Kelp DAO experienced a significant exploit on Saturday, with an attacker draining 116,500 rsETH from its LayerZero-powered bridge, amounting to approximately $292 million. This theft represents about 18% of the circulating supply of rsETH, raising urgent alarms across decentralized finance (DeFi) platforms. The fallout has been immediate, with emergency freezes implemented by major protocols such as Aave, SparkLend, and Fluid to contain the damage. The exploit occurred after the attacker manipulated LayerZero's cross-chain messaging system, deceiving it into releasing the funds to an address under their control.

Kelp DAO, a liquid restaking protocol that routes user-deposited ETH to earn additional yield, could not react quickly enough to prevent the drain. The drained rsETH was crucial as it backed wrapped versions of the token on over 20 different blockchains, including Layer 2 networks like Arbitrum and Base. LayerZero serves as a critical cross-chain messaging layer, enabling communication between different blockchain networks. This infrastructure facilitates the transfer of verified instructions, making it essential for the functioning of various DeFi applications.

The exploit demonstrates a serious vulnerability within this system, as the attacker successfully tricked LayerZero into processing a fraudulent request, leading to the unauthorized release of substantial funds. Such incidents raise questions about the robustness of security protocols in the rapidly evolving DeFi landscape. The implications of this incident are profound. With a significant portion of the rsETH supply compromised, there are concerns about the stability of this token across various platforms.

Panic redemptions could create a ripple effect, pressuring the price of rsETH and potentially triggering a broader market sell-off, particularly for DeFi protocols that rely on the liquidity of rsETH. This incident marks the largest DeFi exploit of 2026, surpassing previous attacks and highlighting vulnerabilities within cross-chain protocols and the urgent need for more robust security measures in the DeFi space. The recovery of the stolen funds may be complicated by the transient nature of blockchain transactions, especially if the attacker utilizes privacy tools to obscure their trail. As the DeFi ecosystem grapples with this exploit, it underscores the critical need for enhanced security protocols and better risk management practices.

The Kelp incident is not an isolated case; it follows a series of high-profile attacks that have unsettled the DeFi landscape, including a $285 million exploit linked to North Korean actors earlier this month. The ongoing scrutiny on the security of cross-chain operations will likely increase as stakeholders demand accountability and protection against similar threats in the future. Kelp's emergency pauser multisig froze the protocol's core contracts just 46 minutes after the successful drain, at 18:21 UTC. However, this reaction time may have been too late to prevent further damage.

MORE FROM COINTIMES

Bitcoin Faces Pressure as Strait of Hormuz Reopening Turns Fragile

Bitcoin's recent surge is threatened as Iran re-closes the Strait of Hormuz, raising concerns over oil supply and market stability ahead of a critical ceasefire deadline.

Two follow-up attempts at 18:26 UTC and 18:28 UTC to drain another 40,000 rsETH, worth approximately $100 million, were also made but reverted. This highlights a critical aspect of the exploit: the speed at which the attacker acted and the subsequent delay in Kelp's response. The incident raises questions about the preparedness of DeFi protocols to handle such emergencies and the effectiveness of their governance structures. The repercussions of the exploit extend beyond Kelp DAO.

The rsETH held in the bridge was a reserve backing wrapped versions of the token deployed on over 20 other blockchains. The immediate concern for holders on these non-Ethereum deployments is whether their tokens still hold underlying value, which has created a feedback loop of panic and uncertainty. This situation puts pressure on the unaffected Ethereum supply, potentially forcing Kelp to unwind restaking positions to honor withdrawals. Major protocols reacted swiftly to contain the damage.

Aave froze rsETH markets on V3 and V4 within hours, confirming that the exploit was external and that their contracts were not compromised. This quick response was crucial to prevent further exposure. Similarly, SparkLend and Fluid also froze their rsETH markets, recognizing the potential for contagion. Lido Finance, which carries rsETH exposure, paused further deposits into its earnETH product, while clarifying that stETH and wstETH were unaffected, ensuring users that the core Lido staking protocol had no involvement in the incident.

Ethena, another protocol, temporarily paused its LayerZero OFT bridges from the Ethereum mainnet as a precautionary measure, emphasizing its overcollateralization status in the process. The stablecoin issuer announced that the pause would last roughly six hours while the root cause of the exploit was identified. This reflects the broader concern within the DeFi community regarding the stability and security of cross-chain protocols. Kelp DAO acknowledged the incident in its first public post at 20:10 UTC, nearly three hours after the drain had occurred.

They reported that an investigation was underway in collaboration with LayerZero, Unichain, their auditors, and outside security specialists. However, the lack of transparency regarding how the exploit bypassed the bridge's validation logic has raised eyebrows among users and stakeholders.