On April 18, 2026, attackers drained about 116,500 rsETH, roughly $292 million, from a cross-chain bridge KelpDAO built on LayerZero. It is the largest DeFi hack of the year so far. I spend my days finding bugs in smart contracts, and the most uncomfortable thing about this hack is that finding bugs would not have stopped it. Here is the post-mortem and what it should change about how you think about security.
What actually happened
The bridge held the reserve of rsETH backing the token across more than 20 chains: Base, Arbitrum, Linea, Blast, Mantle, Scroll, and others. When the reserve drained, every wrapped version downstream was suddenly under-collateralized.
The root cause, per LayerZero's post-mortem, was not a Solidity bug. The attack began on March 6, six weeks earlier, when a developer was socially engineered. The contract code did what it was written to do. The keys that controlled it ended up in the wrong hands.
KelpDAO froze the system about 46 minutes after t
Discussion
Don’t hold back—comment!
Don’t wait—start sharing your ideas now!