Kelp DAO Hack Drains $293 Million, Attackers Use Stolen rsETH Collateral on Aave V3

A cross-chain bridge exploit at Kelp DAO on April 18 drained about 116,500 rsETH, worth nearly $293 million, and triggered emergency responses across decentralized finance platforms.

Analytics Insight said Kelp DAO detected “suspicious cross-chain activity involving rsETH” after an attacker exploited infrastructure tied to its LayerZero-powered bridge, and that the stolen amount reached about 116,500 rsETH with estimates placing the loss near $293 million.

@coindesk

CoinDesk reported that attackers used drained rsETH as collateral on Aave V3, stating that “attackers used $292 million in stolen rsETH from Kelp’s bridge as collateral on Aave V3.”

The Business Times described the attacker siphoning about 116,500 rsETH by targeting a bridge built using LayerZero, and said the total losses were estimated at roughly US$293 million, “making it the largest DeFi exploit of 2026.”

Multiple outlets tied the incident to Kelp DAO’s rsETH token, which the Business Times said is issued by Kelp DAO and represents “restaked” Ether, while Mint (Bloomberg) described rsETH as a token that represents “restaked” Ether as well.

Kelp DAO said in a post on X, “We identified suspicious cross-chain activity involving rsETH,” and Mint (Bloomberg) added that “We have paused rsETH contracts across mainnet and several L2s while we investigate.”

The exploit also became a focal point for how quickly risk can spread when the same asset is reused across DeFi, with Analytics Insight saying rsETH circulates across more than 20 blockchain networks and that the breach spreads risk beyond one protocol within hours.

The Kelp DAO exploit did not remain confined to a single protocol because rsETH was integrated into lending, trading, and liquidity systems across multiple networks.

Analytics Insight said rsETH circulates across more than 20 blockchain networks, and that “Because rsETH circulates across more than 20 blockchain networks, the breach spreads risk beyond one protocol within hours.”

@coindesk

CoinDesk explained the mechanics in more detail, saying attackers “dumped the stolen tokens on Aave V3 as collateral and borrowed wrapped ether against them,” and that the exploit “did not compromise Aave’s own contracts.”

CoinDesk also reported that Aave’s total value locked plunged by about $6.6 billion and that the AAVE token fell 16% after the exploit, while it described the Aave-specific bad debt as “roughly $196 million in Aave-specific bad debt concentrated in the dominant rsETH–wrapped ether pair on Ethereum.”

The Business Times described the broader DeFi stacking effect, saying “DeFi protocols are often stacked on top of each other” and that assets like rsETH are reused “as collateral for loans or as liquidity in trading pools.”

Mint (Bloomberg) similarly framed the incident as a ripple effect, stating that the hack “setting off a ripple effect across multiple crypto platforms,” and it quoted Cyvers saying, “This was not just a protocol exploit, it immediately became a cross-protocol contagion event.”

In response to the contagion risk, Aave froze rsETH-related activity, with Analytics Insight saying “Aave froze rsETH-related markets after the exploit to stop new deposits and new borrowing against rsETH collateral.”

As the exploit triggered market freezes, multiple named figures and organizations described both the immediate cause and the systemic implications.

CoinDesk quoted Aave’s founder Stani Kulechov, saying “the exploit was external and the protocol's contracts were not compromised,” while CoinDesk also described how Aave accepted a liquid restaking token as collateral and then faced a backing collapse when the bridge was exploited.

Analytics Insight quoted Cyvers describing the event as “not just a protocol exploit” and said it became “a cross-protocol contagion event,” while the firm added that “at least nine other platforms faced direct or indirect exposure because rsETH had already been integrated into lending, trading, and liquidity systems.”

The Business Times quoted Cyvers chief executive Deddy Lavid saying, “This is exactly the kind of incident that highlights the risks” of interconnected systems in DeFi, and it also quoted Lavid on the speed of cascading failures: “The challenge is no longer just preventing exploits at the contract level, but understanding how fast they can cascade across integrated protocols.”

