Kelp DAO Exploit: $292M rsETH Theft in Suspected LayerZero Attack Sparks DeFi Security Crisis
A massive security breach has crippled Kelp DAO, draining approximately $292 million worth of its rsETH token. The exploit, which unfolded in the early hours of Saturday, April 18, 2026, targeted the protocol’s cross-chain bridge in what investigators suspect was an attack on the LayerZero interoperability protocol. The fallout was immediate and severe. Kelp DAO halted all operations. The Aave lending market froze rsETH deposits to prevent bad debt. This event ranks among the largest DeFi hacks of the year, exposing persistent vulnerabilities in the infrastructure connecting different blockchains.
The $292M Kelp DAO rsETH Exploit Timeline

On-chain analytics firm Arkham Intelligence first flagged the anomalous transactions. According to their data, the attacker began draining rsETH from the Kelp DAO bridge on the Ethereum network just after 2:00 AM UTC on April 18. The stolen tokens were quickly swapped for other cryptocurrencies across multiple decentralized exchanges. The attacker’s wallet address shows a series of complex moves designed to obscure the trail.
Blockchain security company CertiK confirmed the scale of the loss. “Our analysis points to a potential vulnerability in the message verification logic between chains,” a CertiK analyst stated. This suggests the hacker may have forged a message that falsely claimed rsETH was locked on one chain, allowing them to mint new, illegitimate tokens on another. The protocol’s total value locked (TVL) plummeted from over $300 million to near zero within hours.
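The mechanism described above (a destination-chain mint backed by no real source-chain lock) is what a lock/mint reconciliation monitor is meant to catch. The following is an added example, not code from Kelp DAO, LayerZero or the original article. The event fields, message IDs and amounts are constructed assumptions, and it illustrates the general invariant rather than the still-unconfirmed root cause of this incident.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeEvent:
    chain: str    # chain the event was observed on (hypothetical labels)
    kind: str     # "lock" on the source chain, "mint" on the destination
    msg_id: str   # cross-chain message identifier carried by both events
    amount: int   # token amount in its smallest unit


def reconcile(events):
    """Return (msg_id, reason) for every mint not backed by a matching lock."""
    # Index locks first so event ordering across chains does not matter.
    locks = {e.msg_id: e.amount for e in events if e.kind == "lock"}
    minted = defaultdict(int)
    findings = []
    for e in events:
        if e.kind != "mint":
            continue
        minted[e.msg_id] += e.amount
        if e.msg_id not in locks:
            findings.append((e.msg_id, "mint without lock"))
        elif minted[e.msg_id] > locks[e.msg_id]:
            # Covers both inflated amounts and replay of a valid message.
            findings.append((e.msg_id, "mint exceeds locked amount"))
    return findings


def supply_gap(events):
    """Minted minus locked; any positive value means unbacked tokens exist."""
    locked = sum(e.amount for e in events if e.kind == "lock")
    minted = sum(e.amount for e in events if e.kind == "mint")
    return minted - locked


# Constructed sample data, not taken from the incident.
SAMPLE = [
    BridgeEvent("src", "lock", "m1", 100),
    BridgeEvent("dst", "mint", "m1", 100),   # properly backed
    BridgeEvent("src", "lock", "m2", 50),
    BridgeEvent("dst", "mint", "m2", 50),
    BridgeEvent("dst", "mint", "m2", 50),    # same message minted twice
    BridgeEvent("dst", "mint", "m3", 292),   # no lock was ever recorded
]

if __name__ == "__main__":
    for msg_id, reason in reconcile(SAMPLE):
        print(f"ALERT {msg_id}: {reason}")
    print("unbacked supply:", supply_gap(SAMPLE))
```

In production such a check would read finalized events from independent nodes on each chain, so that a compromise of the message path itself cannot also hide the discrepancy.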
LayerZero’s Role in the Cross-Chain Attack
The focus of the investigation is LayerZero, a dominant protocol for enabling communication between blockchains. Many cross-chain bridges, including Kelp DAO’s, rely on LayerZero’s infrastructure to verify and relay messages. If a flaw exists in this verification process, it could compromise every application built on top of it.
LayerZero Labs issued a statement on April 18. “We are aware of the incident and are actively investigating alongside the Kelp DAO team,” the company wrote. They emphasized that their core protocol contracts had not been upgraded or changed recently. However, industry watchers note that the complexity of cross-chain messaging creates a large attack surface. A single bug can have catastrophic consequences.
This is not the first cross-chain bridge disaster. The Ronin Bridge hack in 2022 resulted in a $625 million loss. The Wormhole bridge was drained of $326 million the same year. These repeated failures highlight a systemic problem. Building secure bridges between inherently separate systems remains one of DeFi’s toughest challenges.
Immediate Fallout: Aave Freeze and Protocol Shutdown
The repercussions extended far beyond Kelp DAO. The Aave decentralized lending protocol took emergency action. Because rsETH was listed as collateral, the exploit threatened to create millions in bad debt for Aave lenders. The Aave community’s risk stewards used emergency powers to freeze the rsETH market, disabling new deposits and borrows.
Data from Aave’s interface showed the freeze was enacted by midday on April 18. This swift action likely prevented immediate insolvency within the lending pool. But it also trapped users’ funds. Individuals who had supplied rsETH to Aave cannot currently withdraw their assets. This creates a secondary liquidity crisis for those users.
Kelp DAO’s own response was a full shutdown. The team announced it had paused all minting and redeeming of rsETH. “We are working with security partners and law enforcement to trace the funds and understand the root cause,” the DAO posted on social media. The protocol’s website now displays only a security notice. The implication is clear: trust in the rsETH token is shattered.
Analyzing the Broader DeFi Security Environment
The Kelp DAO exploit underscores a troubling trend. According to a 2025 report from Immunefi, a bug bounty platform, cross-chain bridges accounted for over 40% of all crypto thefts that year, totaling more than $1.3 billion. Bridges are attractive targets because they often hold vast liquidity in a single, complex smart contract.
Common Bridge Attack Vectors:
- Signature Verification Flaws: Forging approvals to mint tokens.
- Oracle Manipulation: Feeding incorrect price or state data.
- Governance Attacks: Taking over protocol decision-making.
- Logic Bugs: Errors in the code governing asset locking and minting.
What this means for investors is increased scrutiny on cross-chain asset risks. “The promise of easy interoperability comes with hidden costs,” noted a researcher from the Blockchain Security Alliance. “Users must assess not just the destination protocol’s security, but also the security of every bridge and middleware used to get assets there.” This layering of risk is often underestimated.
What Happens Next for Kelp DAO and rsETH Holders?
The path forward is fraught. The primary goal is tracking the stolen funds. Blockchain analysis firms like Chainalysis and TRM Labs are often engaged in these efforts. If the attacker uses a centralized exchange to cash out, funds could potentially be frozen. However, sophisticated hackers typically employ mixers and cross-chain hops to launder crypto, making recovery difficult.
For rsETH holders, the situation is bleak. The token’s value is effectively zero on secondary markets. Any recovery plan would likely involve the Kelp DAO treasury or a negotiated bounty with the hacker—a controversial practice known as a “white-hat” negotiation. The DAO may also consider a fork or redemption plan for unaffected assets. But the process will be long and uncertain.
The Aave freeze presents another complication. The Aave governance community must now decide how to handle the frozen rsETH collateral. One option is a gradual unwinding or a token swap to make lenders whole. This decision will set a precedent for how major DeFi protocols handle collapses of integrated assets.
Conclusion
The $292 million Kelp DAO exploit is a stark reminder of the fragility in decentralized finance. The suspected LayerZero attack highlights how a vulnerability in a key piece of cross-chain infrastructure can ripple through the entire ecosystem, forcing shutdowns and market freezes. While the investigation continues, the damage to user funds and confidence is severe. This event will likely accelerate calls for more rigorous security audits, insurance products, and potentially a regulatory focus on cross-chain bridges. The Kelp DAO rsETH bridge hack is more than a single protocol failure; it is a stress test for the interconnected future of blockchain.
FAQs
Q1: What is rsETH and what does Kelp DAO do?
rsETH is a liquid restaking token (LRT) issued by Kelp DAO. It represented a user’s staked Ethereum (ETH) that was also deposited into other protocols to earn additional rewards. Kelp DAO managed the process of restaking these assets.
Q2: How did the hacker steal $292 million?
While the full technical analysis is ongoing, security firms suspect the attacker exploited a flaw in the cross-chain message verification system, likely related to LayerZero. This may have allowed them to mint fraudulent rsETH tokens without actually depositing the required collateral.
Q3: Why did Aave freeze the rsETH market?
Aave froze the market to protect its lenders. Since the stolen rsETH is now worthless, any loans taken out using it as collateral cannot be repaid. Freezing the market prevents new bad debt from being created and gives Aave time to decide how to handle the insolvent collateral.
Q4: Are other LayerZero-based bridges at risk?
The investigation is focused on the specific implementation within the Kelp DAO bridge. LayerZero states its core contracts are unchanged. However, the incident has prompted security reviews across the ecosystem. Other projects using similar cross-chain designs are urging caution until the root cause is confirmed.
Q5: Can the stolen funds be recovered?
Recovery is challenging but not impossible. It depends on the hacker’s ability to launder the funds. Blockchain analysts can trace the movement of assets. If the hacker attempts to cash out through a regulated exchange, authorities may intervene. Often, protocols negotiate a bounty for the return of most of the funds.
This article was produced with AI assistance and reviewed by our editorial team for accuracy and quality.
