CoinGecko pointed out that a major DeFi security lapse in cross-chain infrastructure has left billions in crypto assets exposed. According to the latest analysis from CoinGecko, the wake-up call stems from the $292 million hack of Kelp DAO on April 18, 2026—the largest DeFi exploit of the year so far. Researchers warn that nearly half of all active LayerZero-powered applications remain vulnerable to the same attack vector, putting more than $4.5 billion in market value at immediate risk.
CoinGecko also pointed out that Kelp DAO’s liquid restaking token, rsETH, became the target when an unidentified attacker, reportedly linked to the DPRK-affiliated TraderTraitor group, exploited a single misconfigured security setting in its LayerZero bridge.
By minting 116,500 unbacked rsETH tokens, the attacker used the fake collateral to borrow roughly $230 million in assets on the Aave lending platform, ultimately saddling the protocol with bad debt.
The breach succeeded because Kelp DAO had configured its Decentralized Verifier Network (DVN) as a 1-of-1 setup, relying on just one signer for cross-chain message approval.
LayerZero’s DVN system lets developers choose how many independent verifiers must sign off on messages before they execute on the destination chain. A 2-of-2 configuration—widely viewed as the minimum secure standard—requires agreement from two separate signers.
In contrast, a 1-of-1 setup creates a single point of failure: if that lone verifier is compromised through key leakage, social engineering, or infrastructure attacks, forged messages can mint tokens, drain bridges, or trigger unauthorized actions without any backup check.
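The 1-of-1 versus 2-of-2 distinction described above, as an added example that is not code from CoinGecko, LayerZero or Kelp DAO: a Python audit over constructed configuration records that counts how many distinct verifiers must sign and flags anything below two. The record fields (`required_dvns`, `optional_dvns`, `optional_threshold`) and every name and address in the sample are assumptions for illustration, not LayerZero's on-chain layout.

```python
from dataclasses import dataclass, field

@dataclass
class DvnConfig:
    # Hypothetical record layout for this example, not LayerZero's on-chain struct.
    oapp: str
    required_dvns: list
    optional_dvns: list = field(default_factory=list)
    optional_threshold: int = 0  # how many optional DVNs must also sign

def quorum(cfg):
    """Distinct verifiers that must be compromised to forge an approved message."""
    required = {a.lower() for a in cfg.required_dvns}
    # A DVN listed twice, or in both lists, is still one signer.
    optional = {a.lower() for a in cfg.optional_dvns} - required
    return len(required) + min(cfg.optional_threshold, len(optional))

def audit(configs, minimum=2):
    """Return (oapp, quorum) for every config below the minimum, weakest first."""
    weak = [(c.oapp, quorum(c)) for c in configs if quorum(c) < minimum]
    return sorted(weak, key=lambda item: (item[1], item[0]))

# Constructed sample data: names and addresses are placeholders.
SAMPLE = [
    DvnConfig("bridge-a", ["0xAAA1"]),                           # 1-of-1
    DvnConfig("bridge-b", ["0xAAA1", "0xBBB2"]),                 # 2-of-2
    DvnConfig("bridge-c", ["0xAAA1", "0xaaa1"]),                 # looks 2-of-2, one signer
    DvnConfig("bridge-d", ["0xAAA1"], ["0xBBB2", "0xCCC3"], 1),  # 1 required + 1-of-2
    DvnConfig("bridge-e", [], ["0xBBB2"], 1),                    # optional-only, one signer
]

if __name__ == "__main__":
    for name, q in audit(SAMPLE):
        print(f"{name}: only {q} verifier(s) required, single point of failure")
    flagged = len(audit(SAMPLE)) / len(SAMPLE)
    print(f"{flagged:.0%} of sampled configs fall below 2 signers")
```

Counting distinct addresses rather than list length is what catches `bridge-c`, where a nominal two-entry list still depends on one signer.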
CoinGecko’s review of Dune Analytics data covering approximately 2,665 LayerZero OApp contracts over the prior 90 days found that 47 percent still operate under this risky 1-of-1 model.
The firm’s snapshot on April 22, 2026, identified the top ten at-risk assets by market capitalization.
Dominating the list is Tether’s omnichain USDT0 stablecoin, with $4.065 billion in circulating supply—accounting for over 87 percent of the exposed value among the top ten.
While most USDT0 deployments use safer 2-of-2 settings, its contracts on Ethereum, Optimism, and Base remain on 1-of-1, raising fears of unbacked minting that could cascade into lending markets across chains.
Pendle Finance’s PENDLE token ranks second at roughly $229 million, followed by smaller projects like Aethir (ATH), Zama (ZAMA), and Vana (VANA).
Notably, many governance tokens lower on the list are unlikely to serve as high-quality collateral on lending platforms, reducing—but not eliminating—their appeal to attackers compared with stablecoins or widely accepted assets like rsETH.
LayerZero maintains it has long urged projects to adopt at least 2-of-2 configurations.
Kelp DAO countered that the 1-of-1 option was the default for new OFT deployments.
Regardless of the blame, the ecosystem reacted swiftly: protocols paused markets, froze collateral, and reviewed settings. USDT0 halted its bridging the next day, and several teams announced upgrades, including wBTC’s planned shift by April 26.
The incident underscores a broader truth: while smart-contract bugs demand costly redeployments, DVN misconfigurations can be fixed with a simple parameter change. CoinGecko added that the Kelp DAO hack serves as a solvable lesson.
With industry response underway, the $4.5 billion exposure may shrink quickly, but only if projects act before the next attacker strikes. CoinGecko concluded that as DeFi gains more users, secure defaults and proactive audits are no longer optional; they are essential for protecting user funds in an interconnected and increasingly digital ecosystem.