KelpDAO rsETH Exploited for $292M, Aave and Compound affected - Weekly Recap
Issues⚠️
KelpDAO’s rsETH bridge was exploited for $292M via a LayerZero configuration flaw. An attacker forged a cross-chain message that tricked Kelp’s bridge into releasing 116,500 rsETH (~18% of supply) with no ETH locked on the source side — effectively minting unbacked rsETH out of thin air.
The bridge was secured by a 1-of-1 DVN validator stack on a $1.5B+ protocol; unconfirmed reports point to a compromised LayerZero Labs signer key.
The attacker deposited the unbacked rsETH on Aave V3/V4, Compound V3, and Euler, borrowing ~$236M in WETH before Kelp’s emergency pause fired 46 minutes later. The positions are unliquidatable, leaving Aave with ~$177–196M in bad debt, Compound ~$39M, Euler <$1M.
Aave’s WETH pool hit 100% utilization as $5.4B fled the protocol; suppliers can no longer withdraw. Spark and Fluid also froze rsETH markets.
The drained mainnet reserve backed wrapped rsETH across 20+ networks, including Ethereum, Arbitrum, Base, Linea, Blast, Mantle, Scroll, Optimism, and Mode. Redeemability on every non-mainnet chain is an open question.
No loss-distribution plan, recovery, or negotiation update from KelpDAO yet. This is a developing story.
LayerZero has published its official report on the $290M KelpDAO rsETH exploit, attributing the attack to North Korea’s Lazarus Group.
The attackers secretly replaced the bridge’s transaction verification system (RPC Nodes) with fake ones, then knocked out the legitimate ones to force the bridge into confirming transactions that never happened.
The attack only affected KelpDAO because they used a single verifier instead of multiple independent ones as recommended by LayerZero, meaning there was no backup to catch the fraud.
All other LayerZero integrations remain unaffected.
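The single-verifier failure described above can be reproduced in a simplified model. This is an added example, not code from LayerZero, KelpDAO, or the report; the class and function names, the endpoint behavior, and the sample message are all constructed for illustration.

```python
import hashlib

def payload_hash(src_chain, nonce, amount):
    # Stand-in for the commitment a verifier signs over a cross-chain message.
    return hashlib.sha256(f"{src_chain}|{nonce}|{amount}".encode()).hexdigest()

# Constructed source-chain state: nonce 3 is a real lock event, nonce 7 never happened.
REAL_CHAIN = {3: payload_hash("source", 3, 10)}
FORGED = payload_hash("source", 7, 116500)

def honest_rpc(nonce):
    return REAL_CHAIN.get(nonce)

def offline_rpc(nonce):
    raise ConnectionError("endpoint unreachable")

def poisoned_rpc(nonce):
    return FORGED  # reports an event that is not on the source chain

class Verifier:
    """Hypothetical verifier that reads source-chain state from its own RPC endpoints."""
    def __init__(self, name, rpcs):
        self.name, self.rpcs = name, rpcs

    def attest(self, nonce):
        answers = []
        for rpc in self.rpcs:
            try:
                answers.append(rpc(nonce))
            except ConnectionError:
                continue  # failover: only the endpoints that still answer are consulted
        # Attest only when every reachable endpoint agrees on one answer.
        return answers[0] if answers and len(set(answers)) == 1 else None

def bridge_accepts(claimed_hash, verifiers, threshold, nonce):
    votes = sum(1 for v in verifiers if v.attest(nonce) == claimed_hash)
    return votes >= threshold

def compromised_verifier():
    # Honest endpoints knocked offline, so the poisoned one is the only voice left.
    return Verifier("dvn-a", [offline_rpc, offline_rpc, poisoned_rpc])

def independent_verifiers():
    return [Verifier("dvn-b", [honest_rpc]), Verifier("dvn-c", [honest_rpc])]

def one_of_one_accepts_forgery():
    return bridge_accepts(FORGED, [compromised_verifier()], 1, 7)

def two_of_three_accepts_forgery():
    return bridge_accepts(FORGED, [compromised_verifier()] + independent_verifiers(), 2, 7)

def two_of_three_accepts_real_message():
    return bridge_accepts(REAL_CHAIN[3], [compromised_verifier()] + independent_verifiers(), 2, 3)

if __name__ == "__main__":
    print(one_of_one_accepts_forgery(), two_of_three_accepts_forgery(),
          two_of_three_accepts_real_message())
```

With a threshold of 1-of-1 the forged message passes; with 2-of-3 it fails because the two verifiers on separate infrastructure see no matching event, while a real message still clears the threshold.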
YO Protocol has temporarily paused its yoETH vault due to 1.9% indirect exposure to rsETH through earnETH, with redemptions already initiated. All other vaults remain unaffected.
Updates on Protocols Related to KelpDAO Exploit:
Following the KelpDAO rsETH exploit, over 20 protocols paused their LayerZero OFT bridges as a precaution, including Ethena, Ether.fi, Curve, Morpho, Kamino, Lombard, Beefy, and Pudgy Penguins. Most confirmed no direct rsETH exposure, with user funds reported as safe across all affected protocols.
Midas has paused all mToken minting and redemptions as a precaution following the rsETH exploit, with smart contracts unaffected. Strata also confirmed no direct impact, with srmM1-USD and jrmM1-USD remaining fully operational.
Maple Finance withdrew all USDT supplied on Aave Mantle by syrupUSDT and confirmed syrupUSDC and syrupUSDT have no exposure to the rsETH exploit.
Compound is proposing to disable rsETH as collateral for borrowing across Layer 2 markets (Arbitrum, Base, Linea, Optimism, Unichain) in response to the Kelp DAO exploit.
Mantle temporarily paused bridging as a precautionary measure following the rsETH incident involving KelpDAO.
Exit Options For WETH Lenders:
Fluid launched an aWETH Redemption Protocol allowing Aave ETH lenders to exit into wstETH or weETH immediately, with $1B in initial capacity and support from Lido, Ether.fi, and others.
1inch enables swapping aEthWETH for WETH on the secondary market at roughly a 2% discount. 1inch co-founder Sergej Kunz used the situation to highlight structural flaws in shared-pool lending, announcing intent-based P2P lending as 1inch’s next product.
Other Issues⚠️
Vercel, a major web hosting platform used by some DeFi frontends, has confirmed a security breach involving unauthorized access to internal systems after a third-party AI tool’s Google Workspace OAuth app was compromised. Vercel advises users to rotate keys immediately while the investigation continues.
Rhea Finance, a DeFi lending protocol on NEAR, was exploited for $18.4M on April 16 through a slippage protection flaw in its margin trading feature, with the attacker using fake token pools to bypass safeguards. Around $8.7M has since been recovered or frozen, with the protocol paused and recovery efforts ongoing.
Drift Protocol has announced a recovery plan following its $240M April 1 exploit, securing nearly $150M in support from Tether and other partners through a $100M revenue-linked credit facility, ecosystem grants, and market maker loans.
The protocol will relaunch with USDT settlement, issue a new recovery token to affected users, and introduce a community-governed multisig with independent audits before going live again.
Circle is facing a class action lawsuit over its failure to freeze $230M in USDC transferred via its CCTP bridge during the Drift Protocol hack, with plaintiffs arguing Circle had the technical ability to intervene but chose not to.
Circle has not yet responded, while ARK Invest defended the decision, warning that arbitrary freezing without legal orders sets a dangerous precedent.
CoW DAO detailed the cow.fi domain hijack as a registry-level social engineering attack that enabled an unauthorized registrar transfer and DNS takeover, serving a phishing site for several hours with ~$1.2M in estimated user losses, while the frontend, backend, and smart contracts remained uncompromised.
DeFi📈
Circle launched its own official USDC Bridge, offering native burn-and-mint transfers that eliminate the need for wrapped tokens or liquidity pools, giving users genuinely native USDC on the destination chain with no route selection, automatic destination gas, and transparent fees.
Catalysis has launched on Ethereum, introducing Covered Vaults — vaults with onchain risk coverage in which payouts execute automatically if a covered event occurs. The first vault is a Gauntlet-curated WETH Prime vault live on Morpho with active coverage.
Elemental, a yield aggregator protocol on Solana, has relaunched as V2 with fresh smart contracts, new multisigs, and isolated vault designs that separate strategies into individual vaults for clarity. The first launch is a USDT vault on Solana for +5% APR, deploying to Kamino and Loopscale.
Stablecoins/RWA🪙
Jupiter launched xStocks collateral on Jupiter Lend with SPYx, QQQx, NVDAx, and TSLAx, enabling up to 75% LTV borrowing and ~3.8x leverage while earning xPoints on positions.
Superstate launched FundOS, an onchain fund infrastructure enabling asset managers to deploy mutual funds, ETFs, and private funds with real-time settlement, 24/7 flows, and DeFi integrations.
Perps DEX📉📈
Grvt integrated Aave V3, enabling users to earn up to 11% APY on trading collateral with a unified balance while maintaining perpetual trading exposure.
Privacy🔒
Husher launched a private transfer and instant swap service on Solana, enabling near-instant transactions with unlinkable wallet activity and low-fee execution.
Airdrops🪂
USD.AI is launching its $CHIP token on April 21, 2026 — a TGE for the AI-backed stablecoin protocol.
Spark added spUSDT deposits to the Season 4 points program, allowing users to earn 1 point daily per USDT deposited.
Farms
Pendle increases USDG incentives to $40,000 per week through pool maturity.
Farm BTC premium for up to 13% APY





