KelpDAO/LayerZero Hack: How a $290M Exploit Exposed DeFi’s Hidden Risks and Sparked Industry-Wide Change

By Priya Sharma | 2026-06-20

The Incident/Update: KelpDAO’s rsETH Exploit

Saturday, June 15, 2026, marked a dark day for decentralized finance when KelpDAO’s liquid restaking token, rsETH, suffered a devastating ~$290 million hack—making it the largest DeFi exploit of 2026. The attack, preliminarily identified as being orchestrated by North Korea’s Lazarus Group, exposed critical vulnerabilities in DeFi infrastructure and sent shockwaves throughout the entire ecosystem.

The technical mechanism behind the exploit was particularly concerning: the attacker exploited KelpDAO’s single-verifier configuration, which created a single point of failure that proved catastrophic when compromised. This design flaw, while seemingly minor in theory, allowed the attacker to manipulate the protocol’s core functionality and extract a staggering amount of user funds.

The immediate aftermath saw protocols scrambling to respond. Aave V3 and V4 rsETH markets froze automatically, with new deposits and rsETH-based lending channels disabled to prevent further losses. SparkLend and Fluid quickly followed suit, freezing their rsETH markets in a coordinated effort to contain the damage.

The exploit created a cascading effect across the DeFi ecosystem, with total value locked (TVL) dropping to $73.83 billion amid extreme market fear. This $13 billion outflow represented not just financial losses but a crisis of confidence in DeFi security protocols.

Technical Post-Mortem: How the Attack Unfolded

The KelpDAO exploit was a masterclass in sophisticated smart contract manipulation, combining multiple attack vectors into a devastatingly effective assault. Understanding the technical details is crucial for preventing similar incidents in the future.

The core vulnerability lay in KelpDAO’s single-verifier approach, which created a centralized point of control in a supposedly decentralized system. The attacker exploited this by creating a phantom token burn that convinced the Ethereum contract to release 116,500 rsETH, tokens that should never have been minted in the first place.

The attack timeline reveals the sophistication involved:

- Initial vulnerability identification and exploitation
- Phantom token minting through manipulated contract state
- Coordinated extraction across multiple DeFi protocols
- Market-wide freeze deployment to contain further damage

This wasn’t a simple bug exploit; it was a coordinated attack by someone who understood how different protocols interact with each other.

Protocol interactions played a crucial role in the exploit’s success. The rsETH token wasn’t just used within KelpDAO; it was integrated into multiple lending platforms, creating a complex web of dependencies that the attacker strategically exploited to maximize their gains.

Governance Impact: Emergency Responses and Protocol Coordination

In the wake of the exploit, the DeFi community demonstrated remarkable coordination and resilience. Leading protocols quickly established the “DeFi United” relief fund, which had already secured over US$300 million by April 30, 2026, showcasing the industry’s ability to respond collectively to crises.

Major contributors to the relief effort included:

- Mantle: significant financial contribution
- Aave DAO: approximately 55,000 ETH total
- Ethena: maintained zero rsETH exposure and >101% over-collateralization
- Lido and Ether.fi: substantial protocol support
- Over a dozen other prominent protocols: coordinated response

This coordinated response highlighted both the vulnerabilities exposed by the attack and the remarkable strength and solidarity within the DeFi community.

Governance mechanisms were tested under extreme conditions. Protocols had to make rapid decisions about freezing markets, allocating funds to recovery efforts, and implementing temporary measures to prevent further exploitation. These decisions, made under pressure, demonstrated the importance of robust governance frameworks and clear escalation procedures.

TVL Shifts: Market Reactions and Reallocation

The KelpDAO exploit triggered significant TVL shifts across the DeFi landscape as users and protocols reassessed risk exposures and security priorities. The $13 billion outflow wasn’t just panic selling; it represented a fundamental reassessment of DeFi security protocols.

Protocol-specific impacts varied widely:

- Aave: Frozen rsETH markets but maintained overall operations
- Ethena: Declared zero rsETH exposure, maintaining stability
- L2 solutions: Consolidated as users sought more secure alternatives
- Restaking protocols: Increased scrutiny of security models

These shifts weren’t just temporary; they represented a permanent change in how the market evaluates and prioritizes security considerations.

Market sentiment shifted dramatically from optimism about restaking yields to heightened awareness of security risks. The exploit served as a wake-up call that DeFi can’t sacrifice security for yield, and that seemingly minor design decisions can have catastrophic consequences.

Price context during the crisis showed Bitcoin holding steady around $63,879, Ethereum at $1,729.16, and other major cryptocurrencies experiencing volatility. This stability in major assets contrasted with the panic in DeFi protocols, highlighting the differential impact of security breaches.

Long-Term Prognosis: Lessons Learned and Future Security

The KelpDAO exploit, while devastating, serves as a crucial learning opportunity for the entire DeFi ecosystem. The incident has already led to significant improvements in security practices, governance mechanisms, and protocol design principles.

Security improvements being implemented across the ecosystem include:

- Multi-verifier configurations to eliminate single points of failure
- Enhanced testing protocols for cross-protocol interactions
- Better emergency response mechanisms
- More robust governance frameworks for rapid decision-making

These improvements aren’t just about preventing similar attacks; they’re about building a more resilient and secure DeFi infrastructure that can withstand sophisticated attacks.
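The multi-verifier point above, sketched as an added example (not KelpDAO’s or LayerZero’s code): a release gate that counts distinct verifier attestations over one message digest, evaluated as 1-of-1 and as 2-of-3. The verifier names, keys, message fields and the use of HMAC in place of real signatures are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed verifier keys. HMAC-SHA256 stands in for real verifier signatures.
VERIFIER_KEYS = {"v1": b"key-one", "v2": b"key-two", "v3": b"key-three"}


def message_digest(src_chain, nonce, amount, recipient):
    """Canonical hash of the burn message that every verifier attests to."""
    fields = f"{src_chain}|{nonce}|{amount}|{recipient}".encode()
    return hashlib.sha256(fields).digest()


def attest(verifier, digest):
    """Return (verifier_id, tag) as that verifier would produce it."""
    return verifier, hmac.new(VERIFIER_KEYS[verifier], digest, hashlib.sha256).digest()


def release_allowed(digest, attestations, required, threshold):
    """Allow release only if `threshold` distinct required verifiers attest."""
    if not 1 <= threshold <= len(required):
        raise ValueError("threshold must be between 1 and len(required)")
    valid = set()  # a set, so a replayed attestation counts once
    for verifier, tag in attestations:
        if verifier not in required or verifier not in VERIFIER_KEYS:
            continue
        expected = hmac.new(VERIFIER_KEYS[verifier], digest, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            valid.add(verifier)
    return len(valid) >= threshold


def demo():
    """Constructed scenario: v1's key is compromised and no burn took place."""
    phantom = message_digest("source-chain", 7, 116_500, "0xRECIPIENT_PLACEHOLDER")
    forged = [attest("v1", phantom)] * 3  # same attestation replayed three times
    genuine = message_digest("source-chain", 8, 10, "0xRECIPIENT_PLACEHOLDER")
    honest = [attest("v2", genuine), attest("v3", genuine)]
    quorum = {"v1", "v2", "v3"}
    return {
        "1-of-1 releases phantom burn": release_allowed(phantom, forged, {"v1"}, 1),
        "2-of-3 releases phantom burn": release_allowed(phantom, forged, quorum, 2),
        "2-of-3 releases genuine burn": release_allowed(genuine, honest, quorum, 2),
        "2-of-3 accepts tag for other message": release_allowed(phantom, honest, quorum, 2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A threshold only helps if the verifiers are operationally independent: a quorum whose keys sit with one operator or on one host fails the same way a single verifier does.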

Industry coordination has improved dramatically, with protocols now maintaining better communication channels and coordinated response plans. The “DeFi United” relief fund represents a new paradigm for industry cooperation, with protocols working together rather than in isolation during crises.

User education has become a priority, with protocols investing more resources in helping users understand security risks and best practices. The exploit demonstrated that even sophisticated users can be caught in sophisticated attacks, making education crucial for ecosystem health.

Regulatory considerations have also evolved, with increased attention on DeFi security practices and governance mechanisms. While the industry maintains its commitment to decentralization, there’s growing recognition that some level of oversight and standardization is necessary to protect users and maintain trust.

For investors and users, the KelpDAO exploit serves as a reminder that DeFi, while offering incredible innovation and opportunity, carries significant risks that must be taken seriously. The incident has made the entire ecosystem more security-conscious and has accelerated the development of more robust, secure protocols.

Disclaimer

The cryptocurrency market remains highly volatile. This article is for informational purposes only and does not constitute financial advice.

8 thoughts on “KelpDAO/LayerZero Hack: How a $290M Exploit Exposed DeFi’s Hidden Risks and Sparked Industry-Wide Change”

  1. restake_truthr

    single verifier setup for a $290M protocol. let that sink in. one key compromise and the whole thing unravels. this is why multi-sig exists

  2. A single verifier configuration on a $290M protocol. One point of failure for the biggest restaking token. This is negligence at the protocol level, plain and simple.

    1. @Rajesh Kumar single verifier on a restaking protocol is especially ironic. the whole point of restaking is distributed trust and they centralized the verification layer

  3. lazarus group again. every single year same story. when are protocols gonna take NK threat actors seriously and actually harden their infra

  4. Lazarus again. same playbook as Ronin and Harmony. you would think bridges would learn after the 5th or 6th time but here we are

  5. 13 billion in TVL outflows in days. that DeFi summer recovery is looking pretty dead now. trust takes years to build and one exploit to destroy

  6. aave freezing rsETH markets within minutes was the only thing that prevented this from being way worse. credit to their risk team for the automated circuit breakers
