Major Crypto Bridge Hack: Inside the $292 Million Kelp DAO Exploit
The Attack That Shook DeFi’s Foundation
In a devastating blow to decentralized finance, Kelp DAO suffered a catastrophic security breach on Saturday that saw attackers drain approximately $292 million worth of cryptocurrency in a matter of minutes. The exploit targeted a cross-chain bridge holding 116,500 rsETH tokens—a restaked version of Ethereum—representing nearly one-fifth of the token’s entire circulating supply. What makes this attack particularly alarming isn’t just its size, but how it exposed vulnerabilities in the infrastructure that connects different blockchain networks, sending shockwaves through the entire DeFi ecosystem. The breach occurred at 17:35 UTC and caught Kelp DAO’s security team off guard, though they managed to freeze the protocol’s core contracts within 46 minutes of the initial drain. However, the damage was already done, and the ripple effects continue to spread across more than 20 different blockchain networks where rsETH tokens are deployed.
Understanding the Technology Behind the Breach
To grasp the severity of this attack, it’s essential to understand the technology involved. Kelp DAO operates as a liquid restaking protocol—essentially a system that allows users to deposit their Ethereum holdings, route them through EigenLayer to earn additional rewards beyond standard staking returns, and receive rsETH tokens as tradeable receipts representing their stake. This innovative approach has made Kelp DAO popular among investors seeking to maximize returns on their cryptocurrency holdings. The bridge that was compromised used LayerZero, a cross-chain messaging layer that serves as the backbone for communication between different blockchains. Think of LayerZero as a translator and postal service combined—it allows blockchains that speak different languages to send verified instructions to each other safely. The attacker exploited this system by tricking LayerZero’s messaging layer into believing it had received a legitimate instruction from another network, which then triggered Kelp’s bridge to automatically release the massive amount of rsETH to an address controlled by the hackers.
The Immediate Response and Failed Follow-Up Attempts
Kelp DAO’s emergency response team acted relatively quickly once the breach was detected. The protocol’s emergency pauser multisig—a security mechanism requiring multiple authorized parties to approve critical actions—successfully froze the core contracts at 18:21 UTC, roughly 46 minutes after the initial drain. This swift action likely prevented even greater losses, as evidenced by what happened next. At 18:26 UTC and again at 18:28 UTC, the attackers attempted to execute two additional drains, each targeting another 40,000 rsETH worth approximately $100 million. Both attempts carried the same LayerZero packet signature as the original attack, and both failed and reverted. These failed attempts suggest the attackers had planned a multi-stage heist but were thwarted by Kelp’s emergency shutdown. However, the initial damage was substantial enough to create a crisis of confidence across the entire liquid restaking sector. Kelp DAO didn’t publicly acknowledge the incident until 20:10 UTC—nearly three hours after the drain—when it finally posted on the social media platform X that it was investigating the breach with LayerZero, Unichain, its auditors, and external security specialists.
The Contagion Spreads Across DeFi Platforms
The aftermath of the Kelp DAO exploit has been nothing short of chaotic, with major DeFi platforms scrambling to protect themselves from potential fallout. The fundamental problem is that rsETH tokens are deployed across more than 20 different blockchain networks, including popular platforms like Base, Arbitrum, Linea, Blast, Mantle, and Scroll. The drained bridge held the reserve backing all these wrapped versions on Layer 2 blockchains—networks that operate on top of Ethereum to provide faster and cheaper transactions. With that reserve suddenly gone, holders of rsETH on these non-Ethereum networks now face a terrifying question: are their tokens actually backed by anything of value? This uncertainty triggered an immediate defensive response across the DeFi landscape. Aave, one of the largest decentralized lending platforms, froze its rsETH markets on both V3 and V4 versions within hours, with founder Stani Kulechov reassuring users that the exploit was external and Aave’s own contracts remained secure. Despite this reassurance, AAVE token prices fell approximately 10% as markets priced in the potential for bad debt. SparkLend and Fluid quickly followed suit, freezing their own rsETH markets. Lido Finance, another major player in the staking ecosystem, paused further deposits into its earnETH product due to rsETH exposure, though they emphasized that their core stETH and wstETH tokens were completely unaffected. Even Ethena, which has no direct rsETH exposure, temporarily paused its LayerZero OFT bridges from Ethereum mainnet for approximately six hours as a precautionary measure, demonstrating how fear can spread even to protocols with no direct connection to the exploit.
The Bigger Picture: A Growing Crisis in DeFi Security
This massive exploit arrives during what many are calling an unusually hostile period for decentralized finance, raising serious questions about the security of blockchain infrastructure. The Kelp DAO hack now stands as the largest DeFi exploit of 2026, narrowly overtaking the approximately $285 million stolen from Solana-based perpetuals protocol Drift on April 1. That earlier attack was later linked to North Korea-affiliated hackers, highlighting how sophisticated and well-resourced threat actors have become in targeting cryptocurrency platforms. Between these two major incidents, at least a dozen smaller protocols have fallen victim to exploits, including notable names like CoW Swap, Zerion, Rhea Finance, and Silo Finance. The frequency and sophistication of these attacks suggest that as DeFi platforms grow more complex—layering cross-chain bridges, liquid staking, restaking, and yield optimization—they’re creating more potential vulnerabilities for attackers to exploit. The fundamental challenge is that while blockchain technology itself may be secure, the bridges and messaging layers connecting different blockchains introduce points of failure that hackers are increasingly skilled at exploiting.
What Happens Next: The Race Against Time
The future of rsETH and Kelp DAO now depends on several critical factors playing out over the coming days and weeks. First, whether rsETH can maintain its peg to Ethereum’s value through the weekend hinges on how many holders on Layer 2 networks panic and try to redeem their tokens for actual ETH on the Ethereum mainnet. This creates a dangerous feedback loop: as more people try to exit their positions, pressure builds on Kelp’s remaining reserves, potentially forcing the protocol to liquidate restaking positions to honor withdrawals, which could further destabilize the token’s value. Second, there’s the question of fund recovery. Kelp DAO and its partners are racing against time to trace the stolen funds before they disappear through cryptocurrency mixing services like Tornado Cash, which make transactions virtually untraceable. The protocol has been notably silent on the technical details of how the exploit bypassed their bridge’s validation logic, leaving the community to speculate about whether this was a fundamental flaw in LayerZero’s design, a mistake in Kelp’s implementation, or some combination of vulnerabilities. For the broader DeFi community, this incident serves as another painful reminder that the pursuit of higher yields through increasingly complex financial engineering comes with substantial risks. While decentralized finance promises to democratize access to sophisticated financial products, events like the Kelp DAO exploit demonstrate that the technology is still maturing and may not be ready for the trillions of dollars in value many enthusiasts envision flowing into the sector. Users must carefully weigh the potential rewards against the very real possibility of losing everything to a clever exploit, and protocols must invest heavily in security audits, bug bounties, and defensive measures—even if those precautions cut into profit margins and slow down innovation.