In a stark reminder of the persistent vulnerabilities within decentralized finance, Kelp DAO, a prominent liquid restaking protocol, has fallen victim to a massive exploit, resulting in the loss of 116,500 rsETH tokens, valued at approximately $292 million. This incident, which occurred on Saturday, represents roughly 18% of rsETH's circulating supply and has sent ripples of concern throughout the broader crypto market.
The Exploit: LayerZero Bridge Compromised
The attacker targeted Kelp DAO's LayerZero-powered bridge, an infrastructure critical for facilitating cross-chain movement of rsETH. LayerZero, designed as a cross-chain messaging layer, enables different blockchains to communicate and verify instructions. In this instance, the perpetrator managed to trick LayerZero into validating a fraudulent instruction, prompting Kelp's bridge to release the substantial amount of rsETH to an attacker-controlled address.
Kelp DAO's emergency pauser multisig acted swiftly, freezing core contracts within 46 minutes of the drain. Subsequent attempts by the attacker to drain an additional 40,000 rsETH were successfully thwarted. Kelp DAO, a product under Kerne, allows users to deposit ETH, which is then routed through EigenLayer to earn additional yield, with rsETH issued as a tradeable receipt.
Contagion Spreads Across DeFi
The fallout from the exploit was immediate and widespread. Given that the drained bridge held the primary reserve backing wrapped versions of rsETH deployed across more than 20 networks—including Base, Arbitrum, Linea, Blast, Mantle, and Scroll—the integrity of rsETH on these layer 2 solutions is now under intense scrutiny. Holders on non-Ethereum deployments face uncertainty regarding the underlying value of their tokens, potentially triggering a wave of panic redemptions that could further strain Kelp DAO's ability to meet withdrawals.
Major DeFi protocols quickly moved to mitigate their exposure:
- Aave froze rsETH markets on both V3 and V4 within hours. Founder Stani Kulechov confirmed that Aave's contracts were not compromised, attributing the exploit to an external vulnerability.
- SparkLend and Fluid followed suit, freezing their respective rsETH markets.
- Lido Finance temporarily paused further deposits into its earnETH product, which has rsETH exposure, while clarifying that its core staking protocol and stETH/wstETH tokens remain unaffected.
- Ethena, as a precautionary measure, paused its LayerZero OFT bridges from the Ethereum mainnet. The stablecoin issuer stated it has no direct rsETH exposure and remains overcollateralized, with the pause expected to last approximately six hours while the root cause is investigated.
The market reacted sharply, with AAVE's token price experiencing a roughly 10% drop as traders priced in potential bad debt scenarios.
Implications for Restaking and Cross-Chain Security
This incident marks the largest DeFi hack of 2026 so far, underscoring the escalating risks associated with cross-chain bridges and liquid restaking protocols. The exploit places immense pressure on rsETH's peg and Kelp DAO's capacity to honor redemptions, potentially forcing the protocol to unwind its restaking positions. For the wider DeFi community, it highlights the critical need for robust security audits, rapid response mechanisms, and a deeper understanding of the interconnected risks inherent in multi-chain environments. The incident serves as a stark reminder that even innovative solutions like liquid restaking and cross-chain messaging layers carry significant, evolving security challenges.