Key Takeaways
- A sophisticated attack on Kelp DAO’s LayerZero bridge resulted in the theft of 116,500 rsETH tokens, valued at approximately $292 million
- The breach exploited LayerZero’s cross-chain messaging system, tricking it into approving unauthorized fund transfers
- Roughly $250 million worth of the pilfered assets were swapped for ETH through an address linked to Tornado Cash
- Nine or more DeFi platforms implemented emergency freezes on rsETH markets, including major protocols like Aave, SparkLend, and Fluid
- The incident has become 2026’s most significant DeFi security breach, exceeding the Drift Protocol compromise from early April
On Saturday at 17:35 UTC, an attacker drained 116,500 rsETH tokens, worth approximately $292 million, from Kelp DAO’s LayerZero-integrated bridge infrastructure.
The compromised amount accounts for roughly 18% of the entire rsETH token circulation, which totals 630,000 units based on CoinGecko analytics.
Kelp DAO is a liquid restaking protocol that accepts ETH deposits from users, restakes them through EigenLayer for additional yield, and issues rsETH tokens as a liquid receipt for the staked ETH.
The perpetrator manipulated LayerZero’s inter-blockchain communication protocol, deceiving it into processing what appeared to be legitimate cross-chain instructions. This security lapse prompted Kelp’s bridge system to transfer the substantial sum to a wallet under the attacker’s control.
Forty-six minutes following the initial breach, at 18:21 UTC, Kelp’s emergency multi-signature wallet administrators activated protocol-wide contract pauses. Two subsequent extraction attempts targeting an additional 40,000 rsETH — approximately $100 million in value — were successfully prevented.
The illicit proceeds were routed through a wallet previously funded via Tornado Cash. Blockchain analytics provider Cyvers confirmed that approximately $250 million of the stolen rsETH had been liquidated into ETH.
Ripple Effects Throughout DeFi Ecosystem
The compromised bridge served as the reserve vault supporting wrapped rsETH across more than twenty different blockchain networks, encompassing Base, Arbitrum, Linea, Blast, and Scroll.
Following the reserve depletion, rsETH holders on layer-2 platforms now confront questions regarding the full collateralization of their holdings.
Within hours of the security incident, Aave implemented market freezes for rsETH across its V3 and V4 deployments. Aave’s token experienced approximately 10% depreciation as traders factored in exposure to potential uncollateralized debt.
SparkLend and Fluid followed suit by suspending their respective rsETH trading pairs. Lido Finance temporarily halted contributions to its earnETH offering, which maintains rsETH allocation, while emphasizing that its primary staking infrastructure remained unaffected.
Ethena implemented precautionary measures by disabling its LayerZero OFT bridge connections from Ethereum mainnet for approximately six hours, confirming zero rsETH portfolio exposure.
Kelp issued its initial public statement at 20:10 UTC — approximately three hours post-attack. The development team confirmed active collaboration with LayerZero, Unichain, security auditors, and external cybersecurity consultants.
DeFi Security Challenges Persist in 2026
Cyvers CEO Deddy Lavid characterized the breach as demonstrative of inherent vulnerabilities within DeFi’s composable architecture, where protocol interdependencies create systemic exposure.
The Drift Protocol, operating on Solana, suffered approximately $285 million in losses on April 1 through an intrusion attributed to North Korean-linked threat actors.
Additional platforms including CoW Swap, Zerion, Rhea Finance, and Silo Finance have experienced security compromises throughout recent weeks.
According to Cyvers data, combined cryptocurrency losses from exploits and fraudulent schemes reached roughly $482 million during Q1 2026.
The Kelp DAO security breach currently represents 2026’s most substantial DeFi attack, exceeding the Drift incident by several million dollars.
As of publication, Kelp has not publicly revealed technical details regarding how the attacker circumvented the bridge’s security validation mechanisms.


