Kelp DAO rsETH Bridge Exploit: $292M Drained in DeFi's Biggest 2026 Hack

A major security breach hit Kelp DAO on Saturday when an attacker drained 116,500 rsETH tokens from its LayerZero-powered cross-chain bridge, netting approximately $292 million and claiming roughly 18% of rsETH's entire circulating supply. The incident now stands as the largest decentralized finance exploit recorded in 2026, narrowly surpassing the $285 million Drift protocol attack attributed to North Korea-linked actors earlier in April.

The attacker manipulated LayerZero's cross-chain messaging infrastructure into treating a fraudulent instruction as legitimate, causing Kelp's bridge to release the stolen tokens to an attacker-controlled wallet. The breach occurred at 17:35 UTC, while Kelp's emergency multisig only managed to freeze core contracts 46 minutes later. Two subsequent drain attempts targeting an additional $100 million were blocked after the pause took effect.

Kelp is a liquid restaking protocol under the KernelDAO umbrella. It accepts user-deposited ETH, routes it through EigenLayer for additional yield on top of standard staking rewards, and issues rsETH as a liquid, tradeable receipt token. That bridge reserve backed wrapped rsETH versions deployed across more than 20 networks, including Arbitrum, Base, Blast, Linea, Mantle, and Scroll. With the reserve emptied, cross-chain rsETH holders face serious uncertainty about what backs their tokens, creating pressure on the broader Ethereum supply as panic redemptions could force Kelp to unwind restaking positions.

Contagion spread quickly across DeFi. Aave froze rsETH lending markets on V3 and V4, sending AAVE's token down roughly 10%. SparkLend and Fluid followed with similar freezes. Lido Finance paused deposits into its rsETH-exposed earnETH product while confirming stETH and wstETH remain unaffected. Ethena temporarily halted its own LayerZero bridges as a precaution despite having zero rsETH exposure.

Kelp issued its first public acknowledgment nearly three hours after the exploit, stating it was working with LayerZero, auditors, and external security researchers to investigate. Recovery of the stolen funds remains uncertain as on-chain trails cool.