The biggest DeFi heist of 2026, hackers easily took advantage of Aave

By: rootdata|2026/04/19 01:12:22
0
Share
copy

Author: Xiao Bing, Shenchao TechFlow

On the evening of April 18 at 17:35 (UTC), a wallet that had laundered money through Tornado Cash sent a cross-chain message to the LayerZero EndpointV2 contract.

The message's meaning was simple: a user on a certain chain wanted to transfer rsETH back to the Ethereum mainnet. LayerZero faithfully conveyed the instruction according to the protocol design. The bridging contract deployed by Kelp DAO on the mainnet also executed the release faithfully as designed.

116,500 rsETH, worth approximately $292 million at the time, was transferred in a single transaction to an address controlled by the attacker.

The problem is that no one on the other chain had ever deposited this rsETH. This "cross-chain request" was fabricated out of thin air; LayerZero believed it, and Kelp's bridge believed it.

Forty-six minutes later, Kelp's emergency multi-signature finally hit the pause button. By this time, the attacker had already completed the latter half of the action, using the stolen, essentially uncollateralized rsETH to collateralize in Aave V3, borrowing approximately $236 million worth of wETH.

This is the largest DeFi theft of 2026 so far, surpassing the Drift protocol, which was attacked by North Korean hackers on April 1 by several million dollars, but what truly sends chills down the spine of the industry is not just the amount.

How the Attack Happened: Three Bets from 17:35 to 18:28

Let's restore the timeline.

17:35 UTC, the first success. The attacker called the lzReceive function on the LayerZero EndpointV2 contract, and a wallet funded by Tornado Cash sent a fabricated cross-chain data packet to Kelp's bridging contract. The contract verification passed, and 116,500 rsETH was released to the attacker's address. A single transaction. Clean.

18:21 UTC, Kelp's emergency pause multi-signature froze the core rsETH contracts on the mainnet and multiple L2s. 46 minutes after the attack occurred.

18:26 and 18:28 UTC, the attacker initiated two more attempts, each time attempting to withdraw 40,000 rsETH (approximately $10 million) with a LayerZero data packet. Both were reverted; the contract had already been frozen, but the attacker was clearly still trying to siphon off the remaining liquidity.

From the first success to Kelp's public statement, nearly three hours elapsed.

Kelp's first X post was not sent until 20:10 UTC, and the wording was very restrained: suspicious cross-chain activity involving rsETH was detected, the rsETH contracts on the mainnet and multiple L2s had been paused, and they were collaborating with LayerZero, Unichain, auditors, and external security experts for root cause analysis.

However, earlier than the official statement, ZachXBT, an on-chain detective, raised the alarm in his Telegram channel before 3 PM Eastern Time, listing six wallet addresses related to the theft and pointing out that the attack wallet had prepared funds through Tornado Cash before starting its actions. He did not name Kelp DAO, but on-chain analysts connected the addresses in just a few hours.

This was a **premeditated operation executed

You may also like

Semiconductor stocks plummet, yet Anthropic wants to create a 2nm chip

Abandoning TSMC and teaming up with Samsung. Anthropic launches a self-developed 2nm chip program, challenging Nvidia and starting a battle to break through computing power costs.

Where is Zhao Changpeng's billion-dollar investment going? YZi Labs' investment landscape fully revealed

Zhao Changpeng's billion-dollar new "family office" YZi Labs investment landscape revealed: 70% of the funds are committed to the crypto ecosystem, while 30% are cross-industry bets on AI and biotechnology, launching a new capital experiment in the post-Binance era.

Ethereum Foundation Report: A Basic Guide to Ethereum for Governments and Financial Institutions

The Ethereum Foundation has released this non-technical introductory report aimed at government officials, central banks, regulators, and corporate decision-makers, explaining how Ethereum works, how it is governed, how it differs from other blockchains, and how institutions and governments are alre...

A pre-announced harvesting case: After the cryptocurrency price dropped by 99%, the public chain Saga exited to transform into AI

True failure often isn't a single price drop, but rather a pricing mechanism that repeatedly rewards those who tell stories while repeatedly punishing those who believe in the stories.

When American giants collectively "defect" from Chinese AI models

Coinbase CEO publicly stated: the company has fully switched its AI to a Chinese model, cutting expenses in half while usage has doubled. Snowflake and Lindy are also doing the same thing—an unnoticed "AI model migration wave" is happening.

BIS Report Compliance Observation: The Real Risks of Stablecoins, Not Just "Depegging"

The issue with stablecoins is not just whether their price will decouple, but whether they can be integrated into a recognizable, monitorable, accountable, and regulated financial system.

Popular coins

Latest Crypto News

Read more
iconiconiconiconiconiconicon
Customer Support:@weikecs
Business Cooperation:@weikecs
Quant Trading & MM:bd@weex.com
VIP Program:support@weex.com