KelpDAO Suffers Major Exploit
A major security breach at KelpDAO has rocked the DeFi ecosystem, with attackers siphoning over $280 million from the protocol’s rsETH cross‑chain bridge in what is now the largest single DeFi exploit of 2026. The attack unfolded on April 19, 2026, when a vulnerability in KelpDAO’s LayerZero‑powered bridge allowed an attacker to mint roughly 116,500 rsETH tokens, or about 18% of the token’s circulating supply, worth roughly a quarter‑billion dollars at current prices.
How the exploit unfolded
KelpDAO is a liquid restaking protocol that lets users deposit ETH, route it through EigenLayer‑style protocols for extra yield, and receive rsETH (restaked ETH) as a tradable receipt. Part of that infrastructure relies on a cross‑chain bridge built on LayerZero, which manages messaging between Ethereum and about 20 other blockchains, including Arbitrum, Base, Linea, and Blast. According to on‑chain analysis and reports from security sleuths, the attacker managed to forge a cross‑chain message that tricked the bridge into believing a valid instruction had arrived from another network. This triggered the release of 116,500 rsETH to an attacker‑controlled address without any corresponding deposit of real collateral. Moments later, the malicious rsETH was deposited into major lending markets such as Aave V3 and V4, where the hacker borrowed large amounts of ETH and other assets against the fake tokens.
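The condition described above, tokens released with no matching deposit on the claimed source chain, is something a bridge monitor can check by reconciling destination-chain releases against source-chain sends. The sketch below is an added example, not KelpDAO or LayerZero code; the event fields, addresses, nonces, and supply figure are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class BridgeEvent:          # hypothetical, simplified event record
    src_chain: str          # chain the message claims to originate from
    nonce: int              # per-route message counter
    recipient: str
    amount: Decimal         # rsETH

def find_unbacked_releases(sends, releases):
    """Return (release, reason) for each release not backed by exactly one send."""
    backing = {(s.src_chain, s.nonce): s for s in sends}
    consumed = set()
    findings = []
    for r in releases:
        key = (r.src_chain, r.nonce)
        s = backing.get(key)
        if s is None:
            findings.append((r, "no source-chain send"))
        elif key in consumed:
            findings.append((r, "replayed message"))
        elif (s.recipient, s.amount) != (r.recipient, r.amount):
            findings.append((r, "payload mismatch"))
        else:
            consumed.add(key)   # a send may back only one release
    return findings

def unbacked_share(findings, circulating_supply):
    """Fraction of circulating supply released without backing."""
    total = sum((r.amount for r, _ in findings), Decimal(0))
    return total / circulating_supply

# Constructed sample data: two legitimate transfers, one replay, one forged release.
SENDS = [BridgeEvent("arbitrum", 41, "0xUserA", Decimal("12.5")),
         BridgeEvent("base", 7, "0xUserB", Decimal("3"))]
RELEASES = SENDS + [
    BridgeEvent("base", 7, "0xUserB", Decimal("3")),
    BridgeEvent("linea", 99, "0xUnknown", Decimal("116500")),
]
SUPPLY = Decimal("647000")  # constructed, so that 116,500 is about 18%

if __name__ == "__main__":
    found = find_unbacked_releases(SENDS, RELEASES)
    for r, why in found:
        print(f"ALERT {why}: {r.amount} rsETH to {r.recipient} ({r.src_chain}#{r.nonce})")
    print(f"unbacked share of supply: {unbacked_share(found, SUPPLY):.1%}")
```

A monitor like this only detects the mismatch after the fact; pairing it with an automatic pause or a per-message release cap is what limits the loss.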
Contagion across DeFi
The incident has triggered a cascade of countermeasures across the DeFi stack. Aave froze rsETH markets on Ethereum and Arbitrum within hours, while SparkLend, Fluid, and several other protocols either paused or hardened their rsETH‑related positions to limit exposure to potential bad debt. Aave's token slipped by roughly 10–13% as markets priced in the risk of losses. At least nine protocols have already suspended or restricted operations involving rsETH, and the total value withdrawn from DeFi platforms in the wake of the incident is estimated at over $5.4 billion as users scramble to pull funds amid heightened security fears. Platforms such as Lido Finance and Ethena have also taken precautionary steps, with Lido pausing new deposits into certain products that carry rsETH exposure and Ethena temporarily halting its LayerZero‑based OFT bridges as a risk‑mitigation move.
KelpDAO’s response
KelpDAO acknowledged the breach in a statement on X (Twitter), saying it had detected “suspicious cross‑chain activity involving rsETH” and had paused rsETH contracts while it collaborates with LayerZero, auditors, and external security experts to investigate the root cause. The protocol has not yet disclosed a detailed post‑mortem, but early analyses suggest the flaw lies in the messaging and verification layer of the bridge, rather than in the core restaking validator set or Ethereum consensus itself. The hack underscores the risks of cross‑chain interoperability and the concentration of risk in a handful of widely‑used messaging infrastructures such as LayerZero. It also highlights how a single vulnerability in a restaking protocol can ripple through lending markets, stablecoins, and multi‑chain liquidity layers, turning a mid‑sized protocol exploit into a system‑wide stress test.
What it means for the market
For users, the incident is a stark reminder to evaluate bridge‑ and restaking‑related risks before locking capital into yield‑focused products. The KelpDAO exploit alone exceeds 60% of the total losses recorded in the first quarter of 2026, underscoring how a single event can dramatically reshape the year’s security narrative. As investigations continue and affected protocols work through recovery plans, the broader DeFi community is likely to see tighter collateral requirements, more conservative oracle integrations, and renewed scrutiny of cross‑chain designs.




