Futures
Access hundreds of perpetual contracts
TradFi
Gold
One platform for global traditional assets
Options
Hot
Trade European-style vanilla options
Unified Account
Maximize your capital efficiency
Demo Trading
Introduction to Futures Trading
Learn the basics of futures trading
Futures Events
Join events to earn rewards
Demo Trading
Use virtual funds to practice risk-free trading
Launch
CandyDrop
Collect candies to earn airdrops
Launchpool
Quick staking, earn potential new tokens
HODLer Airdrop
Hold GT and get massive airdrops for free
Pre-IPOs
Unlock full access to global stock IPOs
Alpha Points
Trade on-chain assets and earn airdrops
Futures Points
Earn futures points and claim airdrop rewards
#KelpDAOBridgeHacked
#Gate13thAnniversaryLive
KelpDAO's ZRO-backed bridge was hacked on April 18, 2026, resulting in the theft of approximately $292–294 million worth of coins across more than 20 chains; this became the largest DeFi attack of 2026. The attack, using a single compromised ZRO validator, caused immediate freezes on Aave, Arbitrum, and other protocols.
Basic Information
Attack date: April 18, 2026, ~17:35 UTC
Funds stolen: ~116,500 coins (~$292–294 million), ~18% of circulating supply
Attack vector: Fake ZRO cross-chain message via compromised 1-to-1 Decentralized Validator Network (DVN) setup
Affected protocols: Aave, SparkLend, Fluid, Arbitrum, Lido, Ethena, Compound, Euler
Immediate consequences:
Aave froze V3 and V4 and faced a risk of ~$177–196 million in bad debt.
Arbitrum froze 30,766 ETH (~$100 million) linked to the hacker's wallet.
ZRO dropped more than 22% in 24 hours.
The AAVE token price dropped by approximately 20% to $92.06.
Market Impact
Ethereum (ETH): The price dropped to $2,300 immediately after the attack and was fully priced in by prediction markets.
Bitcoin (BTC): Risk aversion increased the probability of prediction contracts for BTC reaching $60,000 by the end of April to 22%.
DeFi Liquidity: Approximately $9 billion was withdrawn from Aave in a panic; this points to a systemic fear regarding bridge collateral security.
Accountability and Attribution
Suspected attacker: The North Korean Lazarus Group, which used sophisticated forgery techniques.
KelpDAO's stance: Blames ZRO's infrastructure, specifically the compromised RPC nodes and insecure 1-to-1 DVN setup. Kelp insists that its own contracts were not directly exploited.
ZRO's response: Acknowledging flaws in the validator setup, actively working on corrective actions with KelpDAO.
Measures and Next Steps
Emergency freezes: KelpDAO halted stolen coin transfers between Ethereum and L2s within 46 minutes.
Blocked wallets: KelpDAO has blacklisted the abusive addresses and implemented SEAL 911, a hotline for security threats.
Governance action: Arbitrum DAO will vote on the fate of $100 million worth of frozen ETH.
Future fixes: Calls are being made for multiple validator DVN setups to prevent single points of failure in cross-chain messaging.
Risks and Lessons
Bridge vulnerabilities remain the biggest systemic risk in DeFi.
Single validator setups are unacceptable for high-value protocols; redundancy is critical.
Collateral spread: Using compromised assets as collateral (e.g., on Aave) could cause damage to spread across multiple platforms.
Community trust: KelpDAO, which had $1.57 billion in total locked value before the attack, has suffered a blow to its credibility, and recovery will depend on fixes implemented transparently.
$ZRO $AAVE $ARB