TLDR
- A LayerZero bridge vulnerability enabled hackers to extract 116,500 rsETH tokens valued at approximately $292 million from Kelp DAO on Saturday
- The breach exploited LayerZero’s cross-chain messaging protocol to authorize unauthorized fund transfers to a wallet controlled by the attacker
- Approximately $250 million in stolen assets were swapped for ETH using an address previously funded through Tornado Cash
- Nine or more DeFi platforms implemented emergency freezes on rsETH trading, including major protocols Aave, SparkLend, and Fluid
- The breach now ranks as 2026’s most significant DeFi security incident, exceeding the April 1 Drift Protocol attack
Hackers successfully extracted 116,500 rsETH tokens from Kelp DAO’s LayerZero-integrated bridge on Saturday evening at 17:35 UTC, stealing cryptocurrency assets worth approximately $292 million.
The breach impacted roughly 18% of rsETH’s entire circulating token supply, which currently stands at 630,000 tokens based on CoinGecko data.
Kelp DAO operates as a liquid restaking platform that accepts ETH deposits from users, channels them through EigenLayer for enhanced returns, and distributes rsETH tokens as tradeable proof of stake.
The perpetrators exploited a vulnerability in LayerZero’s cross-chain communication infrastructure, fooling the system into recognizing fraudulent authorization from another blockchain network. This manipulation forced Kelp’s bridge smart contracts to transfer the assets to a wallet under the attacker’s control.
Kelp’s emergency response team activated pause mechanisms on the protocol’s primary smart contracts exactly 46 minutes following the initial breach, at 18:21 UTC. Two subsequent attempts targeting an additional 40,000 rsETH tokens — representing roughly $100 million — were successfully prevented.
The compromised funds were routed through a wallet address with prior Tornado Cash funding. Blockchain security company Cyvers confirmed that approximately $250 million worth of the stolen rsETH had been exchanged for ETH.
Fallout Spreads Across DeFi
The compromised bridge contract served as the backing reserve for wrapped rsETH tokens distributed across over 20 different blockchain networks, including Base, Arbitrum, Linea, Blast, and Scroll.
With the reserve depleted, users holding rsETH on layer 2 platforms now confront questions regarding whether their tokens maintain full collateralization.
Aave implemented immediate freezes on rsETH markets across both V3 and V4 platforms within hours of discovering the exploit. Aave’s token experienced approximately 10% depreciation as markets adjusted for potential uncollateralized debt exposure.
Both SparkLend and Fluid enacted similar rsETH market suspensions. Lido Finance temporarily halted deposits into its earnETH offering, which maintains rsETH positions, though the organization emphasized its primary staking infrastructure remained unaffected.
Ethena suspended its LayerZero OFT bridges from Ethereum mainnet for roughly six hours as a protective measure, confirming zero rsETH holdings.
Kelp issued its initial public statement at 20:10 UTC — approximately three hours following the attack’s commencement. The protocol confirmed active collaboration with LayerZero, Unichain, security auditors, and independent cybersecurity experts.
A Rough Stretch for DeFi in 2026
Cyvers CEO Deddy Lavid highlighted the incident as evidence of inherent vulnerabilities in DeFi’s composable architecture, where platforms maintain extensive interconnections.
The Drift Protocol, operating on Solana, experienced a drainage of approximately $285 million on April 1 through an assault attributed to North Korean cybercrime organizations.
Additional platforms including CoW Swap, Zerion, Rhea Finance, and Silo Finance have suffered security breaches throughout recent weeks.
Combined cryptocurrency losses from exploits and fraudulent schemes totaled approximately $482 million during Q1 2026, based on Cyvers reporting.
The Kelp DAO security breach currently represents 2026’s most substantial DeFi attack, exceeding the Drift incident by several million dollars.
Kelp has not publicly revealed technical details regarding how attackers circumvented the bridge’s validation mechanisms as of publication time.
