Key Takeaways
- A sophisticated bridge exploit compromised Kelp DAO’s LayerZero integration on Saturday, resulting in the theft of 116,500 rsETH valued at approximately $292 million
- The exploit manipulated LayerZero’s cross-chain communication protocol to authorize unauthorized fund withdrawals to a malicious wallet
- Approximately $250 million of the stolen assets were swapped for ETH through an address previously funded by Tornado Cash
- Nine or more DeFi protocols implemented emergency freezes on rsETH markets, including major platforms like Aave, SparkLend, and Fluid
- The incident now represents 2026’s most significant DeFi security breach, eclipsing the Drift Protocol incident from early April
A malicious actor successfully extracted 116,500 rsETH tokens from Kelp DAO’s LayerZero-integrated bridge infrastructure on Saturday evening at 17:35 UTC, absconding with cryptocurrency assets valued at approximately $292 million.
The compromised amount constitutes roughly 18% of the entire rsETH circulating supply, which currently stands at 630,000 tokens based on CoinGecko analytics.
Kelp DAO operates as a liquid restaking platform that accepts ETH deposits from users, channels them through EigenLayer for enhanced returns, and distributes rsETH tokens as tradeable proof of deposit.
The perpetrator exploited a vulnerability in LayerZero’s cross-chain communication infrastructure, deceiving the system into processing what appeared to be legitimate instructions from a connected blockchain network. This manipulation forced Kelp’s bridge contract to transfer substantial funds to a wallet under the attacker’s control.
Kelp’s emergency response multisignature wallet activated protocol-wide pauses on core smart contracts just 46 minutes following the initial breach, at 18:21 UTC. Two subsequent extraction attempts targeting an additional 40,000 rsETH tokens — representing approximately $100 million in value — were successfully prevented.
The stolen cryptocurrency was laundered through an address with documented Tornado Cash funding history. Blockchain intelligence firm Cyvers confirmed that roughly $250 million worth of the compromised rsETH had already been exchanged for ETH.
Widespread Protocol Response and Market Impact
The exploited bridge contract served as the primary reserve supporting wrapped rsETH tokens deployed across more than 20 different blockchain networks, including Base, Arbitrum, Linea, Blast, and Scroll.
With the reserve backing eliminated, rsETH holders on layer 2 networks now confront significant uncertainty regarding the full collateralization status of their holdings.
Aave implemented immediate market freezes for rsETH across both V3 and V4 deployments within hours of discovering the exploit. [[LINK_START_0]]Aave’s token[[LINK_END_0]] experienced approximately 10% depreciation as traders factored in exposure to potential uncollateralized debt positions.
SparkLend and Fluid similarly suspended all rsETH market operations. Lido Finance temporarily halted deposits into its earnETH offering, which maintains rsETH exposure, while emphasizing that its primary staking infrastructure remained unaffected.
Ethena implemented precautionary measures by suspending its LayerZero OFT bridge connections from Ethereum mainnet for approximately six hours, confirming zero rsETH portfolio exposure.
Kelp published its initial official statement at 20:10 UTC — nearly three hours following the security breach. The protocol confirmed active collaboration with LayerZero, Unichain, contracted auditing firms, and external security specialists.
Escalating DeFi Security Concerns in 2026
Cyvers CEO Deddy Lavid characterized the incident as highlighting fundamental vulnerabilities inherent in DeFi composability, where protocols maintain extensive interconnected dependencies.
[[LINK_START_1]]The Drift Protocol[[LINK_END_1]], operating on Solana, suffered approximately $285 million in losses on April 1 through an attack attributed to North Korean-affiliated threat actors.
Additional platforms including CoW Swap, Zerion, Rhea Finance, and Silo Finance have experienced security compromises throughout recent weeks.
Cumulative cryptocurrency losses from exploits and fraudulent schemes reached approximately $482 million during Q1 2026, based on Cyvers research.
The Kelp DAO security breach currently holds the position as 2026’s most financially significant DeFi exploitation event, marginally exceeding the Drift incident by several million dollars.
Kelp has not publicly revealed technical details regarding how the attacker circumvented the bridge’s validation mechanisms as of this publication.
