A $300 Million Hack That Could Fix DeFi
How a North Korean hacking squad turned a bridge exploit into DeFi's most clarifying crisis.
Good morning my tasty friends, I hope you’re all having a wonderful start to the weekend.
A quick update on the market from me, then we’re passing it to Dan for a special edition of this week’s newsletter.
Crypto Market Update - 4-25-26
BTC has broken free from its multi-month range and that beautiful green is flashing brightly alongside the stock market’s all-time highs.
Per our prior analysis which you can read in “Pareidolia” and updated in last week’s “Everything is Awesome! Right?” we’re not yet seeing any change to weekly price momentum. On the daily timeframe, momentum is bullish, but this conflicts with the bearish momentum across the intermediate weekly period.
When/if this changes, there will be signs. You can believe we are watching closely. We still believe in blast off mode.
As we remain standing on the ground...
Prices are drifting higher, but within the 3-month trend. It’s getting brighter as we wander through the woods, but the bears still quietly move among us.
Looking ahead, the options market is currently pricing in a break of 80k on the upside, while low 70k is still a very realistic probability over the next week.
Generally speaking, the prior week’s themes remain a constant. Crypto is moving in lockstep with stocks, and very short-term stock/crypto correlations are nearing extremes.
Recent dollar weakness has been a tailwind.
BUT, if anything happens in Iran over the weekend to upset the market’s feel good vibes, we’re probably trading closer to 70k than where we are now.
Personally I’m feeling a little passion again and will look to get active within a 75-85k range, unless of course that green daily momentum changes colors again.
On the economic front, it’s possible recent fears of stagflation are overblown and we see signs of improving economic growth in the coming months. The stock market is trading like this is the path forward currently.
The calendar was a bit light this week, though retail sales experienced a nice acceleration m/m. Next week we get housing, inflation, and manufacturing data, a look at Q1 GDP, and of course a Federal Reserve interest rate decision. The market is pricing in no change to interest rates. Watch the data. There will be signs.
Not everyone will see the signs.
That’s it for me for this week, but before we wrap, make sure to check out Shelley’s new series on tastylive’s YouTube Channel, especially if you’re relatively new to the world of crypto.
Keep your head on a swivel.
And, as always…
Stay tasty,
Ryan
DeFi’s most clarifying crisis
On Saturday, April 18, hackers drained approximately $292 million from KelpDAO, a crypto protocol that most people outside of DeFi have never heard of. Within 48 hours, the damage spread across the entire decentralized finance ecosystem. Billions in deposits fled lending platforms, borrowing rates spiked, and some of the biggest names in crypto scrambled to prevent a full-blown liquidity crisis.
It’s already the largest DeFi hack of 2026, and security firms have pinned it on North Korea’s Lazarus Group, the same state-sponsored operation behind last year’s $1.5 billion Bybit breach.
Here’s what happened, how the hackers cashed out, and why one protocol’s problem became everyone’s problem overnight.
First, what is KelpDAO and rsETH?
To understand the hack, you need to understand what KelpDAO does. It’s not complicated once you strip away the jargon.
When you stake Ethereum (locking up your ETH to help secure the network), you earn rewards, like earning interest on a savings account. Protocols like Lido let you do this and give you a receipt token called stETH that represents your staked ETH. You can still trade or use that receipt while your original ETH earns rewards in the background. This makes it useful in DeFi.
KelpDAO takes this one step further. It takes tokens like stETH and “restakes” them through a protocol called EigenLayer, generating additional yield. Think of it as stacking rewards on top of rewards. In return, you get a new receipt token called rsETH.
The appeal is straightforward: you hold rsETH, and it earns yield from multiple sources at once. You can also use rsETH across DeFi as collateral for loans, in liquidity pools, or in other yield strategies. Before the hack, rsETH had a circulating supply of around 630,000 tokens, a market cap of over $1 billion, and was integrated across more than 20 different protocols and chains.
To make rsETH available on all those networks, KelpDAO used a bridge, a system that locks rsETH on one blockchain and issues matching copies on another. The bridge is the critical piece of infrastructure at the center of this hack.
How the Exploit Happened
This wasn’t a case of bad code in a smart contract. There was no reentrancy bug or oracle pricing trick. The attack targeted an off-chain verification system that the bridge relied on to confirm transactions were legitimate.
KelpDAO’s bridge used LayerZero, a widely adopted cross-chain messaging protocol. LayerZero uses a Decentralized Verifier Network (DVN) to check that a transaction on one blockchain actually happened before acting on it on another chain. The DVN acts as the security guard checking IDs at the door.
The problem? KelpDAO ran a verification system with only 1 verifier, meaning only a single verifier had to approve a cross-chain message for the bridge to release funds. There was no second check, no backup, no fail safe. One approval was all it took.
The attackers, North Korea’s Lazarus Group operating through their “TraderTraitor” unit, executed a two-pronged operation. First, they compromised two RPC nodes (the computers that feed blockchain data to the verifier). Then they launched a DDoS attack to knock out external fallback nodes, forcing the system into failover mode. With the verifier now relying on compromised data sources, the attackers fed it a fabricated cross-chain message, essentially a forged receipt saying tokens had been burned on the source chain when they hadn’t.
The bridge did exactly what it was designed to do. It saw an approved message and released the funds. It approved a lie.
The result: 116,500 rsETH, about 18% of the entire circulating supply, was drained from the bridge in a single transaction.
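The verifier threshold described above can be modeled in a few lines. This is an added example, not code from the newsletter, KelpDAO, or LayerZero; the `Message`, `Verifier`, and `bridge_accepts` names and all sample values are constructed assumptions. It shows why a 1-of-1 setup accepts a message backed only by poisoned RPC data, and why a quorum helps only when verifiers read from independent data sources.

```python
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Message:
    nonce: int
    recipient: str
    amount: int  # rsETH units claimed as burned on the source chain

    def digest(self) -> str:
        return sha256(f"{self.nonce}|{self.recipient}|{self.amount}".encode()).hexdigest()


class Verifier:
    """A verifier that attests only to burns present in its own chain view."""

    def __init__(self, name, rpc_view):
        self.name = name
        self.rpc_view = set(rpc_view)  # digests its RPC nodes report as burned

    def attests(self, msg):
        return msg.digest() in self.rpc_view


def bridge_accepts(msg, verifiers, threshold):
    """Release funds only if at least `threshold` distinct verifiers attest."""
    if not 1 <= threshold <= len(verifiers):
        raise ValueError("threshold must be between 1 and the verifier count")
    approvals = {v.name for v in verifiers if v.attests(msg)}
    return len(approvals) >= threshold


# Constructed data: one real burn, one forged message with no burn behind it.
real = Message(41, "0xUSER", 5)
forged = Message(42, "0xFORGED", 116_500)
honest_view = [real.digest()]
poisoned_view = [real.digest(), forged.digest()]  # view fed by compromised RPC


def run_scenarios():
    a = Verifier("dvn-a", poisoned_view)
    b = Verifier("dvn-b", honest_view)
    c = Verifier("dvn-c", honest_view)
    b_shared = Verifier("dvn-b", poisoned_view)  # b reuses a's RPC provider
    return {
        "1-of-1 forged": bridge_accepts(forged, [a], 1),
        "2-of-3 forged": bridge_accepts(forged, [a, b, c], 2),
        "2-of-3 real": bridge_accepts(real, [a, b, c], 2),
        "2-of-3 forged, shared RPC": bridge_accepts(forged, [a, b_shared, c], 2),
    }
```

The last scenario is the caveat to check in any multi-verifier deployment: raising the threshold adds nothing if the verifiers share the same upstream data source.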
How the Hackers Used DeFi to Cash Out
Here’s where it gets interesting. The attackers didn’t just take the stolen rsETH and dump it on the open market. That would have been obvious, easy to front-run, and would have crashed the price before they could extract much value.
Instead, they went to Aave, the largest decentralized lending protocol in crypto. They deposited approximately 89,567 stolen rsETH as collateral and borrowed about $190 million in ETH and other assets across Ethereum and Arbitrum. It’s the crypto equivalent of depositing counterfeit bills at a bank and taking out a very real loan against them.
Once they had the borrowed ETH, which was fully legitimate and liquid unlike the tainted rsETH, the laundering began. The attackers split the funds across multiple wallets and began routing them through THORChain, a decentralized cross-chain swap protocol that operates without a central authority and has no “freeze” button. Over about 36 hours, around 75,700 ETH (approximately $175 million) was converted into Bitcoin via THORChain, generating over $800 million in trading volume on the platform, more than ten times its normal daily activity.
Smaller amounts were also moved through privacy-focused tools like Umbra (which uses stealth addresses) and Chainflip. Once converted to Bitcoin, a network with no administrative keys, security councils, or freeze mechanisms, the funds became difficult to recover.
DeFi Contagion and Drama
The hack itself was devastating, but the real story has been the contagion: how one protocol’s exploit cascaded across the entire DeFi ecosystem.
The Aave crisis. Because the stolen rsETH was deposited as collateral on Aave, the lending giant was suddenly holding a massive position backed by tokens that might be worthless. Aave’s incident report estimated it was facing between $124 million and $230 million in potential bad debt, depending on how the shortfall gets resolved. Aave froze rsETH reserves across Ethereum, Arbitrum, Base, Mantle, and Linea. WETH borrowing rates spiked to 8%, the highest since early 2024, while stablecoin borrow rates jumped from 3.4% to 14%.
The bank run. Panicked users didn’t wait around to see how it played out. Aave lost approximately $8.45 billion in deposits within 48 hours. Across all of DeFi, total value locked dropped by roughly $13 billion. It was one of the sharpest protocol-level liquidity contractions in recent DeFi history.
The peg problem. With such a large chunk of rsETH’s supply now unbacked, every holder had to ask a simple question: is my rsETH actually worth what it says it is? Tokens on Layer 2 networks were especially exposed, since the bridge that was supposed to back them had been emptied. SparkLend and Fluid froze their rsETH markets. Lido paused deposits into its EarnETH product, which had about 9% exposure to rsETH.
The blame game. KelpDAO and LayerZero immediately started pointing fingers at each other. LayerZero’s post-mortem said KelpDAO chose a risky single-verifier setup despite recommendations for multi-verifier redundancy. KelpDAO fired back, claiming the configuration was LayerZero’s own default setting in its documentation and quickstart guides, and that roughly 40% of protocols on LayerZero run the exact same setup. A KelpDAO source added that LayerZero had maintained a direct communication channel with them since July 2024 and never flagged the configuration as a problem.
The Arbitrum debate. In one of the most controversial moves, Arbitrum’s 12-member Security Council used emergency powers to freeze 30,766 ETH (roughly $71 million) on Arbitrum One that was tied to the exploiter. They executed a forced state transition, bypassing the attacker’s wallet controls entirely to move funds into a governance-controlled intermediary wallet. On-chain security researcher Taylor Monahan celebrated the move, calling it DeFi collectively taking $70 million back from North Korea. But Curve Finance founder Michael Egorov warned it sets a dangerous precedent, suggesting that if a security council can freeze anyone’s assets, it becomes hard to argue that certain traditional financial regulations shouldn’t apply to the chain itself. The decentralization purists have a point, even if most people were glad someone could hit the brakes in this case.
Recovery Efforts
The good news is that the DeFi community has mobilized faster and more collectively than in almost any prior incident.
A coordinated recovery initiative called “DeFi United” has emerged, led by Aave’s service providers, with the goal of recapitalizing rsETH and preventing forced liquidations across lending markets. The total rsETH deficit exceeds 100,000 ETH, and the effort focuses less on clawing back stolen funds and more on plugging the hole before a cascade of liquidations causes even more damage.
The commitments so far: Aave founder Stani Kulechov personally pledged 5,000 ETH. EtherFi proposed a 5,000 ETH contribution from its DAO treasury. Lido’s governance put forward up to 2,500 stETH (about $5.7 million), contingent on the full shortfall being covered. Golem Foundation contributed 1,000 ETH. LayerZero joined the coordination alongside Ethena, Arbitrum, and Kelp itself. Mantle also proposed a large loan to support Aave.
On the enforcement side, the $71 million frozen by Arbitrum’s Security Council remains locked in governance-controlled wallets pending further action. The bulk of the stolen funds have already been swapped to Bitcoin through decentralized protocols, putting them largely beyond practical recovery.
Lessons and Aftermath
It’s easy to look at a $300 million hack and conclude that DeFi is fundamentally broken. There are real, structural problems that this incident exposed. Cross-chain bridges remain one of the weakest links in the ecosystem. Single points of failure in verification systems are an invitation for sophisticated attackers. The interconnected nature of DeFi means contagion and liquidity runs can happen even if there is no direct compromise.
But there are real silver linings here too.
Speed of response. KelpDAO paused contracts within 46 minutes of the first alert. Aave froze affected markets within hours. Arbitrum’s Security Council acted within two days, coordinating with law enforcement. Compare that to the weeks or months it has historically taken traditional financial institutions to respond to major fraud events.
Collective action works for quick recovery. The “DeFi United” coalition represents something new: competing protocols and foundations setting aside rivalries to pool resources during a systemic crisis. Lido contributes stETH to protect Aave users, and EtherFi steps up despite having no direct obligation. These are the building blocks of a more resilient ecosystem.
Transparency is the norm, not the exception. Every transaction in this saga, from the initial exploit to the laundering to the fund freezes, happened on public blockchains. Chainalysis, PeckShield, ZachXBT, and dozens of other analysts traced funds in real time. Try doing that with a traditional bank heist.
The push for better standards. The incident has accelerated conversations around multi-verifier bridge configurations, time-delayed withdrawals for large transfers, and cross-chain invariant monitoring. These are systems that continuously verify tokens released on one chain match tokens burned on another. They are solvable engineering problems.
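A sketch of the cross-chain invariant monitoring and large-transfer hold mentioned above, as an added example that is not from the newsletter or any named protocol. The event shape, the `LARGE_TRANSFER` and `HOLD_SECONDS` values, and the sample log are constructed assumptions; the burn events are assumed to come from a data source independent of the bridge's own verifier.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str    # "burn" (source chain) or "release" (destination bridge)
    msg_id: str  # cross-chain message identifier
    amount: int  # token units
    ts: int      # block timestamp, seconds

LARGE_TRANSFER = 1_000   # assumed size above which a hold applies
HOLD_SECONDS = 6 * 3600  # assumed hold period for large transfers


def reconcile(events):
    """Return (msg_id, reason) alerts for releases that break the invariant."""
    burns, released_ids, alerts = {}, set(), []
    burned_total = released_total = 0
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "burn":
            burns[ev.msg_id] = ev
            burned_total += ev.amount
            continue
        released_total += ev.amount
        burn = burns.get(ev.msg_id)
        if burn is None:
            alerts.append((ev.msg_id, "release without matching burn"))
        elif ev.msg_id in released_ids:
            alerts.append((ev.msg_id, "message released more than once"))
        elif ev.amount != burn.amount:
            alerts.append((ev.msg_id, "release amount differs from burn"))
        elif ev.amount >= LARGE_TRANSFER and ev.ts - burn.ts < HOLD_SECONDS:
            alerts.append((ev.msg_id, "large release before hold expired"))
        released_ids.add(ev.msg_id)
        if released_total > burned_total:
            alerts.append((ev.msg_id, "released supply exceeds burned supply"))
    return alerts


# Constructed event log: two legitimate transfers, then an unbacked release.
SAMPLE_EVENTS = [
    Event("burn", "m1", 5, 1_000),
    Event("release", "m1", 5, 1_060),
    Event("burn", "m2", 2_000, 2_000),
    Event("release", "m2", 2_000, 2_300),
    Event("release", "m3", 116_500, 3_000),
]

if __name__ == "__main__":
    for msg_id, reason in reconcile(SAMPLE_EVENTS):
        print(msg_id, reason)
```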
The KelpDAO hack exposed DeFi’s fragile trust assumptions between connected ecosystems. Yet the response, freezing funds within hours, coordinating a multi-protocol bailout, tracing every dollar in real time, demonstrated something traditional finance has never achieved. If DeFi survives this crisis, it will be because the ecosystem proved it could act collectively when it mattered most.
Disclaimer: None of this is to be deemed legal or financial advice of any kind and are solely the opinions of the authors. tastycrypto is provided by tasty Software Solutions, LLC. tasty Software Solutions, LLC is a separate but affiliate company of tastylive, Inc. and tastytrade, Inc. Neither tastylive, Inc. nor tastytrade, Inc. are responsible for the products or services provided by tasty Software Solutions, LLC. Cryptocurrency trading is not suitable for all investors.







Using XRP as the bridge, with its multiple verification points, may help this problem.