TL;DR:
- The KelpDAO rsETH bridge suffered an exploit on April 18, resulting in the loss of approximately 116,500 rsETH, valued at around $293 million.
- David Schwartz, Ripple’s CTO, linked the attack to weak security configurations (1-of-1 model) chosen for operational convenience over available robust protections.
- Justin Sun, founder of Tron, publicly appealed to the hacker to negotiate a deal, arguing the impossibility of spending such a massive sum in a tracked environment.
Following the largest exploit of 2026, the liquid restaking protocol KelpDAO is going through a deep crisis, losing over $293 million due to a vulnerability in its bridge with LayerZero. The event triggered a chain reaction, forcing Aave to freeze markets after accumulating bad debt, while prominent industry figures like David Schwartz and Justin Sun intervene publicly.
I evaluated a lot of DeFi bridging systems for use by RLUSD. I was almost exclusively focused on the security and risk aspect. One thing I noticed is that most schemes were very well designed and had really strong mechanisms available to protect against exactly the type of attack…
— David 'JoelKatz' Schwartz (@JoelKatz) April 20, 2026
Technically, the attack exploited a “one-of-one” verification configuration in the bridge, a single point of failure that allowed the validation of forged messages. Before the freeze, the attacker used the stolen rsETH as collateral in Aave v3 to take massive loans in wETH, raising systemic risks. Currently, KelpDAO’s TVL, which was around $1.5 billion, and Aave’s markets are under severe pressure.
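The single point of failure described above, shown as an added example that is not code from KelpDAO, LayerZero or the article's sources: a toy quorum check in which a message forged with one compromised verifier key passes a 1-of-1 configuration and fails a 2-of-3 one. HMAC tags stand in for verifier signatures, and every name, key and message is constructed for illustration.

```python
import hashlib
import hmac

# Constructed verifier keys (hypothetical names; HMAC stands in for signatures).
ALL_VERIFIERS = {"verifier-a": b"key-a", "verifier-b": b"key-b", "verifier-c": b"key-c"}
ONE_OF_ONE = {"verifier-a": ALL_VERIFIERS["verifier-a"]}

def attest(key: bytes, message: bytes) -> bytes:
    """Tag a verifier would produce for a message it has checked."""
    return hmac.new(key, message, hashlib.sha256).digest()

def accept(message: bytes, attestations: dict, verifiers: dict, threshold: int) -> bool:
    """Accept only if at least `threshold` distinct configured verifiers attest."""
    if not 1 <= threshold <= len(verifiers):
        raise ValueError("threshold must be between 1 and the number of verifiers")
    valid = {
        name for name, tag in attestations.items()
        if name in verifiers
        and hmac.compare_digest(tag, attest(verifiers[name], message))
    }
    return len(valid) >= threshold

def audit(verifiers: dict, threshold: int) -> list:
    """Flag configurations where one compromised verifier is enough."""
    findings = []
    if threshold == 1:
        findings.append("threshold is 1: a single verifier can approve any message")
    if len(verifiers) == 1:
        findings.append("only one verifier configured: no independent check exists")
    return findings

# Constructed messages: one legitimate, one forged by whoever holds key-a.
LEGIT = b"release 10 tokens to user (constructed)"
FORGED = b"release 999999 tokens to attacker (constructed)"
legit_attestations = {n: attest(ALL_VERIFIERS[n], LEGIT) for n in ("verifier-a", "verifier-b")}
forged_attestations = {"verifier-a": attest(ALL_VERIFIERS["verifier-a"], FORGED)}

if __name__ == "__main__":
    print("1-of-1 accepts forged:", accept(FORGED, forged_attestations, ONE_OF_ONE, 1))
    print("2-of-3 accepts forged:", accept(FORGED, forged_attestations, ALL_VERIFIERS, 2))
    print("2-of-3 accepts legit: ", accept(LEGIT, legit_attestations, ALL_VERIFIERS, 2))
    print("audit of 1-of-1:", audit(ONE_OF_ONE, 1))
```

Running `audit` over deployed verifier settings before launch is the kind of check that surfaces a 1-of-1 configuration while it is still cheap to change.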
Security Failures and Calls for Negotiation
Ripple’s CTO, David Schwartz, strongly criticized the infrastructure decisions, suggesting that KelpDAO prioritized ease of deployment and rapid expansion over security by not using key LayerZero features. Schwartz, who evaluates systems for the RLUSD stablecoin, emphasized that the problem is often not a lack of security tools, but the promotion of simplified configurations that reduce operational costs but dramatically increase risks.
At the same time, Justin Sun attempted diplomacy through his X account. The executive urged the hacker to reach an agreement with KelpDAO and thus avoid collateral damage to the platform and Aave, reminding them of the practical difficulties of laundering $300 million today. Meanwhile, KelpDAO suspended all its multisig governance functions, oracles, and token operations on the mainnet and Layer-2.
OK - Kelpdao hacker, how much you want? Let’s just talk. With KelpDAO’s help, of course. It’s simply not worth it to sacrifice both Aave and KelpDAO and let them go down over this hack. You can’t spend $300 million anyway.
— H.E. Justin Sun (@justinsuntron) April 19, 2026
In the midst of this crisis, the crypto community is intensely debating responsibility in the design of secure bridges, with emerging suspicions that the attack could have been an inside job given a prior warning about the security flaw 15 months earlier. The KelpDAO exploit underscores the persistent risks in cross-chain infrastructure and the tension between rapid growth and robust security in DeFi.






