News
21 Apr 2026, 08:15
Arbitrum halts ETH transfers to contain fallout from KelpDAO hack

Arbitrum decided on an unprecedented move, freezing ETH to prevent further losses from the KelpDAO attack. The protocol may prevent some of the bad debt on its native version of Aave. Arbitrum has announced the freeze of 30,776 ETH held on Arbitrum One and traced it back to the KelpDAO . The tokens, valued at $71M, were not bridged back to Ethereum for mixing days after the hack, allowing Arbitrum a window of action. The chain’s Security Council decided to freeze the funds, as large hacks are becoming a burden for DeFi protocols. The funds were moved to a new secure wallet, not accessible to the hackers, and can only be released after a new governance decision by Arbitrum’s council. The Arbitrum Security Council has taken emergency action to freeze the 30,766 ETH being held in the address on Arbitrum One that is connected to the KelpDAO exploit. The Security Council acted with input from law enforcement as to the exploiter’s identity, and, at all times,… — Arbitrum (@arbitrum) April 21, 2026 Arbitrum’s actions are one of the biggest freezes following a hack. The large losses in the past month raised the issue of freezing funds on time, despite the initial ethos of not censoring on-chain movements. The Security Council held a long discussion before deciding to act. In previous hacks, funds were rarely frozen, even by chains with the explicit right to blacklist wallets. In this case, Arbitrum decided to act and prevent bad debt contagion by reclaiming some of the lost ETH. Arbitrum joins wider decision to freeze ETH Arbitrum was the latest stage in a wider decision to contain the lost ETH and avoid DeFi contagion through bad debt. Aave immediately froze its two riskiest vaults to avoid more losses. Aave has still frozen ETH on several networks where it has native vaults. Update on rsETH incident: WETH reserves on the Ethereum Core V3 market have been unfrozen and users can supply WETH to Ethereum Core V3 again. WETH LTV remains at 0. WETH reserves on Ethereum Prime, Arbitrum, Base, Mantle, and Linea remain frozen. Aave service providers will… — Aave (@aave) April 21, 2026 The latest estimate of $196M in bad debt may diminish if the protocols are able to intercept and freeze some of the funds. Arbitrum used a forced state transition, which did not require the address owner to sign the transaction to a new wallet. The ability to move funds from wallets raises the issue of the censorship-free nature of crypto ownership. This time, the funds were taken from the wallet of a bad actor, setting a new potential standard for reacting to hacks. As Web3 attacks accelerated in Q1, protocols seek ways to quickly intercept funds and not rely on ad-hoc solutions. Following the hack, Arbitrum lost $300M in total value locked, down to $1.7B. Aave was down to $16.52B, down from around $25B before the hack. Arbitrum DAO saved its own funds Arbitrum DAO managed to save its own funds and prevent some of the bad debt on the L2 chain. Arbitrum may be affected heavily, as rsETH may not be fully backed on the L2 chain, but only on the Ethereum main net. Arbitrum has managed to claw back around 25% of the stolen funds. Currently, KelpDAO and other affected parties are negotiating with Layer Zero to discover the main flaw point for the hack and a way forward to recover losses. The recent hack was more influential due to the composability of DeFi, leaving multiple protocols exposed to rsETH and destroying multiple positions based on token collateral. Your bank is using your money. You’re getting the scraps. Watch our free video on becoming your own bank
21 Apr 2026, 08:00
Crypto Community Slams LayerZero: More Verifiers Won’t Stop The Next $290M Hack

LayerZero is facing heavy criticism for its response to the recent $290 million KelpDAO exploit after the omnichain interoperability protocol blamed Kelp’s 1-of-1 verifier configuration for the incident. Related Reading: Bitcoin’s Decentralization Narrative Under Fire After Epstein Files Claims LayerZero Blames KelpDAO For $290M Exploit Over the weekend, liquid restaking protocol KelpDAO was the victim of an attack that drained over $290 million in rsETH from the project after malicious actors exploited a weakness in the protocol’s LayerZero-powered bridge. Two days later, LayerZero addressed the incident, which became the largest DeFi hack of 2026, just weeks after Drift Protocol’s $285 million exploit shocked the industry. LayerZero attributed the “highly sophisticated attack” to North Korea’s Lazarus Group, claiming that it was a crypto infrastructure attack rather than a protocol exploit, and affirming that “there is zero contagion to any other cross-chain assets or applications.” They explained that the protocol is built on a “foundation of modular, application-configurable security,” using Decentralized Verifier Networks (DVNs), independent entities responsible for verifying the integrity of cross-chain messages. The malicious actors allegedly poisoned downstream RPC infrastructure by “compromising a quorum of the RPCs the LayerZero Labs DVN relied upon to verify transactions.” Per