The founder of Tron, Justin Sun, has publicly appealed to the hacker behind the $293 million KelpDAO drain. According to his X tweet, Justin Sun asked the hacker to strike a deal with KelpDAO not to inflict additional harm on the restaking platform and the lending protocol Aave, where the funds had been leveraged as collateral.
“You can’t spend $300 million anyway,” Sun noted, highlighting the practical challenges of laundering or liquidating such a massive sum in today’s tracked blockchain environment.
KelpDAO’s hack leads to an ongoing fallout
The hack unfolded on April 18 after the hackers attacked the KelpDAO LayerZero bridge, draining 116,500 rsETH tokens from the pool. This represents liquid restaking derivatives for the staked Ether.
KelpDAO is a multicoin liquidity staking protocol with $1.5 billion in value locked at the time. KelpDAO acted swiftly, suspending all its multisig governance functions, deposit pools, withdrawal pools, oracles, and even the rsETH token on the mainnet and Layer-2 networks.
Inquiries into the LayerZero network have begun to uncover the underlying reason for the hack, which is said to have stemmed from a single DVN deployment that resulted in a critical flaw.
From there, the attacker moved the illegal rsETH tokens as collateral on Aave and borrowed large sums of actual ETH, causing bad debts to accrue. Contagion set in: Aave’s users began withdrawing funds at a rapid pace, with estimates exceeding $54 billion in assets being pulled from liquidity markets.
Justin Sun was also able to recover about 65,584 ETH ($154 million). At the time of writing, the protocol is still frozen despite the decreasing TVL numbers in DeFi.
Sources told Cryptopolitan that L1 rsETH is completely collateralized, and the pertinent Aave market is “completely solvent.”
In a particular message, it was reported that weETH was unaffected, that liquid vaults were functioning normally, and that LiquidETH and LiquidUSD customers would not experience drawdowns, since any losses from higher borrowing expenses in Aave would be offset.
KelpDAO’s hack tied to an insider job
Adding fuel to the fire of the KelpDAO fiasco is the emerging suspicion that the hack could very well have been an insider job. Crypto community observers suggest that KelpDAO was warned 15 months prior to the attack in their governance forums about the 1/1 DVN issue in LayerZero.
The protocol’s decision to deploy the weakest possible security setup—a single verifier for a bridge holding hundreds of millions—despite its scale has raised eyebrows.
Traders have traced a similar pattern from previous hacks, now flagged as insider jobs. For example, the BTER exchange breach in 2014.
DeFi hacks terrorize 2026 crypto traders
The KelpDAO hack is the biggest attack on DeFi in 2026 to date, following close on the heels of an even bigger hack. On April 1, Drift Protocol, a Solana-based perpetual exchange, was hacked for $285 million, according to security analysts, who linked the attack to a complex six-month social engineering operation carried out by hackers affiliated with North Korea (UNC4736, or Lazarus Group).
Hackers allegedly gained access to Drift Protocol’s internal Telegram channels and employed malware to steal users’ funds before moving them to Ethereum.
Also, in April, other hacks have been reported on Hyperbridge, Grinex Exchange, and Rhea Finance.
