Kelp DAO loses $292 million as rsETH is drained across 20 networks

An attacker drained 116,500 rsETH from Kelp DAO’s LayerZero-powered bridge on Saturday, triggering an emergency pause of core contracts and setting off market freezes across multiple DeFi protocols. The theft—worth about $292 million at current prices—represents roughly 18% of rsETH’s 630,000 token circulating supply tracked by CoinGecko.

Bridge drained; emergency pause follows

The drain occurred at 17:35 UTC. The bridge held rsETH reserves backing wrapped versions of the token deployed on more than 20 networks. By exploiting LayerZero’s cross-chain messaging, the attacker caused the system to treat an instruction as valid from another network, prompting Kelp’s bridge to release 116,500 rsETH to an attacker-controlled address.

Kelp’s emergency pauser multisig froze the protocol’s core contracts at 18:21 UTC, 46 minutes after the successful drain. Two subsequent attempts at 18:26 UTC and 18:28 UTC both reverted, each attempting to drain an additional 40,000 rsETH (about $100 million per attempt).

What rsETH is and where it is deployed

rsETH is issued by Kelp DAO, a liquid restaking protocol. Users deposit ETH, which is routed through EigenLayer to earn additional yield on top of standard Ethereum staking rewards, and Kelp issues rsETH as a tradeable receipt.

rsETH is deployed across more than 20 networks, including Base, Arbitrum, Linea, Blast, Mantle, and Scroll. LayerZero’s OFT standard handles cross-chain movement, and the bridge’s reserves were intended to back wrapped rsETH versions on non-Ethereum deployments.

Contagion across DeFi markets

With the bridge reserve drained, holders on non-Ethereum deployments face uncertainty about whether their tokens are fully backed. That uncertainty can drive panic redemptions on L2s, which in turn can increase pressure on the Ethereum-side supply and potentially force Kelp to unwind restaking positions to meet withdrawals.

The freeze response spread quickly:

• Aave froze rsETH markets on V3 and V4 within hours. Founder Stani Kulechov said the exploit was external and that Aave’s contracts were not compromised.
• SparkLend and Fluid also froze their rsETH markets.

Market and protocol actions

• AAVE fell by about 10% as the market priced in potential bad debt.
• Lido Finance paused further deposits into its earnETH product, which carries rsETH exposure. Lido said stETH and wstETH are unaffected and that the core Lido staking protocol has no involvement in the incident.
• Ethena temporarily paused its LayerZero OFT bridges from Ethereum mainnet as a precaution. Ethena said it has no rsETH exposure and remains more than 101% overcollateralized, adding that the pause would last roughly six hours while the root cause is identified.

Timeline and disclosure

Kelp, a product under the KernelDAO umbrella, acknowledged the incident in its first public X post at 20:10 UTC—nearly three hours after the drain. The protocol said it was investigating with LayerZero, Unichain, its auditors, and outside security specialists, but it has not disclosed how the exploit bypassed the bridge’s validation logic.

Broader context and what to watch

The hack arrives during a period of heightened DeFi attacks. Solana-based perpetuals protocol Drift was drained of about $285 million on April 1 in an attack later linked to North Korea-affiliated actors, and at least a dozen smaller protocols have been exploited in the weeks since, including CoW Swap, Zerion, Rhea Finance, and Silo Finance.

For rsETH’s peg through the weekend, the outcome depends on how much of the cross-chain float attempts to redeem into ETH on Ethereum and whether Kelp can recover any portion of the stolen funds before the trail goes cold.

With a $292 million loss, the incident is now the largest DeFi exploit of 2026, overtaking Drift by a few million dollars.