🚨KelpDAO's liquid staking token exploited for over $100m 🚨
https://etherscan.io/address/0x4966260619701a80637cdbdac6a6ce0131f8575e
Address (EOA) | Balance: $2,332.37 across 1 Chain | Transactions: 5 | As at Apr-18-2026 06:42:41 PM (UTC)
Elon Musk replies "Ok 😀" to making "Asteroid" (the Shiba Inu) the mascot for SpaceX
https://x.com/elonmusk/status/2045577165534875928?s=20
Ahboyash Reads
Damage closer to $292 million as reported
https://www.theblock.co/post/397988/kelp-daos-rseth-bridge-apparently-exploited-for-roughly-292-million-in-layerzero-based-attack
The Block
Kelp DAO's rsETH bridge apparently exploited for roughly $292 million in LayerZero-based attack
Kelp's emergency pauser multisig froze the protocol's core contracts roughly 46 minutes after the successful drain, blocking two follow-up attempts.
Marc Zeller advises to withdraw WETH positions on Aave V3 Core
https://x.com/Marczeller/status/2045583631184282047?s=20
Aave responds, freezes rsETH markets on Aave V3 and Aave V4
https://x.com/aave/status/2045592139577602556?s=20
The KelpDAO rsETH Exploit: $292M Minted From a 1-of-1 Bridge
Steps of the attack:
• rsETH (Kelp's liquid restaking token) can move between chains using LayerZero's messaging system. Kelp configured it so that only ONE "Decentralized Verifier Network" (DVN), the one by LayerZero Labs, was needed to approve any transfer message
• Since it was a single point of trust, attackers gained control of the verification key/node tied to Kelp's own deployed contract on the source chain
• They sent a "fake" transfer message that claimed: "116,500 rsETH is being sent from another chain to Ethereum mainnet." (In reality, no rsETH was ever deposited or burned on the source chain)
• The attacker called a function called to trigger the release directly. Because the single DVN "approved" the message, Kelp’s bridge contract on mainnet trusted it 100% and released 116,500 rsETH straight to the attacker’s wallet
• The money was drained. No real tokens came in from another chain, the attacker just got brand-new unbacked rsETH worth ~$290–293 million. Literally magic internet money
• They then tried to use it as collateral on lending platforms like Aave to borrow even more real ETH
https://defiprime.com/kelpdao-rseth-exploit
Defiprime
The KelpDAO rsETH Exploit: $292M Minted From a 1-of-1 Bridge
A single-signer DVN on KelpDAO's LayerZero bridge let an attacker mint 116,500 unbacked rsETH and walk out with ~$236M in WETH from Aave. Here's the full on-chain breakdown, who pays, and what it says about liquid restaking.
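A minimal model of the verifier-quorum weakness described in the steps above, added here as an illustration and not taken from Kelp, LayerZero or the linked article. The verifier names, the HMAC stand-in for signatures and the `unbacked` monitor are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed verifier keys; HMAC stands in for each verifier's real signature scheme.
DVN_KEYS = {"dvn-a": b"key-a", "dvn-b": b"key-b", "dvn-c": b"key-c"}

def attest(dvn: str, message: bytes) -> str:
    """Attestation one verifier issues over a cross-chain message."""
    return hmac.new(DVN_KEYS[dvn], message, hashlib.sha256).hexdigest()

def quorum_met(message, attestations, required, threshold) -> bool:
    """True when at least `threshold` distinct configured verifiers attested validly."""
    valid = {d for d, tag in attestations.items()
             if d in required and hmac.compare_digest(tag, attest(d, message))}
    return len(valid) >= threshold

def audit_config(required, threshold) -> list:
    """Flag verifier configurations that collapse to a single point of trust."""
    findings = []
    if threshold < 2 or len(set(required)) < 2:
        findings.append("one verifier can approve a message alone")
    if threshold > len(set(required)):
        findings.append("threshold exceeds configured verifiers")
    return findings

class DestinationBridge:
    """Toy destination-side bridge: releases tokens once the quorum check passes."""
    def __init__(self, required, threshold):
        self.required, self.threshold, self.released = set(required), threshold, 0

    def receive(self, amount: int, attestations: dict) -> bool:
        message = f"transfer:{amount}".encode()
        if not quorum_met(message, attestations, self.required, self.threshold):
            return False
        self.released += amount
        return True

def unbacked(released: int, source_locked: int) -> int:
    """Monitor invariant: released supply must never exceed what the source chain locked."""
    return max(0, released - source_locked)

def run_scenario() -> dict:
    # Constructed case: one verifier's key is compromised, nothing is locked at source.
    forged = {"dvn-a": attest("dvn-a", b"transfer:116500")}
    weak = DestinationBridge(["dvn-a"], 1)
    strong = DestinationBridge(["dvn-a", "dvn-b", "dvn-c"], 2)
    return {"weak_released": weak.receive(116500, forged),
            "strong_released": strong.receive(116500, forged),
            "weak_unbacked": unbacked(weak.released, 0),
            "strong_unbacked": unbacked(strong.released, 0)}
```

The same single attestation is accepted under the 1-of-1 configuration and rejected under 2-of-3, and the supply monitor reports the full amount as unbacked only in the first case.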
The Guardian froze rsETH and wrsETH markets across all deployments where the asset is listed
https://governance.aave.com/t/rseth-incident-2026-04-18/24481/4
🚨 BREAKING: $795 million total hacked in DeFi in 2026 alone - and it’s only mid-April
https://x.com/mementoresearch/status/2045724551175454723?s=20
X (formerly Twitter)
Memento Research (@mementoresearch) on X
DeFi has an on-going security nightmare:
• January → ~$86m lost to smart contract bugs and executive key compromises
• February → ~$27m attacks on bridges and oracles…
Meet the beta Starbucks app in ChatGPT: A new way to discover your next favorite drink
What are we doing?
https://about.starbucks.com/stories/2026/meet-the-beta-starbucks-app-in-chatgpt-a-new-way-to-discover-your-next-favorite-drink/
Starbucks is fully embracing AI, launching a beta app in ChatGPT this week that lets a chatbot choose your latte or refresher.
Users on ChatGPT can access the app by starting a prompt with "@Starbucks." They can then describe the mood they're in or want to be in — energetic, cozy, etc. — or simply ask the AI to pick something that matches their tastes, like non-dairy drinks or less caffeinated beverages.
Vercel announced a security incident involving unauthorized access to certain internal systems, affecting a subset of customers
Vercel is used for:
• Deploying websites and web apps from Git
• Frontend and full-stack JavaScript/TypeScript apps
• AI-powered applications and agents
https://vercel.com/kb/bulletin/vercel-april-2026-security-incident
Vercel
Vercel April 2026 security incident | Vercel Knowledge Base
We’ve identified a security incident that involved unauthorized access to certain internal Vercel systems.
Vercel hackers selling internal DB + employee accounts + GitHub/NPM tokens for $2m on BreachForums
https://x.com/DiffeKey/status/2045813085408051670?s=20
Scoop: NSA using Anthropic's Mythos despite blacklist
https://www.axios.com/2026/04/19/nsa-anthropic-mythos-pentagon
The National Security Agency is using Anthropic's most powerful model yet, Mythos Preview, despite top officials at the Department of Defense — which oversees the NSA — insisting the company is a "supply chain risk"
Axios
Scoop: NSA using Anthropic's Mythos despite Defense Department blacklist
The government's cybersecurity needs are outweighing the Pentagon's feud with Anthropic.