the post, the attackers swapped binaries for a custom payload to forge messages and used DDoS attacks to force failover to the poisoned nodes, triggering the DVN into confirming fake transactions. Based on this, LayerZero placed responsibility on KelpDAO for using a 1-of-1 verifier configuration instead of the multi-DVN recommendations: “This incident was isolated entirely to KelpDAO’s rsETH configuration as a direct consequence of their single-DVN setup.” Crypto Community Criticizes ‘Lack Of Accountability’ The crypto community reacted to the post-mortem, sharing its concerns about LayerZero’s response and criticizing the protocol for placing all responsibility only on Kelp’s security setup. “Imagine building a bridge and vehicles pays to cross, the bridge collapsed and you said it’s their fault for crossing the bridge. A classic clownery act from Bunch of clowns with zero accountability,” X user Saint wrote. Others questioned why LayerZero included a “1-of-1” configuration if the purpose of a DVN is customizable/modular security. “If the system allows this option, it’s not the fault of the customer who chose it—it’s a fundamental design flaw by the system that permitted it,” user Ditto wrote. “At the end of the day, the fact remains that the DVN RPC was compromised. DVN is a LayerZero product, and they are the ones who sold it to these teams,” he continued. Similarly, Chainlink community manager Zach Rynes accused the protocol of deflecting responsibility for the compromise of their own DVN node. He also criticized them for “throwing KelpDAO under the bus” for trusting LayerZero Labs’ setup that they “willingly support and only blocked after getting hacked, all while claiming everything worked as designed.” Meanwhile, Yearn Finance core team developer Artem K noted on X that the attack was described as a compromise of an RPC node and RPC poisoning, but that their own infrastructure is what was compromised. “Given it doesn’t say how the breach has occurred, I wouldn’t rush re-enabling the bridges,” he added. Wrong Diagnosis, Wrong Fix? Analyst The Smart Ape also claims that LayerZero made the wrong diagnosis and offered the wrong solution. Notably, the protocol’s post-mortem suggested migrating all applications with 1-of-1 DVN configurations to multi-DVN setups to prevent similar attacks. However, the analyst pointed out that multi-verifiers won’t stop the next multi-million-dollar attack, asserting that they could fail as all DVNs read chain states from the same handful of RPC providers, which are mostly clustered on AWS or GCP. If five “independent” DVNs read from the same three RPC providers, an attacker who poisons those three RPCs will poison all five verifiers simultaneously. “If all your verifiers get fooled in the same way at the same time, the math collapses back to 1-of-1. Five clones are not five witnesses,” he added. Related Reading: Remember Arbitrum? This Analyst Just Predicted That A 7,400% Rally Is Coming To solve this, the analyst suggested that every verifier runs its own full node on different client software, hosted on different cloud providers, maintained by different ops teams, peered with different subsets of the Ethereum network. “The fix isn’t multi-anything. The fix is that verifiers should attest to their own substrate, not just to chain state. until you can audit a DVN’s upstream topology, which RPC providers, which client software, which clouds, which regions, ‘M-of-N secured’ is marketing copy for a property that hasn’t actually been built. Lazarus didn’t break cryptography on April 18. They broke three servers,” he concluded. Featured Image from Unsplash.com, Chart from TradingView.com
21 Apr 2026, 07:30
Onchain Analysts Flag Justin Sun-Linked Wallet’s 274 Million USDT Exit From Aave Minutes After rsETH Freeze

A wallet linked to Justin Sun by onchain analysts withdrew 274 million USDT from Aave just 21 minutes after the protocol froze its rsETH markets on April 18, following the KelpDAO exploit. Key Takeaways: A wallet linked to Justin Sun pulled 274 million USDT from Aave 21 minutes after the rsETH market was frozen. The
21 Apr 2026, 07:06
Arbitrum Freezes $100M+ in ETH Linked to KelpDAO Exploit

Arbitrum freezes 30,000 ETH linked to the KelpDAO exploit. The funds were moved to secure the frozen wallet to block the attackers’ access. LayerZero blames the platform’s single-verifier setup. The Arbitrum Security Council has stepped in with emergency measures after the recent KelpDAO exploit. The platform has reportedly frozen more than 30,000 Ether tokens linked to the attacker on Arbitrum One. The council is now moving in coordination with law enforcement to secure the funds. The platform also ensured that no users or applications on the network were impacted. Arbitrum Council Takes Emergency Action in KelpDAO Exploit According to an X post earlier today, the Arbitrum Security Council has taken action after identifying the funds linked to the KelpDAO exploit. The council announced the freezing of 30,766 ETH linked to the hacker, focusing on protecting users and maintaining trust in the network. The X post stated, “After significant technical diligence and