A significant security breach has sent shockwaves through the decentralized finance (DeFi) ecosystem as an attacker exploited a cross-chain bridge managed by Kelp DAO, draining approximately 116,500 rsETH (restaked ether), valued at about $292 million. This amount constitutes nearly 18% of rsETH’s circulating supply, which is currently around 630,000 tokens as tracked by CoinGecko.
Kelp DAO operates as a liquid restaking protocol, allowing users to deposit Ethereum, which is then routed through EigenLayer to maximize yields beyond conventional Ethereum staking rewards. As part of this process, the protocol issues rsETH as a tradeable receipt. The drained bridge was instrumental in maintaining reserves for wrapped versions of rsETH across over 20 blockchains.
The exploit occurred at 17:35 UTC on Saturday when the attacker managed to deceive LayerZero’s cross-chain messaging infrastructure into thinking a legitimate instruction from another network was received. This manipulation led to Kelp’s bridge releasing a substantial amount of rsETH to an address controlled by the attacker.
In response to the breach, Kelp’s emergency pauser multisig acted swiftly, freezing the protocol’s core contracts at 18:21 UTC—approximately 46 minutes after the unauthorized transaction. Attempts to halt further exploits shortly after, with attempts to retract additional 40,000 rsETH drains valued at roughly $100 million, were unsuccessful.
The incident has raised considerable concerns among holders of rsETH, especially those on non-Ethereum networks. With the bridge’s reserves drained, questions loom over the underlying value of wrapped tokens on these other blockchains. This has triggered panic among holders, leading to potential redemption rushes that could further pressure the remaining Ethereum supplies. The unfolding situation poses a risk that Kelp may be forced to liquidate restaked positions to satisfy withdrawal demands.
This breach has sparked rapid reactions across the industry. Aave promptly froze its rsETH markets on both Version 3 and Version 4, indicating that while the exploit was externally initiated, their own contracts remained secure. Other platforms, including SparkLend and Fluid, followed suit, suspending their rsETH markets to mitigate risks.
In a further precautionary measure, Lido Finance temporarily halted deposits into its earnETH product, which has exposure to rsETH, although it reassured users that stETH and wstETH remain unaffected. Ethena also paused its LayerZero OFT bridges from Ethereum mainnet due to the incident, despite asserting it had no rsETH exposure and was overcollateralized.
As the investigation unfolds, Kelp DAO has reached out to LayerZero, Unichain, auditors, and outside security experts to understand how the attack bypassed the bridge’s validation mechanisms. The future stability of rsETH is uncertain and largely hinges on two factors: the willingness of cross-chain holders to redeem their tokens for ETH and Kelp’s ability to recover stolen assets before the trail becomes too cold.
Unfortunately, this incident marks a troubling trend within the DeFi space, which has recently experienced a series of significant exploits. Just months earlier, a Solana-based perpetuals protocol lost $285 million in an attack attributed to actors affiliated with North Korea. The fallout from Kelp’s hack has now positioned it as the largest DeFi exploit of 2026, surpassing previous incidents by several million dollars, further amplifying the concerns about the security of digital assets in decentralized finance.
