Key Takeaways
- A sophisticated exploit targeting Kelp DAO’s LayerZero bridge resulted in the theft of 116,500 rsETH, valued at approximately $292 million
- The hacker manipulated LayerZero’s cross-chain messaging protocol to authorize fraudulent fund transfers
- Approximately $250 million of the stolen assets were swapped into ETH using an address funded through Tornado Cash
- Nine or more DeFi protocols implemented emergency freezes on rsETH markets, including major platforms like Aave, SparkLend, and Fluid
- The exploit has become 2026’s most significant DeFi security breach, exceeding the Drift Protocol incident from early April
A malicious actor successfully extracted 116,500 rsETH tokens from Kelp DAO’s LayerZero-integrated bridge infrastructure on Saturday evening at 17:35 UTC, stealing cryptocurrency worth approximately $292 million.
The compromised quantity accounts for roughly 18% of rsETH’s entire token circulation of 630,000, based on analytics from CoinGecko.
Kelp DAO operates as a liquid restaking infrastructure that accepts ETH deposits from users, channels them through EigenLayer for enhanced returns, and distributes rsETH as a liquid representation of the staked position.
The perpetrator exploited a vulnerability in LayerZero’s cross-chain communication infrastructure, deceiving the system into processing what appeared to be legitimate cross-chain instructions. This manipulation forced Kelp’s bridge contract to transfer the substantial holdings to a wallet under the attacker’s control.
Kelp’s emergency response team activated pause functions on the protocol’s primary smart contracts just 46 minutes following the initial breach, at 18:21 UTC. Two subsequent exploitation attempts targeting an additional 40,000 rsETH — representing roughly $100 million — were successfully prevented.
The compromised assets were channeled through a wallet previously funded via Tornado Cash. Blockchain security analyst Cyvers confirmed that approximately $250 million of the stolen rsETH tokens had been exchanged for ETH.
DeFi Ecosystem Reacts to Security Breach
The compromised bridge served as the backing reserve for wrapped rsETH deployed across more than 20 different blockchain networks, including Base, Arbitrum, Linea, Blast, and Scroll.
With the reserve depleted, users holding rsETH on various layer 2 networks now confront questions regarding the actual collateralization of their token holdings.
Aave implemented emergency freezes on rsETH lending markets across both V3 and V4 deployments within hours of detecting the exploit. [[LINK_START_0]]Aave’s token[[LINK_END_0]] experienced approximately 10% depreciation as traders factored in potential bad debt exposure.
Both SparkLend and Fluid enacted similar market freezes for their rsETH pools. Lido Finance temporarily suspended deposits into its earnETH offering, which maintains rsETH exposure, while emphasizing that its primary staking infrastructure remained unaffected.
Ethena took precautionary measures by pausing its LayerZero OFT bridge connections from Ethereum mainnet for approximately six hours, confirming it held no rsETH positions.
Kelp issued its initial public statement at 20:10 UTC — nearly three hours following the attack’s commencement. The team indicated active collaboration with LayerZero, Unichain, their security auditors, and external cybersecurity consultants.
2026 Proves Challenging Year for DeFi Security
Cyvers CEO Deddy Lavid characterized the incident as highlighting the inherent vulnerabilities within DeFi’s highly interconnected ecosystem.
[[LINK_START_1]]The Drift Protocol[[LINK_END_1]], operating on Solana, suffered a loss of approximately $285 million on April 1 through an attack attributed to North Korean threat actors.
Additional platforms including CoW Swap, Zerion, Rhea Finance, and Silo Finance have experienced security compromises throughout recent weeks.
Aggregate cryptocurrency losses attributed to exploits and fraudulent schemes totaled approximately $482 million during Q1 2026, per Cyvers’ analysis.
The Kelp DAO security breach now represents 2026’s most substantial DeFi exploit, marginally exceeding the Drift incident in dollar value.
As of publication, Kelp has not provided technical details explaining how the attacker circumvented the bridge’s validation mechanisms.
Get 3 Free Stock Ebooks
Discover top-performing stocks in AI, Crypto, and Technology with expert analysis.
- Top 10 AI Stocks - Leading AI companies
- Top 10 Crypto Stocks - Blockchain leaders
- Top 10 Tech Stocks - Tech giants