deliberation, the Security Council identified and executed a technical approach to move funds to safety without affecting any other chain state or Arbitrum users.” Instead of taking any action that could disrupt the normal activity of the network, the team carefully chose a path that would isolate the issue. The council needs to keep the rest of the ecosystem running smoothly. Notably, the Arbitrum team’s aim was to ensure that the funds could no longer be accessed by the KelpDAO attacker. They also wanted to ensure that no users are affected. The team also made sure that the applications and the overall blockchain remain intact. Following extensive technical review and careful planning, the Arbitrum team executed a strategy to safely transfer the funds without affecting the broader chain. As of April 20, the ETH has been moved to a frozen intermediary wallet. This cut off the exploiter’s access. Any further movement of these funds will now require approval through Arbitrum’s governance process in coordination with relevant authorities. KelpDAO Exploit Explained The KelpDAO exploit is one of the biggest crypto hacks in 2026. The attackers managed to drain about $300 million worth of rsETH from the protocol. The issue came from a vulnerability in KelpDAO’s cross-chain bridge. This allowed unbaked tokens to be minted and moved across networks. Once the attacker gained control of the system flaw, the stolen rsETH was quickly used across major DeFi platforms like lending protocols to borrow assets such as ETH. This created a ripple effect across the ecosystem, forcing multiple protocols to pause markets and review exposure to the affected token. In response, KelpDAO immediately paused its rsETH contracts and worked with security teams and partners to contain the damage. The rapid action helped limit further losses. LayerZero Blames KelpDAO’s Security Setup Following the KelpDAO exploit, LayerZero pointed to the platform’s security setup as a key reason behind the hack. According to LayerZero, KelpDAO was using a single-verifier system, despite earlier warnings against this approach. https://t.co/3vIHs3Xgs4 — LayerZero (@LayerZero_Core) April 20, 2026 The platform added that the attackers targeted the underlying infrastructure of KelpDAO, instead of attacking the protocol’s code directly. The attackers managed to take control of two RPC nodes, which were being used by LayerZero’s system to verify transactions. Then they replaced the software on those nodes with malicious versions. These altered nodes fed false information to LayeZero’s verifier. This makes it believable the fake transaction was real, still showing normal data to everyone else.
21 Apr 2026, 07:03
Ripple CTO warns cross-chain bridges may face KelpDAO-like exploits

Ripple’s Chief Technology Officer, David Schwartz, has issued a fresh warning to the decentralized finance (DeFi) sector, cautioning that widely used cross-chain bridges may be vulnerable to the same structural weaknesses that enabled the recent KelpDAO exploit, one of the largest crypto hacks of 2026. On X, he said he had reviewed several DeFi infrastructures, focusing solely on security and risk. His remarks come days after attackers drained roughly $292 million worth of assets from KelpDAO’s rsETH bridge, a breach that has reignited concerns about the security of cross-chain infrastructure. Based on his research, he determined that most DeFi systems include top-tier security tools, but the very mechanisms designed to prevent KelpDAO-style attacks are treated as optional. This, he says, is largely because teams don’t want to bear additional operational complexity costs. He wrote, “They generally in effect recommended not bothering to use the most important security mechanisms because they have convenience and operational complexity costs.” Schwartz said his concerns emerged during evaluations of bridge systems for Ripple’s planned RLUSD stablecoin . While many protocols appear robust in design, he argued that real-world deployments often fall short because teams prioritize convenience and rapid expansion over strict security practices. Schwartz says DeFi platforms prioritize cross-chain expansion over security In his post, Schwartz also highlighted that the rush to scale across chains has created a growth-first, safety-second culture in which the most important safeguards are being ditched. He asserted that most platforms’ selling points emphasize easy integration , with the unspoken expectation that the most robust security tools wouldn’t actually be used. Additionally, he said the KelpDAO attack reflects a dangerous pattern in which teams opt for convenience over the best-in-class security already available to them— similar to what he observed during his DeFi evaluations. He stated, “I have a funny feeling part of the problem is going to be something like KelpDAO choosing not to use key LayerZero security features out of convenience.” More recently, some analysts also sounded the alarm that Wrapped XRP (wXRP) on Solana could be the next domino to fall, since it relies on third-party issuers, and it carries the same counterparty risks that just cost KelpDAO $292 million. XRP