Kelp DAO suffers major security breach loss

Kelp DAO has suffered a major security breach resulting in the loss of 116,500 rsETH, worth about $292 million, in what is emerging as one of the largest decentralized finance hacks of the year.

How the exploit happened

According to on-chain data from April 19, the incident stemmed from a LayerZero-based cross-chain bridge. The attacker called the lzReceive function on the LayerZero EndpointV2 contract, prompting the bridge to release rsETH to a wallet under their control without proper verification.

Technical analysis indicates the bridge accepted an unverified message during the cross-chain transmission process, bypassing normal authentication checks. This message validation failure allowed the attacker to extract large amounts of rsETH undetected.

Blockchain tracing shows the wallet used in the exploit was funded via Tornado Cash roughly 10 hours before the hack. On-chain analyst ZachXBT reported that more than $280 million in rsETH was withdrawn from Ethereum and Arbitrum and then consolidated into the attacker’s address shortly before the main exploit.

Kelp DAO response and attempted damage control

Kelp DAO said it detected suspicious cross-chain activity involving rsETH and moved to suspend affected contracts on Ethereum mainnet and several Layer 2 networks.

The team halted these smart contracts 46 minutes after the first malicious transaction. That intervention blocked two further attempts by the attacker to move an additional 40,000 rsETH, which would have raised the total loss to about $391 million.

Kelp DAO has begun a technical investigation in coordination with LayerZero, Unichain, and external cybersecurity firms to identify the exact root cause and assess ongoing risks.

Aave exposure and market fallout

The exploit's impact quickly spread to the lending protocol Aave.

The attacker deposited the stolen, now unbacked rsETH as collateral on Aave’s V3 market and borrowed other assets, including wrapped ether (WETH). Because the rsETH collateral is no longer properly backed, this position has created significant bad debt that cannot be cleared through normal liquidations.

In response, Aave temporarily froze rsETH markets on both its V3 and V4 deployments. The team said its own contracts were not compromised and pledged to introduce remediation measures if bad debt remains after the incident is fully contained.

Following these developments, the AAVE token price fell by about 10%, reflecting concern over potential knock-on effects across the DeFi lending ecosystem.

Scale of the loss and impact on rsETH

The stolen 116,500 rsETH represents roughly 18% of the token’s circulating supply, delivering a sharp shock to the rsETH market and to protocols that accept it as collateral.

Before the hack, Kelp DAO had more than $750 million in total value locked and was closing in on the $1 billion mark. The project had also recently raised $9 million in new funding, underscoring how quickly growth-stage DeFi platforms can be hit by security failures.

This is Kelp DAO’s second security incident in under a year. In April last year, a vulnerability led to an rsETH over-minting event, though that earlier issue did not result in losses of user funds.

Cross-chain bridges under renewed scrutiny

The breach has intensified scrutiny of cross-chain bridges, which remain a prime target for attackers. In 2025, bridge-related exploits accounted for more than $2.8 billion in losses, or about 40% of all funds stolen from Web3 platforms that year.

In this case, the core weakness again lay in message validation during the cross-chain process. The bridge trusted and executed an unauthenticated communication, demonstrating how a single validation failure can compromise high-value assets in transit.
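The validation failure described above can be modeled in a few lines. This is an added illustration, not Kelp DAO's or LayerZero's code: the class, field names, addresses and amounts are hypothetical, and the three checks (trusted caller, configured peer per source chain, no replay) are the ones a receiving bridge contract is generally expected to make before releasing funds.

```python
from dataclasses import dataclass, field

# All addresses, ids and amounts below are constructed sample values.
ENDPOINT, PEER, ROGUE = "0xEndpoint", "0xRemoteBridge", "0xRogue"

@dataclass(frozen=True)
class Message:
    caller: str     # address that invoked the receive handler
    src_eid: int    # source-chain endpoint id claimed by the message
    sender: str     # remote contract the message claims to come from
    guid: str       # unique message id
    recipient: str
    amount: int

class Rejected(Exception):
    pass

@dataclass
class BridgeReceiver:   # hypothetical model, not a real contract
    endpoint: str       # the only address allowed to deliver messages
    peers: dict         # src_eid -> trusted remote sender
    locked: int         # tokens held by the bridge
    seen: set = field(default_factory=set)

    def _release(self, msg):
        if msg.amount > self.locked:
            raise Rejected("amount exceeds locked balance")
        self.locked -= msg.amount
        return msg.amount

    def receive_unchecked(self, msg):
        # Weak form: acts on the payload without authenticating its origin.
        return self._release(msg)

    def receive_checked(self, msg):
        if msg.caller != self.endpoint:
            raise Rejected("caller is not the messaging endpoint")
        if self.peers.get(msg.src_eid) != msg.sender:
            raise Rejected("sender is not the configured peer for this chain")
        if msg.guid in self.seen:
            raise Rejected("message already processed")
        released = self._release(msg)
        self.seen.add(msg.guid)   # mark only after a successful release
        return released

def try_receive(bridge, msg):
    """Return the released amount, or the rejection reason as a string."""
    try:
        return bridge.receive_checked(msg)
    except Rejected as exc:
        return str(exc)
```

With the checked handler, a message delivered by an unexpected caller or attributed to an unconfigured sender is rejected before any balance changes; the unchecked handler releases funds for the same input.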

The incident comes amid a broader rise in Web3 security incidents. Losses from hacks and scams in the first quarter of 2026 alone are estimated at roughly $482 million, a figure now set to increase sharply once the Kelp DAO exploit is fully accounted for.

Systemic risk for interconnected DeFi protocols

The Kelp DAO breach highlights the systemic risk created by deep interconnections across DeFi platforms. A flaw in one protocol can quickly cascade to others that rely on its tokens as collateral or building blocks.

For rsETH, the premise that it can serve as sound collateral across multiple platforms has been severely tested. Its value is now shown to be vulnerable to external security failures in the infrastructure that supports it, such as cross-chain bridges.

Traders and protocol operators are being pushed to reassess:

  • the counterparty risk of each protocol in a composable stack
  • the assumptions behind liquid restaking tokens used as collateral
  • the security standards applied to cross-chain messaging and bridge architectures

As DeFi protocols continue to expand across chains, the Kelp DAO incident is likely to become a reference case in debates over whether rapid growth is outrunning core security practices in cross-chain infrastructure.