Cointelegraph via Bitget included a warning from Michael Egorov, founder of Curve Finance, who said in an email, “Cross-chain is hard and potentially risky. Only use cross-chain infrastructure when absolutely necessary, and do it really carefully,” and he also advised DeFi teams to vet tokens for “single points of failure or attack surfaces.”

In the same Cointelegraph report, Cyvers told Cointelegraph, “This was not just a protocol exploit. It immediately became a cross-protocol contagion event,” and it said “At least nine DeFi protocols and platforms, including Aave, Fluid, Compound Finance, SparkLend and Euler, were affected.”

Analytics Insight also included a specific time-based warning from Cyvers Chief Technology Officer Meir Dolev, saying the protocol was “just three minutes away from losing an additional US$100 million” before blacklist measures blocked another attempt.

While most accounts agreed that the exploit involved Kelp DAO’s LayerZero-powered bridge and the release of 116,500 rsETH, the crypto community debate in CoinDesk’s reporting focused on whether the root problem was a LayerZero bug or a configuration and design flaw.

CoinDesk’s “DeFi is dead” piece quoted developers and traders arguing that the incident exposed structural risks in how cross-chain verification is implemented, and it included a technical pushback: “The KelpDAO exploit (~$290M, is NOT a LayerZero protocol bug. It's a configuration issue and a case study every project with a cross-chain token needs to look at today,” from a technical breakdown by cryptogoblin.

Analytics Insight

That same CoinDesk article described a verification-layer framing, quoting a post that said, “One signature and 116,500 rsETH materialized out of thin air on Ethereum,” and it added, “the [smart] contracts weren't broken. The verification layer was,” according to the post.

Another critique in CoinDesk’s reporting, attributed to Fishy Catfish on X, argued that the problem was broader design risk, saying, “there is no security floor… A configuration can be a 1/1 DVN and the DVN you chose can be a single node ran by a single entity.”

CoinDesk’s article also explained what a DVN is in LayerZero V2, describing it as a “Decentralized Verifier Network” responsible for validating and attesting to the authenticity of messages sent across different blockchain networks.

Bitget’s Cointelegraph report, by contrast, emphasized non-isolated lending and integration risk, quoting Michael Egorov that “Non-isolated lending on DeFi platforms, including earlier versions of the Aave lending protocol, exposes users to risks from all the various tokens used as collateral on the platforms.”

Bitget also repeated Egorov’s warning that “Cross-chain bridging architecture” was the root cause of the weekend’s exploit, describing it as “the root cause of this weekend’s Kelp exploit.”

The stakes for DeFi were immediate and measurable in the sources, with Aave’s locked value dropping and its token falling after the Kelp exploit.

CoinDesk reported that “Aave’s total value locked plunged by about $6.6 billion” and that “The AAVE token fell 16%,” while it said daily fees spiked to $1.99 million as liquidations ripped through the weekend.

Bitcoin News

CoinDesk also stated that Aave’s Umbrella reserve “may not fully cover the deficit,” raising the prospect that “stkAAVE holders could absorb losses,” and it described “systemic risks from liquid restaking tokens across DeFi.”

Analytics Insight said Aave froze rsETH-related markets to contain further damage while teams reviewed exposure, and it added that “Existing positions remained open, but concern grew over possible bad debt tied to rsETH-backed borrowing.”

The Business Times reported that Aave froze markets related to rsETH and that its token was down 20 per cent during Asian trading hours on Sunday, “according to Coingecko,” while Mint (Bloomberg) said Aave’s token was down 20% during Asian trading hours on Sunday as well.

Beyond Aave, Analytics Insight said SparkLend, Fluid, and Upshift froze rsETH markets while Kelp DAO activated an emergency pause, and MEXC’s reposted report said at least nine major platforms were forced to freeze markets or scramble damage control measures.

Looking forward, Analytics Insight said Kelp DAO “now faces an investigation into how the exploit occurred and how affected users may be addressed,” and it said Aave and other platforms continue to review exposure linked to rsETH positions.