Key Takeaways
- A sophisticated exploit targeted Kelp DAO’s LayerZero bridge infrastructure on Saturday, resulting in the theft of 116,500 rsETH valued at approximately $292 million
- The breach exploited LayerZero’s cross-chain messaging system, convincing it to authorize fund transfers to a malicious wallet
- Approximately $250 million of the compromised assets were swapped for ETH using an address previously funded through Tornado Cash
- Nine DeFi platforms implemented emergency freezes on rsETH markets, with Aave, SparkLend, and Fluid among the first responders
- The breach surpasses the April 1 Drift Protocol incident to become 2026’s most significant DeFi security breach
A malicious actor successfully extracted 116,500 rsETH tokens from Kelp DAO’s LayerZero-enabled bridge infrastructure on Saturday at 17:35 UTC, stealing cryptocurrency assets valued at approximately $292 million.
The breach affected roughly 18% of rsETH’s 630,000-token total supply currently in circulation, based on CoinGecko analytics.
Kelp DAO operates as a liquid restaking platform that accepts ETH deposits from users, channels them through EigenLayer for enhanced returns, and distributes rsETH as transferable proof-of-deposit tokens.
The perpetrator manipulated LayerZero’s cross-chain communication infrastructure, creating the false impression that legitimate transfer instructions had been transmitted from a connected blockchain network. This deception prompted Kelp’s bridge mechanism to authorize the release of funds to a wallet under the attacker’s control.
Kelp’s emergency response team activated protocol pauses across core smart contracts at 18:21 UTC, exactly 46 minutes following the initial breach. Two subsequent extraction attempts targeting an additional 40,000 rsETH — representing roughly $100 million — were successfully prevented.
The compromised assets were transferred through a wallet address with prior Tornado Cash funding connections. Blockchain security firm Cyvers confirmed that approximately $250 million worth of the stolen rsETH had been exchanged for ETH.
Ripple Effects Across Decentralized Finance Ecosystem
The compromised bridge served as the reserve backing for wrapped rsETH deployed across more than 20 blockchain networks, spanning Base, Arbitrum, Linea, Blast, and Scroll.
The depletion of these reserves has created ambiguity for rsETH holders on layer 2 platforms regarding the full collateralization status of their tokens.
Aave implemented immediate freezes on rsETH markets across both V3 and V4 versions within hours of discovering the exploit. Aave’s token declined approximately 10% as market participants factored in potential bad debt exposure.
SparkLend and Fluid executed similar market freezes for their rsETH offerings. Lido Finance suspended deposits to its earnETH product due to rsETH integration while emphasizing that its primary staking infrastructure remained unaffected.
Ethena implemented a precautionary suspension of its LayerZero OFT bridges from Ethereum mainnet lasting approximately six hours, confirming zero rsETH exposure within its systems.
Kelp released its initial public statement at 20:10 UTC — approaching three hours post-attack. The protocol confirmed active collaboration with LayerZero, Unichain, audit partners, and external security consultants.
Escalating DeFi Security Challenges in 2026
Cyvers CEO Deddy Lavid highlighted how the incident demonstrates the vulnerability inherent in DeFi’s interconnected architecture, where protocols maintain extensive interdependencies.
The Drift Protocol, operating on Solana, experienced approximately $285 million in losses on April 1 through an attack attributed to North Korean-linked threat actors.
Additional platforms including CoW Swap, Zerion, Rhea Finance, and Silo Finance have faced security breaches throughout recent weeks.
Cybers data indicates that cryptocurrency losses from hacking incidents and fraudulent schemes totaled approximately $482 million during Q1 2026.
The Kelp DAO breach currently holds the position as 2026’s most substantial DeFi security incident, exceeding the Drift compromise by several million dollars.
Kelp has yet to publish technical details explaining how the attacker circumvented the bridge’s validation mechanisms at the time of this reporting.
