Kelp Protocol Loses $293M in Cross-Chain Bridge Exploit

Kelp Suffers $293M Exploit Through rsETH Cross-Chain Bridge

On April 17, liquid restaking protocol Kelp was hit by a major exploit that drained approximately $293 million from its rsETH cross-chain bridge built on LayerZero infrastructure. The attack ranks among the largest DeFi security breaches of 2026.

Blockchain security firm Cyvers flagged the incident in real time:

«🚨 $293M EXPLOIT DETECTED: Cyvers AI systems have identified a massive attack on @KelpDAO. Our platform flagged the breach in real-time, tracking ~$293.7M drained from the protocol's RSETH Adapter. Currently, ~$250M has already been swapped to $ETH and is held across two…» — 🚨 Cyvers Alerts 🚨 (@CyversAlerts), original post

Why This Matters

The Kelp exploit deals another blow to the liquid restaking sector and cross-chain infrastructure broadly. The stolen 116,500 rsETH represent roughly 18% of the token's total circulating supply, posing systemic risk to the entire rsETH ecosystem. The incident also dragged down Aave's token price by nearly 20% due to fears around potential bad debt on the lending platform.

How the Attack Unfolded

According to CyversAlerts, the attacker exploited a vulnerability in the rsETH cross-chain bridge powered by LayerZero. At 17:35 UTC, the hacker called the lzReceive function on the EndpointV2 contract, initiating a transfer of 116,500 rsETH to a personal wallet. The attacking address had been funded through crypto mixer Tornado Cash.

Cyvers reported that approximately $250 million of the stolen funds had already been swapped to ETH.

Kelp and Aave Respond

The Kelp team detected suspicious activity and responded approximately 46 minutes after the exploit began. An emergency pause mechanism in the rsETH token configuration contract was triggered, causing a cascading halt across other protocol components.

«Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate. We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.» — Kelp (@KelpDAO), original post

The project confirmed that rsETH contracts were paused on mainnet and multiple L2 networks. The investigation is being conducted jointly with LayerZero, Unichain, auditors, and cybersecurity specialists.

DeFi lending giant Aave also moved quickly to freeze rsETH markets on its V3 and V4 platforms. The AAVE token dropped nearly 20% within 24 hours amid reports of potential bad debt exposure.

Follow-Up Withdrawal Attempts Blocked

After the emergency pause was activated, the attacker made two additional attempts to drain funds — each time trying to transfer 40,000 rsETH (approximately $100 million). Both transactions were successfully blocked.

This marks the second security incident for Kelp. In April 2025, the protocol suspended deposits and withdrawals after a fee agreement bug led to excessive minting of rsETH.

According to CoinGecko, rsETH's price was not significantly impacted despite the stolen tokens representing about 18% of total circulating supply.

The Kelp breach comes less than three weeks after DeFi platform Drift Protocol on Solana was hacked on April 1, with attackers draining at least $280 million.