An attacker drained 116,500 rsETH from Kelp DAO's LayerZero bridge in the largest DeFi exploit of 2026, triggering emergency freezes across Aave, SparkLend, and Fluid.
Kelp DAO lost $292 million in rsETH after an attacker exploited a vulnerability in the protocol's LayerZero-powered cross-chain bridge, making it the largest DeFi exploit of 2026.
On April 18, an attacker manipulated LayerZero's cross-chain messaging layer to trick Kelp DAO's bridge into releasing 116,500 rsETH, roughly 18% of the token's circulating supply. The drain occurred at 17:35 UTC through a call to the lzReceive function on LayerZero's EndpointV2 contract, which triggered the bridge to release funds to an attacker-controlled address.
Kelp's emergency pauser multisig froze the protocol's core contracts 46 minutes later at 18:21 UTC. Two follow-up attempts at 18:26 and 18:28 UTC, each carrying LayerZero packets for another 40,000 rsETH worth roughly $100 million, were blocked by the freeze. The attacker used Tornado Cash to fund the initial wallet and later collateralized the stolen rsETH on Aave V3 to borrow ETH and WETH before routing the proceeds through Tornado Cash again.
The exploit is the largest DeFi security incident this year, surpassing the Drift protocol hack by several million dollars. More critically, the drain affected rsETH reserves backing the token across more than 20 networks, raising questions about the solvency of rsETH on layer 2 chains.
Aave, SparkLend, Fluid, and Upshift all froze rsETH-related markets within hours as a precaution. AAVE token price dropped roughly 10% in the aftermath. The incident adds fresh pressure to the cross-chain bridge security debate, which has been a recurring weak point for DeFi since the Wormhole and Ronin exploits of prior years. On-chain investigator ZachXBT flagged the exploit early and traced the attacker's movements across Ethereum DeFi lending markets.
Kelp DAO has not yet issued a post-mortem or disclosed whether a recovery plan is in progress. The key questions now are whether the protocol can negotiate a return of funds (as some exploiters have done in the past), and how Aave and other lending protocols will handle the potential bad debt created by the attacker's borrowing positions. LayerZero's security model is also under scrutiny, as the attack exploited the messaging layer rather than Kelp's own smart contracts.
This is a developing story. The $292 million Kelp DAO exploit highlights persistent risks in cross-chain bridge infrastructure, even as the broader DeFi ecosystem continues to grow. Affected users should monitor official Kelp DAO channels for updates on fund recovery efforts.
Disclaimer: News content is for informational purposes only and should not be considered financial advice. Market conditions can change rapidly. Always conduct your own research.
