A hacker struck Kelp DAO’s cross-chain bridge on April 18, 2026, at 17:35 UTC. Nearly 116,500 rsETH—worth about $290 million—vanished in one transaction. This restaking token, meant to let users earn yields across chains, became the biggest DeFi exploit of the year. Surpassing even Drift Protocol’s $285 million loss earlier that month. The attack exploited LayerZero’s Omnichain Fungible Token adapter. Attackers poisoned RPC nodes. They forged a message pretending to originate from Unichain, Uniswap’s Layer 2. Kelp DAO’s single-verifier setup—LayerZero Labs as the sole Decentralized Verifier Network—proved fatal. A DDoS on honest nodes forced failover to the tainted ones. No keys stolen. No protocol bug. Just clever infrastructure sabotage, Galaxy Research reports . rsETH holders on 20 Ethereum Layer 2s watched their tokens turn unbacked. About 18% of circulating supply drained. Kelp paused contracts 46 minutes later, blocking two more grabs worth $100 million. But damage spread fast. The thief didn’t dump.…