How 1 SMALL Signature Config Error Turned NIGHTMARE - Handing North Korean Hackers $292 Million...


Rommie Analytics

When a single misconfigured signature is all it takes to create $292 million in tokens from nothing, the entire premise of trustless finance looks a lot shakier than the name suggests.

How the Attack Worked

On April 18, 2026, an attacker exploited a vulnerability in KelpDAO's cross-chain bridge - powered by LayerZero - to drain 116,500 rsETH tokens worth approximately $292 million. That's about 18% of rsETH's entire circulating supply, conjured out of a flaw that wasn't in LayerZero's protocol itself but in how Kelp had configured it.

The setup relied on a single verification point to authorize cross-chain messages. The attacker found it, exploited it, and a message went through that shouldn't have. "One signature and 116,500 rsETH materialized out of thin air on Ethereum," as researchers later described it. Those tokens were then used as collateral to borrow real assets - mostly from Aave - and drained before the protocol could pause.
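The following is an added example, not code from KelpDAO, LayerZero or the article. It is a simplified model of the single-verification-point failure described above, showing why a 1-of-1 setup accepts a message on one attestation while a 2-of-3 quorum does not. The verifier names, keys and message format are constructed, and HMAC stands in for whatever signature scheme a real verifier uses.

```python
import hashlib
import hmac

# Constructed verifier keys; HMAC is a stand-in for each verifier's signature.
VERIFIER_KEYS = {
    "verifier-a": b"constructed-key-a",
    "verifier-b": b"constructed-key-b",
    "verifier-c": b"constructed-key-c",
}

def attest(verifier, message, key=None):
    """Return (verifier, tag) for a message; `key` overrides the real key."""
    key = VERIFIER_KEYS[verifier] if key is None else key
    return verifier, hmac.new(key, message, hashlib.sha256).hexdigest()

def accept_message(message, attestations, trusted, threshold):
    """Accept only if `threshold` distinct trusted verifiers attest validly."""
    if not 1 <= threshold <= len(trusted):
        raise ValueError("threshold must be between 1 and len(trusted)")
    valid = set()
    for verifier, tag in attestations:
        if verifier not in trusted:
            continue  # attestation from outside the configured verifier set
        expected = attest(verifier, message)[1]
        if hmac.compare_digest(expected, tag):
            valid.add(verifier)  # a set: repeats from one verifier count once
    return len(valid) >= threshold

def audit_config(trusted, threshold):
    """Flag configurations where one verifier alone can authorize a message."""
    findings = []
    if threshold == 1:
        findings.append("one attestation is enough to authorize a message")
    if len(set(trusted)) < 2:
        findings.append("only one verifier configured")
    return findings

# Constructed message: a mint instruction with nothing backing it.
MSG = b"mint:116500:rsETH"
# A single verifier's attestation for that message, however it was obtained.
ONE_SIG = [attest("verifier-a", MSG)]
# The same attestation submitted twice must not satisfy a 2-of-3 quorum.
REPLAYED = ONE_SIG * 2

if __name__ == "__main__":
    print("1-of-1 accepts:", accept_message(MSG, ONE_SIG, ["verifier-a"], 1))
    print("2-of-3 accepts:", accept_message(MSG, REPLAYED, list(VERIFIER_KEYS), 2))
    print("audit of 1-of-1:", audit_config(["verifier-a"], 1))
```
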
