DeFi Crisis Deepens: Kelp DAO Exploit Triggers $600M+ Losses, TVL Plummets to One-Year Low

A critical warning is flashing across decentralized finance as systemic vulnerabilities exposed by the Kelp DAO exploit have catalyzed over $600 million in sector-wide losses, pushing total value locked to a 12-month low. The April 18 attack, where attackers minted 116,500 unbacked rsETH by compromising a single LayerZero verifier node, has triggered a 10% capital flight correction across restaking, lending, and bridge protocols, with cumulative damages nearing $1 billion. This incident reveals not just a protocol failure, but a foundational fragility within the cross-chain DeFi stack that now threatens broader market stability.

How a Single Verifier Node Took Down $600M in DeFi

The failure was architectural, not foundational, and that distinction matters for how you assess the rest of DeFi’s cross-chain infrastructure. Kelp DAO’s rsETH bridge relied on a single Decentralized Verifier Network node to authenticate LayerZero messages, a 1-of-1 configuration that security firm Halborn had flagged in prior warnings.

The attackers, identified by LayerZero as Lazarus Group’s TraderTraitor subgroup, compromised two RPC nodes feeding data to that verifier, launched DDoS attacks against backup nodes to force failover, then injected a fraudulent message that minted 116,500 rsETH against zero underlying collateral.

The stolen rsETH moved quickly. On-chain data shows the attacker swapped into ETH and Arbitrum using loans across Aave, SparkLend, and Fluid, with Tornado Cash deployed for gas fee obfuscation. Malware self-deleted from the compromised RPCs post-attack, deliberately erasing forensic logs. For more on how LayerZero’s investigation attributed the attack, the mechanics of the RPC poisoning sequence are documented in detail.

Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.

We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.

We will keep you…

Losses aggregated fast. The 116,500 minted rsETH seeded bad debt across lending markets that had accepted rsETH as collateral without adequate verification of its backing, an “echo chamber” for forged messages, as Halborn described it. Allium, analyzing the verification gap post-incident, noted that “the tools worked as designed. The way they were configured did not.”

That’s not a minor footnote: it means the exploit required no zero-day vulnerability, just a misconfiguration that was documented and warned about in advance.

Single-point-of-failure verifier architectures are now a documented attack surface, and Kelp DAO won’t be the last protocol running one.

TVL at a One-Year Low: What the Capital Flight Data Actually Signals

DeFi’s aggregate TVL had already been compressing through Q1 2026 under macro pressure, but the Kelp DAO exploit accelerated the drawdown into a vertical drop.

DefiLlama data shows a $13 billion TVL exodus within the 48 hours following the April 18 attack, a pace that blindsided protocols like Compound that had no direct rsETH exposure but caught contagion withdrawals anyway.

The single-protocol casualty numbers are starker. Aave’s TVL collapsed from $26.4 billion to approximately $18 billion after the protocol froze rsETH markets, a $8.45 billion drawdown driven by users de-risking ahead of potential bad debt crystallization from tainted collateral positions.

Money is leaving DeFi at an unprecedented scale pic.twitter.com/bZ3m40wfs4

Aave’s risk team is now modeling two bad debt scenarios depending on recovery rates for the unbacked rsETH that was used as loan collateral before markets were frozen.

The TVL compression sets up two distinct forward scenarios. If outflows stabilize and Kelp publishes a credible forensic report with a compensation mechanism, the current level may prove to be localized contagion, ugly but bounded. If Aave’s bad debt modeling surfaces material losses and LayerZero’s multi-DVN upgrade timeline extends past Q2, expect a second leg of TVL decline as yield seekers rotate entirely out of restaking protocols into less interconnected alternatives.

Governance token valuations are already pricing the first scenario as optimistic, AAVE has shed over 20% since the exploit, and the recovery thesis depends entirely on whether Aave can close its rsETH exposure cleanly.