Attacker Drains 116,500 rsETH From Kelp DAO’s LayerZero Bridge in $292 Million Exploit

An attacker drained 116,500 rsETH from Kelp DAO’s LayerZero-powered bridge on Saturday, triggering emergency freezes across multiple DeFi protocols.

“2026's biggest crypto exploit: $292 million gets drained from Kelp DAO with wrapped ether stranded across 20 chains An attacker drained 116,500 rsETH, roughly 18% of circulating supply, from Kelp's LayerZero-powered bridge on Saturday, triggering emergency freezes across Aave, SparkLend, Fluid and Upshift”

@coindesk

CoinDesk described the loss as “2026's biggest crypto exploit” and said the stolen 116,500 rsETH was “roughly 18% of circulating supply” and “worth roughly $292 million at current prices.”

@coindesk

The same CoinDesk account said the drain occurred at “17:35 UTC on Saturday,” when the attacker “tricked LayerZero's cross-chain messaging layer into believing a valid instruction had arrived from another network.”

CoinDesk added that Kelp’s emergency pauser multisig froze the protocol’s core contracts “46 minutes after the successful drain, at 18:21 UTC.”

It also reported two follow-up attempts at “18:26 UTC and 18:28 UTC” that “both reverted,” each carrying the same LayerZero packet attempting “another 40,000 rsETH drain worth roughly $100 million.”

The Block similarly said an attacker “seemingly drained 116,500 rsETH from Kelp DAO’s LayerZero-powered cross-chain bridge on Saturday, worth approximately $292 million,” and described the emergency response as freezing “roughly 46 minutes after the successful drain.”

FinanceFeeds echoed the core timing and mechanics, saying the exploit was executed through a call to LayerZero’s “EndpointV2 contract,” which triggered Kelp’s bridge to release funds to an “attacker-controlled address.”

Multiple reports tied the incident to LayerZero cross-chain messaging and to the way rsETH is represented across networks.

CoinDesk said Kelp DAO is “a liquid restaking protocol” that “issues rsETH as a tradeable receipt,” and it described the drained bridge as holding “the rsETH reserve backing wrapped versions of the token deployed on more than 20 other blockchains.”

Bitcoin News

It said the attacker “tricked LayerZero's cross-chain messaging layer into believing a valid instruction had arrived from another network,” which “triggered Kelp's bridge to release 116,500 rsETH to an attacker-controlled address.”

FinanceFeeds added that the exploit was carried out “through a call to LayerZero’s EndpointV2 contract,” and it described the attacker wallet as being “funded roughly 10 hours earlier via Tornado Cash.”

Live Bitcoin News similarly said the drain occurred “at 17:35 UTC through a call to the “lzReceive” function on LayerZero’s EndpointV2 contract,” and it said that call “triggered Kelp’s bridge system to release funds directly to an attacker-controlled address.”

The Block described the same bridge target as Kelp’s “LayerZero OFT (Omnichain Fungible Token) bridge,” saying it “enables rsETH to move between networks.”

DL News framed the drained asset as coming from Kelp DAO’s “rsETH adapter,” describing it as “a tool allowing users to deposit liquid staking tokens and get rsETH in return,” and it said the “rsETH adapter” was drained of “$293.7 million in rsETH.”

Kelp responded quickly by pausing its rsETH contracts and freezing core components, while Aave moved to contain exposure in its lending markets.

“2026's biggest crypto exploit: $292 million gets drained from Kelp DAO with wrapped ether stranded across 20 chains An attacker drained 116,500 rsETH, roughly 18% of circulating supply, from Kelp's LayerZero-powered bridge on Saturday, triggering emergency freezes across Aave, SparkLend, Fluid and Upshift”

CoinDesk

CoinDesk said Kelp acknowledged the incident in its first public X post at “20:10 UTC,” nearly three hours after the drain, and it reported that the protocol said it was investigating with “LayerZero, Unichain, its auditors and outside security specialists.”

