2026's biggest crypto exploit: Kelp DAO hit for $292 million with wrapped ether stranded across 20 chains
An attacker drained 116,500 rsETH, roughly 18% of circulating supply, from Kelp's LayerZero-powered bridge on Saturday, triggering emergency freezes across Aave, SparkLend, Fluid and Upshift.
By Shaurya MalwaUpdated Apr 18, 2026, 8:59 p.m. Published Apr 18, 2026, 8:53 p.m. Make preferred on
What to know:
- An attacker exploited Kelp DAO's LayerZero-powered bridge to drain 116,500 rsETH—about $292 million and roughly 18 percent of the token's circulating supply—triggering an emergency pause of core contracts.
- Because the bridge held reserves backing rsETH on more than 20 networks, the loss has raised doubts about the backing of rsETH on layer 2s and sparked a wave of market freezes by protocols including Aave, SparkLend and Fluid.
- The exploit, now the largest DeFi hack of 2026, comes amid a broader surge in DeFi attacks and has put rsETH's peg and Kelp DAO's ability to meet redemptions under intense pressure.
A cross-chain bridge holding nearly a fifth of a restaked ether token's circulating supply just got drained, and the fallout is moving through DeFi faster than Kelp DAO can pause contracts.
An attacker drained 116,500 rsETH (restaked ether) from Kelp DAO's LayerZero-powered bridge at 17:35 UTC on Saturday, worth roughly $292 million at current prices and representing about 18% of rsETH's 630,000 token circulating supply tracked by CoinGecko.
LayerZero is a cross-chain messaging layer, or the infrastructure that lets different blockchains send verified instructions to each other. Kelp DAO is a liquid restaking protocol, which takes user-deposited ETH, routes it through EigenLayer to earn additional yield on top of standard Ethereum staking rewards, and issues rsETH as a tradeable receipt.
The bridge that was drained held the rsETH reserve backing wrapped versions of the token deployed on more than 20 other blockchains.
The attacker tricked LayerZero's cross-chain messaging layer into believing a valid instruction had arrived from another network, which triggered Kelp's bridge to release 116,500 rsETH to an attacker-controlled address.
Kelp's emergency pauser multisig froze the protocol's core contracts 46 minutes after the successful drain, at 18:21 UTC. Two follow-up attempts at 18:26 UTC and 18:28 UTC both reverted, each carrying the same LayerZero packet attempting another 40,000 rsETH drain worth roughly $100 million.
rsETH is deployed across more than 20 networks including Base, Arbitrum, Linea, Blast, Mantle and Scroll, with LayerZero's OFT standard handling the cross-chain movement.
The rsETH held in the bridge was the reserve backing wrapped versions on every layer 2 blockchain, or networks that run atop Ethereum.
With that reserve drained, holders on non-Ethereum deployments now face the question of whether their tokens have anything underneath them, which creates a feedback loop where panic redemptions on L2s pressure the unaffected Ethereum supply, potentially forcing Kelp to unwind restaking positions to honor withdrawals.
The contagion list is long and still growing.
Aave froze rsETH markets on V3 and V4 within hours, with founder Stani Kulechov affirming the exploit was external and Aave's contracts were not compromised. SparkLend and Fluid froze their rsETH markets.
AAVE fell about 10% as the market priced potential bad debt.
Kelp, a product under the KernelDAO umbrella, acknowledged the incident in its first public X post at 20:10 UTC, nearly three hours after the drain. The protocol said it was investigating with LayerZero, Unichain, its auditors and outside security specialists. It has not disclosed how the exploit bypassed the bridge's validation logic.
Whether rsETH holds peg through the weekend depends on how much of the cross-chain float tries to redeem into ETH on Ethereum and whether Kelp can recover any portion of the stolen funds before the Tornado Cash trail goes cold.
The hack lands in an unusually hostile stretch for DeFi. Solana-based perpetuals protocol Drift was drained of about $285 million on April 1 in an attack later linked to North Korea-affiliated actors, and at least a dozen smaller protocols have been exploited in the weeks since, including CoW Swap, Zerion, Rhea Finance and Silo Finance.
Kelp's $292 million loss is now the largest DeFi exploit of 2026, overtaking Drift by a few million dollars.
More For You
Bitcoin 'plebs eat first' mining pool Parasite finds its second BTC block
By Shaurya Malwa7 hours ago
Parasite Pool, which pays 1 BTC to the block finder and splits the rest among all participants, mined block 945,601 on Friday, about 48 days after its first.
What to know:
- Parasite Pool, a home-miner-focused bitcoin mining pool using a novel hybrid payout model, has mined its second block, #945,601, about 48 days after its first.
- The pool pays 1 bitcoin directly to the block finder and distributes the remaining 2.125 bitcoin plus fees proportionally among all participants, with no pool...
Why Michael Saylor's Strategy decided to make STRC's dividend bi-monthly
33 minutes ago
From smelters to servers: Alcoa to cash in on crypto’s thirst for energy
39 minutes ago
AI is increasingly eating into VC fundings and here is how crypto firms are adapting
1 hour ago
Binance and Bitget to probe RAVE’s 4,500% token surge as claims of insider-orchestrated rally grow
4 hours ago
The Lightning Network isn’t ‘helplessly broken’
4 hours ago
Zondacrypto under fire as Poland's prime minister links exchange to legislative interference
7 hours agoTop Stories
Bitcoin falls back to $76,000 as Iran shuts Hormuz again
15 hours ago
How a quantum computer can be used to actually steal your bitcoin in '9 minutes'
17 hours ago
Strategy proposes semi-monthly dividends on its popular STRC preferred stock
Apr 17, 2026
Sam Altman’s World project launches major upgrade to fight deepfakes and bots
Apr 17, 2026
Ethereum co-founder Joseph Lubin warns of the dangers of AI being controlled by a few big tech firms
8 hours ago
