The biggest DeFi heist of 2026: hackers easily took advantage of Aave

By: rootdata|2026/04/19 09:12:22

Author: Xiao Bing, Shenchao TechFlow

On the evening of April 18 at 17:35 (UTC), a wallet that had laundered money through Tornado Cash sent a cross-chain message to the LayerZero EndpointV2 contract.

The message's meaning was simple: a user on a certain chain wanted to transfer rsETH back to the Ethereum mainnet. LayerZero faithfully conveyed the instruction according to the protocol design. The bridging contract deployed by Kelp DAO on the mainnet also executed the release faithfully as designed.

116,500 rsETH, worth approximately $292 million at the time, was transferred in a single transaction to an address controlled by the attacker.

The problem is that no one on the other chain had ever deposited this rsETH. This "cross-chain request" was fabricated out of thin air; LayerZero believed it, and Kelp's bridge believed it.

Forty-six minutes later, Kelp's emergency multi-signature finally hit the pause button. By this time, the attacker had already completed the second half of the operation, depositing the stolen, essentially uncollateralized rsETH as collateral in Aave V3 and borrowing approximately $236 million worth of wETH.

This is the largest DeFi theft of 2026 so far, surpassing by several million dollars the Drift protocol, which was attacked by North Korean hackers on April 1. But what truly sends chills down the spine of the industry is not just the amount.

How the Attack Happened: Three Bets from 17:35 to 18:28

Let's reconstruct the timeline.

17:35 UTC, the first success. The attacker called the lzReceive function on the LayerZero EndpointV2 contract, and a wallet funded by Tornado Cash sent a fabricated cross-chain data packet to Kelp's bridging contract. The contract verification passed, and 116,500 rsETH was released to the attacker's address. A single transaction. Clean.

18:21 UTC, Kelp's emergency pause multi-signature froze the core rsETH contracts on the mainnet and multiple L2s, 46 minutes after the attack occurred.

18:26 and 18:28 UTC, the attacker made two more attempts, each time trying to withdraw 40,000 rsETH (approximately $10 million) with a LayerZero data packet. Both were reverted; the contract had already been frozen, but the attacker was clearly still trying to siphon off the remaining liquidity.
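The mismatch at the heart of this timeline, a mainnet release with no deposit behind it on the source chain, is what a bridge reconciliation monitor looks for. The following is an added example, not code from Kelp, LayerZero or the original article; the record types, field names and sample events are constructed for illustration, and the replay and mismatch checks go slightly beyond the single case described here.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class SourceDebit:       # hypothetical: tokens locked/burned on the source chain
    message_id: str
    src_chain: str
    amount: Decimal

@dataclass(frozen=True)
class MainnetRelease:    # hypothetical: tokens released by the mainnet bridge
    message_id: str
    src_chain: str
    amount: Decimal
    recipient: str

def reconcile(debits, releases):
    """Return (reason, release) pairs for releases not backed by a source debit."""
    by_id = {d.message_id: d for d in debits}
    seen, findings = set(), []
    for r in releases:
        d = by_id.get(r.message_id)
        if d is None:
            findings.append(("no_source_debit", r))    # nothing was ever deposited
        elif r.message_id in seen:
            findings.append(("replayed_message", r))   # same debit paid out twice
        elif d.src_chain != r.src_chain or d.amount != r.amount:
            findings.append(("mismatch", r))           # debit exists but differs
        seen.add(r.message_id)
    return findings

def unbacked_total(findings):
    """Sum of token amounts released without valid backing."""
    return sum((r.amount for _, r in findings), Decimal(0))

# Constructed sample events (not real on-chain data; addresses are placeholders).
SAMPLE_DEBITS = [SourceDebit("msg-001", "chain-A", Decimal("25.5"))]
SAMPLE_RELEASES = [
    MainnetRelease("msg-001", "chain-A", Decimal("25.5"), "0xUSER_PLACEHOLDER"),
    MainnetRelease("msg-002", "chain-A", Decimal("116500"), "0xATTACKER_PLACEHOLDER"),
    MainnetRelease("msg-001", "chain-A", Decimal("25.5"), "0xUSER_PLACEHOLDER"),
]

if __name__ == "__main__":
    for reason, rel in reconcile(SAMPLE_DEBITS, SAMPLE_RELEASES):
        print(reason, rel.message_id, rel.amount, rel.recipient)
```

Run against indexed events from both chains, a check like this fires as soon as the unbacked release is indexed, and its finding can be wired to an automatic pause rather than a manual multi-signature.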

From the first success to Kelp's public statement, nearly three hours elapsed.

Kelp's first X post was not sent until 20:10 UTC, and the wording was very restrained: suspicious cross-chain activity involving rsETH was detected, the rsETH contracts on the mainnet and multiple L2s had been paused, and they were collaborating with LayerZero, Unichain, auditors, and external security experts for root cause analysis.

However, ahead of the official statement, on-chain detective ZachXBT raised the alarm in his Telegram channel before 3 PM Eastern Time, listing six wallet addresses related to the theft and pointing out that the attack wallet had prepared funds through Tornado Cash before starting its actions. He did not name Kelp DAO, but on-chain analysts connected the addresses in just a few hours.

This was a **premeditated operation executed
