A case study in using AI to unpack a fast-moving DeFi incident — and a rare exploit where the code worked exactly as designed.
On Saturday, April 18, 2026, an attacker walked off with 116,500 rsETH — roughly $292 million, or about 18% of the token’s circulating supply. It is, as of this writing, the largest DeFi exploit of the year, edging out the Drift Protocol drain from just 17 days earlier. Both have been attributed to North Korea’s Lazarus Group.
What makes this one worth dissecting is how it happened. No reentrancy bug. No signature malleability. No oracle manipulation. The smart contracts — KelpDAO’s, LayerZero’s, Aave’s — all behaved exactly as written.
This article is also a demonstration of how modern AI tools collapse the time it takes to go from “something happened” to “I understand what happened.” What used to be a weekend of reading post-mortems can now be a 30-minute investigation.
North Korean hackers exploited rsETH, a major restaking protocol, for approximately $290M through the LayerZero bridge. Around 80% of the protocol's liquidity had been deposited in fake rsETH as collateral in Aave, the largest lending protocol, to borrow real WETH/ETH, creating significant bad debt.
Aave was partially frozen for three days and still operates under restrictions. The ripple effects continue to impact the entire DeFi industry.
Arbitrum, a major L2 protocol, used an admin "root" function to partially recover the stolen funds.
Before diving into incident reports, I wanted a map. X (formerly Twitter) is where DeFi post-mortems land first, and Grok, being natively plugged into the platform, is well-suited for this kind of live-event triage.
Okay google grok, tell me what’s going on here…
The prompt:
I know KelpDAO was exploited recently. Find top tweets and tweets from official channels about this issue and describe what’s going on at the moment and the consequences for the DeFi industry. Make a report with a timeline and keep references to original tweets.