A sophisticated cross-chain attack targeting Kelp DAO’s bridge infrastructure has resulted in the theft of 116,500 rsETH tokens valued at approximately $292 million, marking the largest DeFi exploit of 2026 and sending shockwaves through the restaked ether ecosystem.
The breach occurred on Saturday at 17:35 UTC when an attacker successfully manipulated Kelp DAO’s LayerZero-powered bridge to release tokens worth nearly one-fifth of rsETH’s entire circulating supply. The stolen amount represents roughly 18% of the 630,000 rsETH tokens currently in circulation, according to CoinGecko data.
Cross-Chain Infrastructure Vulnerability Exploited
The attack exploited a critical weakness in the bridge’s validation system, which connected rsETH reserves on Ethereum mainnet to wrapped versions deployed across more than 20 blockchain networks. Kelp DAO operates as a liquid restaking protocol that deposits user funds into EigenLayer to generate additional yield beyond standard Ethereum staking rewards, issuing rsETH as a liquid receipt token.
The attacker manipulated LayerZero’s cross-chain messaging infrastructure to convince the bridge that a legitimate withdrawal request had originated from another network. This deception triggered the automatic release of the substantial rsETH holdings to an attacker-controlled wallet address.
Emergency response measures activated 46 minutes after the initial drain, with Kelp’s emergency pause mechanism freezing core protocol contracts at 18:21 UTC. Two subsequent attack attempts targeting an additional 40,000 rsETH worth approximately $100 million were unsuccessful and reverted on-chain.
Multi-Protocol Impact Spreads Across DeFi
The exploit’s impact extended far beyond Kelp DAO as major DeFi protocols moved swiftly to protect their platforms. Aave immediately froze rsETH markets across both V3 and V4 deployments, with founder Stani Kulechov confirming that Aave’s smart contracts remained secure and uncompromised.
SparkLend and Fluid Finance implemented similar protective freezes on their rsETH markets, while AAVE token prices dropped approximately 10% as markets factored in potential bad debt exposure. The rapid contagion highlighted the interconnected nature of modern DeFi protocols and their vulnerability to external shocks.
Lido Finance suspended deposits into its earnETH product due to rsETH exposure, though the protocol clarified that its core stETH and wstETH tokens remained unaffected. Lido’s official communication emphasized that its primary staking operations had no connection to the Kelp incident.
Reserve Backing Questions Emerge
The stolen rsETH constituted the primary reserve backing wrapped versions of the token across layer 2 networks including Base, Arbitrum, Linea, Blast, Mantle, and Scroll. With these reserves now depleted, holders of rsETH on non-Ethereum networks face uncertainty about the underlying collateral supporting their tokens.
This situation creates a dangerous feedback loop where panic redemptions on layer 2 networks could pressure the remaining rsETH supply on Ethereum mainnet. Such pressure might force Kelp DAO to unwind restaking positions prematurely to honor withdrawal requests, potentially exacerbating the crisis.
Ethena Labs implemented precautionary measures by temporarily pausing its LayerZero OFT bridges from Ethereum mainnet for approximately six hours. The protocol clarified it maintains no rsETH exposure and remains over 101% overcollateralized, demonstrating how even uninvolved protocols took defensive action.
Investigation Underway as Trail Goes Cold
Kelp DAO, operating under the KernelDAO umbrella, acknowledged the incident nearly three hours after the initial drain in their first public statement at 20:10 UTC. The protocol indicated it was collaborating with LayerZero, Unichain, security auditors, and external specialists to investigate the breach’s root cause.
The protocol has not yet disclosed specific details about how the attacker circumvented the bridge’s validation mechanisms. Recovery prospects depend partly on whether investigators can trace and potentially recover stolen funds before mixing services obscure the transaction trail.
Broader DeFi Security Concerns
This exploit occurs during a particularly challenging period for DeFi security. The Solana-based perpetuals protocol Drift suffered a $285 million drain on April 1, an attack subsequently linked to North Korea-affiliated threat actors. At least a dozen additional protocols have faced exploits in recent weeks, including CoW Swap, Zerion, Rhea Finance, and Silo Finance.
The Kelp DAO incident now claims the dubious distinction of being 2026’s largest DeFi exploit, surpassing Drift by several million dollars. The frequency and scale of recent attacks have raised fresh questions about cross-chain bridge security and the risks inherent in complex DeFi infrastructure.
Market participants are closely monitoring rsETH’s price stability over the weekend, with the token’s peg facing pressure from potential redemption waves. The incident serves as another stark reminder of the evolving security challenges facing DeFi protocols as they expand across multiple blockchain networks and integrate increasingly complex cross-chain functionality.
The coming days will prove critical for determining whether Kelp DAO can maintain user confidence and operational stability while addressing the significant shortfall in its reserve backing across multiple networks.
