DeFi has spent years obsessing over smart contract audits. The KelpDAO exploit on April 18 suggests the industry has been studying for the wrong exam.
Attackers stole 116,500 rsETH, worth approximately $290 to $293 million, by exploiting something far more mundane than a Solidity bug: a centralized verification process and compromised RPC nodes. It’s the largest DeFi hack of 2026, and it didn’t require finding a single flaw in on-chain code.
How the attack actually worked
The attackers compromised KelpDAO’s internal RPC nodes through a technique known as RPC poisoning, feeding the protocol’s bridge fabricated information about a burn event that never actually occurred. The bridge, trusting the data it received, released 116,500 rsETH to the attackers.
The operation also involved a DDoS attack, which likely served as either a distraction or a way to force the system onto compromised fallback infrastructure. The critical vulnerability wasn’t in the smart contracts themselves but in a “1-of-1” verification setup, meaning a single point of confirmation was all that stood between the protocol and catastrophic loss.
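The 1-of-1 weakness described above, set beside an M-of-N quorum check, as an added example that is not KelpDAO's or any bridge's own code. The `BurnReport` schema, the verifier names, the 12-confirmation floor and all sample values are assumptions constructed for illustration.

```python
from collections import Counter
from typing import NamedTuple, Optional

class BurnReport(NamedTuple):
    """One verifier's view of a claimed burn (hypothetical schema)."""
    tx_hash: str
    block_hash: str
    amount_wei: int
    confirmations: int

def approve_release(reports: dict, threshold: int, min_conf: int = 12) -> Optional[tuple]:
    """Return the agreed (tx_hash, block_hash, amount_wei) only if at least
    `threshold` verifiers, each reading its own RPC source, report identical data.

    A value of None in `reports` means that verifier saw no such event or was
    unreachable. It casts no vote and does not lower the threshold, so an
    outage (for example during a DDoS) fails closed."""
    votes = Counter()
    for report in reports.values():
        if report is None or report.confirmations < min_conf:
            continue  # missing or not final enough: no vote
        votes[(report.tx_hash, report.block_hash, report.amount_wei)] += 1
    if not votes:
        return None
    claim, count = votes.most_common(1)[0]
    return claim if count >= threshold else None

# Constructed sample data: a fabricated burn served by one poisoned RPC node.
FORGED = BurnReport("0x" + "aa" * 32, "0x" + "bb" * 32, 116_500 * 10**18, 64)
GENUINE = BurnReport("0x" + "11" * 32, "0x" + "22" * 32, 5 * 10**18, 64)

ONE_OF_ONE = {"verifier-a": FORGED}
POISONED = {"verifier-a": FORGED, "verifier-b": None, "verifier-c": None}
HEALTHY = {"verifier-a": GENUINE, "verifier-b": GENUINE, "verifier-c": GENUINE}

if __name__ == "__main__":
    print("1-of-1, poisoned node:", approve_release(ONE_OF_ONE, threshold=1))
    print("2-of-3, poisoned node:", approve_release(POISONED, threshold=2))
    print("2-of-3, all agree:    ", approve_release(HEALTHY, threshold=2))
```

The quorum only helps if each verifier reads from RPC infrastructure the others do not share; three verifiers behind one poisoned node still amount to 1-of-1.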