CoinDesk also said Kelp “has not disclosed how the exploit bypassed the bridge's validation logic,” and it described the emergency response as freezing “core contracts.”

Live Bitcoin News quoted Kelp’s statement: “Earlier today we identified suspicious cross-chain activity involving rsETH,” and it added that Kelp “paused rsETH contracts across mainnet and several L2s while we investigate.”

Live Bitcoin News further said the pause executed a “pauseAll” function across key contracts, including “the LRT Deposit Pool, withdrawal module, oracle, and the rsETH token itself.”

Aave’s response was described as freezing rsETH markets on both V3 and V4, with the protocol stating, “Aave's contracts have not been exploited and this is an exploit related to rsETH.”

DL News added that Stani Kulechov wrote on X that “the asset does not have any borrowing power” and that “Aave v3 and v4 have no exposure to rsETH,” while still freezing markets to help Kelp investigate.

Blockchain investigator ZachXBT helped drive attention to the theft by posting an alert and naming attacker wallets, while market prices moved on fears of bad debt.

Bitcoin News said ZachXBT posted the initial alert to his public Telegram channel “shortly before 3 p.m. ET,” listing “six wallet addresses tied to the theft” and noting that “the attacker wallets were funded through Tornado Cash before the drain began.”

Crypto Briefing

It quoted ZachXBT’s wording: “KelpDAO appears to have had $280M+ stolen one hour ago on Ethereum and Arbitrum,” and it added that “the attack addresses were funded via Tornado Cash.”

Bitcoin News also said the exploit created bad debt on “Aave V3,” and it reported that “AAVE token dropping roughly 10-13%.”

CoinDesk reported a similar market reaction, saying “AAVE fell about 10% as the market priced potential bad debt,” and it described Aave founder Stani Kulechov affirming the exploit was external and “Aave's contracts were not compromised.”

Crypto Briefing connected the incident to prediction markets, stating that “over $100 million at risk” and that on Polymarket “Ethereum’s odds of reaching $4,000 in April face a potential 15% decrease.”

DL News also reported that Aave’s native AAVE token was “down 10% over the past 24 hours,” and it said other DeFi tokens like “stETH and wstETH also dropped by nearly 4%.”

The Kelp DAO exploit was presented as part of a wider wave of DeFi attacks, and multiple outlets described how the incident could ripple through other protocols and token pegs.

“- Security experts have flagged an apparent nearly $300 million exploit of Kelp DAO”

DL News

CoinDesk said the hack “comes amid a broader surge in DeFi attacks” and noted that “Solana-based perpetuals protocol Drift was drained of about $285 million on April 1,” adding that “at least a dozen smaller protocols have been exploited in the weeks since,” including “CoW Swap, Zerion, Rhea Finance and Silo Finance.”

DL News

CoinDesk also said the loss “has put rsETH's peg and Kelp DAO's ability to meet redemptions under intense pressure,” and it described a “feedback loop where panic redemptions on L2s pressure the unaffected Ethereum supply.”

It further said the “contagion list is long and still growing,” with “Aave froze rsETH markets on V3 and V4 within hours,” and it added that “Lido Finance paused further deposits into its earnETH product.”

CoinDesk reported that Ethena “temporarily paused its LayerZero OFT bridges from Ethereum mainnet as a precaution,” saying it “has no rsETH exposure and remains more than 101% overcollateralized,” and it said the pause would last “roughly six hours.”

Crypto Briefing described stakes in terms of prediction markets and Ethereum price expectations, saying “Ethereum’s odds of reaching $4,000 in April face a potential 15% decrease” and that the April 30 resolution date was “12 days away.”

FinanceFeeds described Kelp’s first public statement as “Earlier today we identified suspicious cross-chain activity involving rsETH,” and it said Kelp paused “deposits, withdrawals, oracle functions, and the rsETH token itself.”