Kelp DAO hack wipes $292 M, highlights DeFi security gaps

The $292 million Kelp DAO exploit on April 18 2026 forced the DeFi sector to confront its weakest links just as Wall Street firms such as Apollo Global Management and BlackRock deepen on‑chain exposure【1】.

How the attack unfolded

The attacker targeted Kelp DAO’s liquid restaking token, rsETH, by exploiting a misconfigured LayerZero bridge setting. By minting 116,500 rsETH without collateral, the hacker used the fake tokens to borrow roughly $230 M from the Aave lending platform before the breach was detected【3】. CoinGecko’s analysis notes that nearly half of all active LayerZero‑powered applications remain vulnerable, putting more than $4.5 B of market value at immediate risk【3】.

Industry reaction and the push for stronger safeguards

The breach coincided with Apollo Global Management’s partnership with Morpho to support lending markets and BlackRock’s tokenized money‑market fund debut on Uniswap, underscoring the growing institutional appetite for on‑chain finance【1】. Security specialists argue that DeFi’s “zero‑trust” architecture must become baseline, not optional, with tighter multi‑signature controls, timelocks on governance actions, and robust collateral frameworks【1】.

What to watch

• LayerZero bridge updates – monitor announcements from the LayerZero team for patches that could reduce the $4.5 B exposure.
• Aave borrowing limits – watch for changes to collateral requirements that may prevent similar synthetic borrowing attacks.
• Institutional on‑chain moves – track further partnerships from Apollo, BlackRock or other firms that could signal confidence or pressure for higher security standards.

The hack proves that while DeFi continues to attract traditional finance capital, its security foundations must evolve before larger pools of institutional money can be safely absorbed.