asset loss one is willing to bear in exchange for high yields is the bottom-line question that everyone must confront.
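One way to automate the linkage this paragraph calls for, as an added Python example rather than any protocol's own code: a rolling-window breaker that escalates from throttling to margin increases to a market freeze as the share of supply leaving a bridge grows. The thresholds, the 600-second window, all names and the sample transfers are assumptions; the supply figure is derived from the article's 116,500 and 18%.

```python
from collections import deque
from enum import IntEnum

class Level(IntEnum):
    NORMAL = 0
    THROTTLE = 1       # cap new positions against the asset
    RAISE_MARGIN = 2   # demand more collateral
    FREEZE = 3         # freeze the related markets

class OutflowBreaker:
    """Escalates on the share of supply that left the bridge in a rolling window."""
    # Assumed thresholds (share of circulating supply), highest first.
    TIERS = ((0.05, Level.FREEZE), (0.02, Level.RAISE_MARGIN), (0.005, Level.THROTTLE))

    def __init__(self, supply: int, window_s: int = 600):
        self.supply, self.window_s = supply, window_s
        self.events = deque()          # (timestamp_s, amount) inside the window
        self.in_window = 0
        self.level = Level.NORMAL

    def observe(self, ts: int, amount: int) -> Level:
        self.events.append((ts, amount))
        self.in_window += amount
        while self.events[0][0] <= ts - self.window_s:   # expire old outflows
            self.in_window -= self.events.popleft()[1]
        share = self.in_window / self.supply
        for threshold, level in self.TIERS:
            if share >= threshold:
                # Latch upwards: only an explicit reset lowers the level.
                self.level = max(self.level, level)
                break
        return self.level

    def reset(self) -> None:
        self.level = Level.NORMAL

def replay(events, supply):
    """Feed (timestamp_s, amount) outflows to a fresh breaker; return each level."""
    breaker = OutflowBreaker(supply)
    return [breaker.observe(ts, amount) for ts, amount in events]

# Constructed sample, not the real transaction pattern: routine withdrawals,
# then 116,500 units in ten equal transfers. Supply is 116,500 / 0.18, rounded.
SUPPLY = 647_000
ROUTINE = [(0, 500), (300, 800), (900, 400)]
DRAIN = [(2000 + i * 276, 11_650) for i in range(10)]
```

In this constructed replay the breaker reaches `FREEZE` on the third transfer, after 34,950 of the 116,500 units have left.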
Black Swan or Inevitable Explosion: Where Will the Next Cross-Chain Crisis Occur?
Returning to the rsETH cross-chain bridge attack itself, several core issues have clearly emerged. Firstly, cross-chain bridges remain the weakest link in the DeFi ecosystem; regardless of the new architecture used, as long as they bear the functions of multi-chain asset mapping and message routing, the spillover effect after being attacked is very difficult to confine within a single protocol. Secondly, the protective capacity of audits has a natural upper limit: in the face of complex composite scenarios and highly dynamic on-chain interactions, merely conducting a one-time static audit before going live is far from sufficient; ongoing monitoring, attack-defense drills, and emergency plans are decisive variables. Finally, the current multi-protocol linkage emergency response remains highly passive, and there remains a significant distance from genuinely realizing “cross-ecosystem risk management.”
From a broader perspective, the DeFi security narrative is evolving from “single protocol offense and defense” to a new phase of “cross-ecosystem risk management.” The focus of past discussions was whether a particular protocol had reentrancy vulnerabilities or whether oracles were manipulated; now, perspectives must expand to “how many upstream and downstream protocols will be affected if this infrastructure encounters issues” and “how many on-chain asset states a cross-chain message can influence.” This forces regulators, auditing agencies, and infrastructure providers to redefine responsibility boundaries: regulators may focus more on cross-chain bridges and system-critical infrastructure; auditing agencies need to transition from contract reviews to full-stack risk assessments; and infrastructure providers must take on the obligation to educate integrated protocols within the ecosystem and warn them of risks.
For every participant, this incident also provides a simple yet brutal investment principle: when pursuing new narratives and high-yield assets, constantly ask one question—“Will it become the next rsETH?” If you cannot clearly answer: Where is the cross-chain path? What underlying infrastructures does it depend on? Who will back it up if something goes wrong? Is there a standardized circuit breaker and risk control mechanism? Then, no matter how attractive the APR is, this opportunity may just be another ticking time bomb. After the darkest night of the cross-chain bridge, what truly needs to be reassessed may not be the price of a single project, but rather the collective consensus of the entire industry on the boundaries between “safety” and “efficiency.”




