In a devastating blow to the decentralized finance (DeFi) ecosystem, Kelp DAO, a prominent liquid restaking protocol, has fallen victim to a massive exploit, losing an estimated $292 million in restaked Ether (rsETH). The attack, which occurred on Saturday, April 18, 2026, has sent shockwaves through the crypto market, triggering emergency freezes across multiple lending protocols and raising critical questions about the security of cross-chain bridges and the integrity of wrapped assets.
The $292 Million Breach: How Kelp DAO’s Bridge Crumbled
An attacker successfully drained 116,500 rsETH from Kelp DAO’s LayerZero-powered bridge, representing approximately 18% of the token’s total circulating supply. This audacious exploit now stands as the largest DeFi hack of 2026, surpassing even the recent $285 million attack on Solana-based Drift protocol.
Understanding the Vulnerability
Kelp DAO operates as a liquid restaking protocol, allowing users to deposit ETH, which is then routed through EigenLayer to earn additional yield. In return, users receive rsETH, a tradeable receipt token. The core of the problem lay within Kelp’s LayerZero-powered bridge, designed to facilitate the movement of rsETH across more than 20 different blockchains, including major Layer 2 networks like Base, Arbitrum, Linea, Blast, Mantle, and Scroll.
The attacker reportedly tricked LayerZero’s cross-chain messaging layer into validating a fraudulent instruction, leading Kelp’s bridge to release the substantial sum of rsETH to an attacker-controlled address. The exploit occurred at 17:35 UTC, with Kelp DAO’s emergency pauser multisig freezing core contracts 46 minutes later at 18:21 UTC. Subsequent attempts by the attacker to drain an additional 40,000 rsETH were successfully reverted, highlighting a response that was delayed but still prevented further losses.
Contagion Spreads: DeFi Protocols React
The immediate fallout from the Kelp DAO exploit has been widespread, impacting numerous protocols that integrated rsETH. The fact that the drained bridge held the primary reserve backing wrapped rsETH versions on various Layer 2s has ignited fears among holders about the underlying value of their tokens.
Market Freezes and Price Drops
- Aave: Within hours, Aave froze rsETH markets on both its V3 and V4 platforms. While founder Stani Kulechov confirmed Aave’s contracts were not compromised, the market reacted sharply, with AAVE’s token price falling by approximately 10% as investors priced in potential bad debt.
- SparkLend & Fluid: These lending protocols also moved quickly to freeze their rsETH markets to prevent further exposure.
- Lido Finance: Lido, a major liquid staking provider, paused further deposits into its earnETH product, which had rsETH exposure. The protocol clarified that its core stETH and wstETH products remained unaffected, emphasizing its non-involvement in the incident.
- Ethena: As a precautionary measure, stablecoin issuer Ethena temporarily paused its LayerZero OFT bridges from the Ethereum mainnet. Ethena stated it had no rsETH exposure and maintained over 101% overcollateralization, with the pause expected to last roughly six hours for root cause identification.
The pressure on rsETH’s peg and Kelp DAO’s ability to honor redemptions is immense. The protocol, operating under the KernelDAO umbrella, acknowledged the incident nearly three hours after the drain, stating it was investigating with LayerZero, Unichain, its auditors, and external security specialists. The specific mechanism by which the exploit bypassed the bridge’s validation logic remains undisclosed.
A Troubled Landscape: DeFi’s Ongoing Security Crisis
The Kelp DAO hack underscores a particularly hostile period for decentralized finance. This incident follows a series of high-profile exploits in recent weeks, including the $285 million drain from Drift Protocol on April 1 (linked to North Korea-affiliated actors) and attacks on smaller protocols like CoW Swap, Zerion, Rhea Finance, and Silo Finance. Kelp’s $292 million loss now stands as the largest single DeFi exploit of 2026, highlighting the escalating risks in a rapidly evolving sector.
The critical question now is whether rsETH can maintain its peg and whether Kelp DAO can recover any portion of the stolen funds before they disappear into the labyrinth of mixers like Tornado Cash. This event serves as a stark reminder of the persistent security challenges facing cross-chain infrastructure and the urgent need for more robust, resilient solutions to protect user assets in the DeFi space.