Kelp DAO — a liquid restaking protocol in the Ethereum ecosystem — was exploited for approximately $290 million on April 18, 2026, forcing the project to pause rsETH contracts on both mainnet and multiple Layer 2 networks for investigation. The incident was identified as being related to security configurations in the cross-chain system using LayerZero, while the team and security partners continue to analyze the cause. Although not directly related to NFTs, this incident still makes NFT wallets more risky when interacting with DeFi, given the limited market liquidity.
What Happened in the $290M KelpDAO Exploit
According to an official announcement from Kelp DAO on April 19, the project detected “abnormal cross-chain activity involving rsETH” and immediately paused contracts to limit damage. At the same time, LayerZero — the messaging infrastructure provider — confirmed the exploit was related to KelpDAO’s configuration, with damages estimated at approximately $290 million.
https://t.co/3vIHs3Xgs4
— LayerZero (@LayerZero_Core) April 20, 2026
Initial analysis indicates that the incident did not originate from a core bug in LayerZero, but rather from how KelpDAO implemented its Decentralized Verifier Network (DVN) system. Specifically, the protocol used a “1-of-1 DVN” model — meaning it relied on a single verifier — creating a single point of failure. The attacker exploited this vulnerability by manipulating the RPC infrastructure, thereby sending fake messages that caused the system to confirm non-existent transactions.
LayerZero stated that the incident was “completely isolated” to KelpDAO’s rsETH configuration and did not spread to other applications or assets. Meanwhile, Kelp DAO said it is coordinating with LayerZero and auditing firms to investigate the matter, while maintaining the paused status of related contracts until further official conclusions are reached.
Why It Matters Beyond KelpDAO
Despite being confirmed as not widespread on LayerZero, the market reaction shows that risks can still spread through interconnected DeFi layers.
Aave TVL chart. Source: DefiLlama
Within hours of the incident, the AAVE token dropped about 17%, from $111 to $92. Aave’s Total Value Locked (TVL) also plummeted from about $26.3 billion to $20 billion, before continuing to decline toward $17.9 billion in the following days. The cause was that rsETH — an asset directly linked to KelpDAO — was used as collateral in the lending system, causing “bad debt” to appear in parts of the system and forcing protocols to pause certain markets.
On a broader scale, the total market DeFi TVL also dropped from approximately $99.4 billion to $86.2 billion, equivalent to a decrease of more than $13 billion in a short period.
Total DeFi TVL chart. Source: DefiLlama
Although considered ‘isolated’, the KelpDAO incident still spread rapidly through collateral positions and liquidity flows as DeFi layers became increasingly tightly linked.
How NFT Wallets Impact
The incident is not directly related to NFTs, and there is no evidence yet that NFT collections were attacked or technically affected. However, the boundary between NFT wallets and DeFi is almost no longer clear.
Many users do not just hold NFTs but also use the same wallet to participate in lending, staking, or restaking. In this case, NFTs can be used as collateral to borrow ETH, which is then deployed into protocols like KelpDAO to earn yield. When rsETH faces an incident, lending positions can quickly fall into a bad debt state.
This does not mean the NFT was “hacked,” but it can lead to indirect consequences, such as losing the ability to maintain loans, collateral liquidation, or getting liquidity trapped in paused protocols.
Even for those who merely hold NFTs, risk still exists if that wallet has interacted with DeFi smart contracts or granted permissions (approvals) to related protocols. When multiple applications share a single wallet, an incident in one protocol can pose risks to the rest of the assets.
What NFT Collectors Should Do Now
Following the KelpDAO incident, NFT collectors — especially those with wallets interacting with DeFi — should take some basic risk prevention steps:
Review and revoke approvals
Check and revoke permissions granted to smart contracts, especially if the wallet has interacted with restaking or bridges. You can use Revoke.cash for a quick review.
Separate high-value assets
Move high-value NFTs to a separate wallet that is not shared with wallets frequently interacting with DeFi.
Limit cross-chain activity (short term)
Temporarily limit bridging assets or interacting with cross-chain contracts, especially with infrastructure related to the incident, until clearer information is available.
Monitor lending positions (if applicable)
Track borrowing or margin positions, especially collateral levels and liquidation thresholds, to avoid being liquidated during market volatility.
Stay alert to phishing risks
Avoid accessing unverified links or fake “compensation” programs; only follow announcements from the project’s official channels.
Shared Risk Across Crypto Ecosystems
The $290M shock from KelpDAO shows that layers in the crypto ecosystem — from restaking and lending to NFTs — are increasingly tightly linked. An exploit does not need to target NFTs directly to create pressure on users through DeFi protocols.
While LayerZero maintains the incident did not spread to other applications, market reactions show that systemic risk lies not just in code or protocols, but in how liquidity and positions are connected across platforms.
In this context, risk no longer stops at an individual protocol — it can spread to all assets if they reside in the same wallet or the same chain of positions.
Credit: Source link