Kelp DAO, a liquid restaking protocol tied to the EigenLayer ecosystem, was hit by a major exploit on April 18, 2026, after around $292 million in rsETH were drained through its cross-chain bridge.
The incident quickly spread beyond the protocol itself, as the attacker moved the stolen assets into major DeFi lending platforms and borrowed large amounts of ETH.
An early alert from ZachXBT helped surface the attack within minutes, while Kelp DAO acknowledged the incident over an hour later through an X post, saying that it had paused rsETH contracts across mainnet and several Layer-2 chains. According to the message, the protocol is “working with LayerZero, Unichain, their auditors, and top security experts on RCA.”
According to Cyvers, the attacker was just minutes away from triggering a second exploit attack that could have drained another $100 million. A rapid blacklist response blocked the attempt shortly before execution, limiting further losses.
The exploit did not rely on a traditional smart contract bug, but instead abused the way cross-chain messages were verified.
The attack began when the attacker created a forged cross-chain message through infrastructure connected to LayerZero Labs. Kelp DAO uses LayerZero’s Omnichain Fungible Token system to move rsETH across multiple blockchains, relying on off-chain verification before releasing funds.
According to early findings shared by DeFi expert Steven Enamakel and Defiprime, the system accepted a message that appeared valid, even though no actual deposit or burn event had occurred on the source chain. That allowed the attacker to unlock or mint a large amount of rsETH without backing it with real ETH.
On-chain data shows that about 116,500 rsETH was drained in a single sequence, representing a large share of the circulating supply. The issue appears linked to the Decentralized Verifier Network configuration, which is responsible for confirming cross-chain messages. Early findings suggest the verification layer may have been misconfigured or weakened, allowing a malicious message to pass as legitimate. This means the failure likely happened outside the core smart contracts, in how the system trusted external validation.
Shortly after obtaining the rsETH, the attacker sent the tokens to the Aave lending protocol. The platform accepted rsETH as collateral, treating it as a liquid restaking asset backed by ETH. Using that collateral, the attacker borrowed large amounts of ETH and wrapped ETH, as Aave’s CEO explained. The lending protocol ended up holding collateral that was not actually backed by real assets.
On-chain activity shows that the attacker prepared the operation in advance, funding wallets through mixing services before executing the exploit. The speed of the second phase suggests a clear plan to convert the initial gain into harder-to-recover assets. By the time protocols reacted, a large portion of the borrowed ETH had already moved.
This chain of events exposed how quickly risk can spread when one asset is widely used across DeFi. What started as a bridge failure became a multi-protocol issue within minutes.
Kelp DAO paused its contracts less than an hour after the exploit began, preventing additional outflows and blocking further use of the bridge. The team said it was working with partners, including LayerZero and several security firms, to review what happened and prevent similar incidents. Early estimates suggest that further losses were avoided due to the quick shutdown.
Because lending markets depend on collateral value to secure loans, risk teams at Aave responded by freezing rsETH markets and restricting further borrowing. Other platforms, such as Compound and Euler Labs, took similar steps. Protocols such as Venus Protocol began checking their exposure to rsETH and adjusting risk parameters.
For now, the exploit stands as one of the largest DeFi incidents of 2026, combining a bridge failure with a fast-moving lending attack that spread across multiple protocols within a short time.
0 Comments
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate. We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA. We will keep you Show more