Ledger validator, VET on X, wrote, “wXRP is an issued asset; it doesn’t come close to holding native XRP via self-custody from a risk POV.” However, some cross-chain protocols have already started putting up defenses. Flare, for instance, temporarily suspended FXRP bridging activity, holding off any token redemptions. How did KelpDAO lose $292 million? Some $292 million was lost in the KelpDAO exploit, and early findings showed that the North Korea-linked Lazarus Group , and in particular TraderTraitor, was complicit. In a single transaction targeting Kelp’s LayerZero bridge, an attacker stole 116,500 rsETH, or around 18% of the token’s circulating supply. The exploit was intended to poison the RPC infrastructure by gaining access to sufficient RPC endpoints used by LayerZero Labs’ DVN to vet transactions. However, this breach affected only KelpDAO’s rsETH configuration, with no spillover across any other cross-chain assets or applications. Blockchain investigator ZachXBT first sounded the alarm on his Telegram channel, and later security companies Cyvers and PeckShield quickly corroborated the theft. Cyvers also showed the hacker topped up their wallet with Tornado Cash just 10 hours before the attack — an old-hat trick to cover their tracks before a heist. Following the exploit, the tokens were deposited into Aave V3 to borrow ETH and WETH, and blockchain data later revealed subsequent laundering through Tornado Cash. The attacker had taken out roughly 74,000 ETH and WETH in loans, building over $236 million in liabilities across three lending platforms, with one wallet holding approximately $120 million in ETH from Aave. Schwartz had also commented soon after the KelpDAO exploit. He described the attack as sophisticated and noted that it exploited KelpDAO’s lack of oversight. Ripple’s former CTO, Joel Katz, also blamed KelpDAO’s flimsy security setup for the exploit and contended that, unlike the firm, RLUSD takes a security-first approach to bridging. The crypto card with no spending limits. Get 3% cashback and instant mobile payments. Claim your Ether.fi card.
21 Apr 2026, 07:00
AAVE Price Plummets By 26%: $9 Billion Net Outflows Traced To Kelp DAO Hack

A $292 million hack tied to restaking protocol Kelp DAO has rippled through decentralized finance (DeFi) lending and market confidence far beyond the original incident, with Aave emerging as one of the hardest-hit examples. Over the weekend, Aave’s native token (AAVE) fell by about 26%, while the protocol also saw a sharp decline in total value locked (TVL) and continued outflows that intensified the downturn. Kelp DAO Hack Sparks Aave Crisis The chain of events began with the attacker draining roughly 116,500 rsETH—valued at about $292 million—from Kelp DAO’s LayerZero bridge. The stolen staking tokens were then used as collateral on Aave V3, enabling the attacker to borrow approximately $236 million in WETH. Because the rsETH later became effectively unbacked, the collateral underpinning those positions is not liquidatable, leaving the borrowed funds stranded within the lending system. As a result, Aave is now facing a $280 million in bad debt that it cannot directly recover. Related Reading: Remember Arbitrum? This Analyst Just Predicted That A 7,400% Rally Is Coming The impact on users and depositors was swift. With Aave’s ETH pool reaching 100% utilization, the protocol essentially has almost no available ETH left for withdrawals. In practical terms, that means users looking to exit quickly may already be confronting liquidity limits at the pool level. As crypto portfolio manager Pratik Kala put it, the fear wasn’t about losses that Aave created itself, but about the protocol carrying a gap it did not make—prompting withdrawals driven by uncertainty. Kala likened the behavior to a bank run, summarizing the dynamic as “withdraw first, ask questions later.” Since Saturday, when the heist news first emerged, Aave has recorded around $9 billion in net outflows. Total value locked on the platform fell by more than a third, dropping to about $17.5 billion. The damage was not confined to Aave. DefiLlama data indicate that across all decentralized lending protocols, TVL fell by roughly $13 billion within 48 hours. Price 86% Below All-Time Highs As markets digested the fallout, Aave’s token performance also reflected the heightened stress. On Monday, AAVE was down about 26% from a one-month high of $118 recorded last Friday, after the broader crypto rally earlier last week. Related Reading: XRP A Strong Buy Before 2027 Despite 27% Drop In 2026: Finance Advisory Firm At the time of writing, AAVE was trading around $88 per token. CoinGecko data further highlights the precariousness of the asset: the cryptocurrency is reportedly about 86% below its all-time high of $661. Aave has responded to the situation by moving to contain further risk. The protocol froze rsETH markets on its platform. On Sunday, Aave said its own analysis indicates that rsETH traded on Ethereum remains fully backed; however, it kept restrictions in place as a precaution. Featured image from OpenArt, chart from TradingView.com










































