A catastrophic cross-chain exploit has just rocked DeFi: an attacker drained 116,500 rsETH — roughly $292 million — from Kelp DAO’s LayerZero-powered bridge, stripping the reserve that backs wrapped rsETH on more than 20 networks.
What happened
- At 17:35 UTC on Saturday, an attacker tricked LayerZero’s cross-chain messaging layer into accepting a spoofed packet. That fake instruction caused Kelp’s bridge to release 116,500 rsETH to an attacker-controlled address — about 18% of rsETH’s circulating supply (CoinGecko tracks ~630,000 rsETH).
- The drained reserve was the collateral used to back wrapped rsETH tokens issued across more than 20 Layer‑2s and other chains, including Base, Arbitrum, Linea, Blast, Mantle and Scroll.
- Kelp’s emergency pauser multisig froze core contracts 46 minutes later at 18:21 UTC. Two nearly immediate follow-up packets (at 18:26 and 18:28 UTC) attempted to extract another ~40,000 rsETH (~$100M) but reverted.
- Kelp — a product within KernelDAO — posted publicly at 20:10 UTC that it was investigating with LayerZero, Unichain, its auditors and outside security specialists. The team has not yet explained how the bridge validation was bypassed.
Why this matters
- rsETH is a liquid restaking receipt: Kelp takes user ETH, routes it through EigenLayer to earn extra yield on top of Ethereum staking, and issues rsETH as a tradable token. The bridge that was drained functioned as the reserve backing cross-chain wrapped versions of rsETH (LayerZero’s OFT-style cross-chain token movement).
- With the reserve gone, holders of wrapped rsETH on non‑Ethereum chains now face uncertainty about whether their tokens are redeemable for underlying ETH. That uncertainty can trigger panic redemptions on L2s, putting pressure on the remaining Ethereum-side supply and potentially forcing Kelp to unwind restaking positions to meet withdrawals.
- The exploit is now the largest DeFi loss of 2026, eclipsing the April 1 Solana Drift hack (~$285M) by a few million dollars.
Ecosystem fallout and responses
- Aave froze rsETH markets on both V3 and V4 within hours. Aave founder Stani Kulechov said the exploit was external and that Aave’s contracts themselves were not compromised. SparkLend and Fluid also froze their rsETH markets.
- AAVE token price slid about 10% as markets priced in potential bad debt exposure.
- Lido paused further deposits into earnETH (a product with rsETH exposure) while clarifying that stETH and wstETH are unaffected and Lido’s core staking protocol is not involved.
- Stablecoin issuer Athena temporarily paused its LayerZero OFT bridges from Ethereum mainnet as a precaution, stating it has no rsETH exposure and remains overcollateralized ( >101%). Athena said the pause would likely last around six hours while the root cause is investigated.
Where this could go next
- Recovery efforts hinge on whether Kelp can trace and retrieve funds before they are laundered (the report references a Tornado Cash trail risk) and whether the cross-chain float tries to redeem en masse for ETH on the mainnet.
- If large redemptions occur, Kelp may have to unwind restaking positions on EigenLayer, which could create further knock-on effects across protocols with rsETH exposure.
Context: a tense period for DeFi
This attack lands amid an unusually hostile stretch for decentralized finance: several protocols have been exploited in recent weeks (including CoW Swap, Zerion, Rhea Finance and Silo Finance), and the Drift hack in April established a high-water mark for losses this year — a mark Kelp’s drain has now surpassed.
The investigation is ongoing. Kelp and LayerZero are working with security teams and auditors; further technical details and any potential fund recoveries have not yet been disclosed. We’ll update as auditors and the teams involved release more information.
Read more AI-generated news on: undefined/news
