The KelpDAO exploit on April 18 isn't just the largest DeFi hack of 2026; it's a paradigm shift in how we think about security. The attackers stole 116,500 rsETH, worth about $290 million, not by finding a bug in the smart contract code, but by compromising something far more mundane: the project's internal RPC nodes.
This is what's known as RPC poisoning. The attackers fed the protocol's bridge false information about a burn event that never happened. The bridge, trusting the data, simply released the funds. A DDoS attack may have served as a distraction or forced the system onto compromised fallback infrastructure.
The critical flaw was a “1-of-1” verification setup: a single point of confirmation standing between the protocol and catastrophe.
The hack has been attributed to North Korea's Lazarus Group, specifically the TraderTraitor sub-group.
Following the exploit, DeFi protocols scrambled to halt rsETH transactions. An estimated $10 to $13 billion in total value locked fled the ecosystem as confidence cratered.
For investors, the lesson is clear: smart contract audits are no longer enough. The new questions must center on verification architecture. How many independent validators confirm cross-chain transactions? What happens if RPC nodes are compromised? A “1-of-1” setup is now a red flag.
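To make the “1-of-1” versus multi-source question concrete, here is an added sketch (not KelpDAO's or any bridge's actual code) of a release check that needs M of N independently operated RPC providers to return the same burn receipt. The provider functions, receipt fields and sample values are constructed assumptions.

```python
import hashlib
from collections import Counter

def fingerprint(receipt):
    """Digest of the fields every provider must agree on."""
    fields = (receipt["tx_hash"], receipt["block_hash"], str(receipt["amount"]))
    return hashlib.sha256("|".join(fields).encode()).hexdigest()

def confirm_burn(tx_hash, amount, providers, threshold):
    """True only if `threshold` providers return an identical burn receipt."""
    if not 1 <= threshold <= len(providers):
        raise ValueError("threshold must be between 1 and len(providers)")
    votes = Counter()
    for query in providers:
        try:
            receipt = query(tx_hash)
        except Exception:
            continue  # unreachable provider casts no vote (fail closed)
        if not receipt or receipt["tx_hash"] != tx_hash or receipt["amount"] != amount:
            continue  # no such burn, or it does not match the release request
        votes[fingerprint(receipt)] += 1
    return any(count >= threshold for count in votes.values())

# Constructed sample providers (stand-ins for independently operated RPC endpoints).
TX, AMOUNT = "0xconstructed-tx", 116500

def honest_no_burn(tx_hash):
    return None  # the chain has no such burn event

def poisoned(tx_hash):
    return {"tx_hash": tx_hash, "block_hash": "0xforged", "amount": AMOUNT}

def unreachable(tx_hash):
    raise TimeoutError("provider unavailable")

def honest_real_burn(tx_hash):
    return {"tx_hash": tx_hash, "block_hash": "0xcanonical", "amount": AMOUNT}

if __name__ == "__main__":
    print("1-of-1, poisoned node:", confirm_burn(TX, AMOUNT, [poisoned], 1))
    print("2-of-3, one poisoned:", confirm_burn(TX, AMOUNT, [poisoned, honest_no_burn, honest_no_burn], 2))
    print("2-of-3, two down:", confirm_burn(TX, AMOUNT, [poisoned, unreachable, unreachable], 2))
    print("2-of-3, real burn:", confirm_burn(TX, AMOUNT, [honest_real_burn, honest_real_burn, poisoned], 2))
```

A quorum only helps when the providers are operated independently; several endpoints on the same compromised infrastructure still amount to one source.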