The most significant cryptocurrency breach of 2026: Kelp DAO loses $292 million in wrapped ether scattered across 20 blockchains
A malicious actor siphoned 116,500 rsETH, approximately 18% of the circulating supply, from Kelp’s LayerZero-enabled bridge on Saturday, prompting emergency freezes on Aave, SparkLend, Fluid, and Upshift.
Key details:
— A hacker leveraged a vulnerability in Kelp DAO’s LayerZero bridge to extract 116,500 rsETH—valued at roughly $292 million and representing about 18 percent of the token’s circulating supply—forcing an immediate halt of core contracts.
— Since the bridge maintained reserves supporting rsETH on over 20 networks, the incident has cast doubt on the collateralization of rsETH on layer 2s and triggered market freezes across protocols like Aave, SparkLend, and Fluid.
— This breach, now the largest DeFi hack of 2026, occurs during a broader surge in DeFi attacks, placing severe strain on rsETH’s peg and Kelp DAO’s capacity to fulfill redemptions.
A cross-chain bridge holding nearly a fifth of a restaked ether token’s circulating supply was just drained, and the fallout is spreading through DeFi faster than Kelp DAO can pause contracts.
A malicious actor extracted 116,500 rsETH (restaked ether) from Kelp DAO’s LayerZero-powered bridge at 17:35 UTC on Saturday, worth approximately $292 million at current prices and representing about 18% of rsETH’s 630,000 token circulating supply tracked by CoinGecko.
LayerZero is a cross-chain messaging layer, or the infrastructure that lets different blockchains send verified instructions to each other. Kelp DAO is a liquid restaking protocol, which takes user-deposited ETH, routes it through EigenLayer to earn additional yield on top of standard Ethereum staking rewards, and issues rsETH as a tradeable receipt.
The bridge that was drained held the rsETH reserve backing wrapped versions of the token deployed on more than 20 other blockchains.
The attacker tricked LayerZero’s cross-chain messaging layer into believing a valid instruction had arrived from another network, which triggered Kelp’s bridge to release 116,500 rsETH to an attacker-controlled address.
Kelp’s emergency pauser multisig froze the protocol’s core contracts 46 minutes after the successful drain, at 18:21 UTC. Two follow-up attempts at 18:26 UTC and 18:28 UTC both reverted, each carrying the same LayerZero packet attempting another 40,000 rsETH drain worth roughly $100 million.
rsETH is deployed across more than 20 networks including Base, Arbitrum, Linea, Blast, Mantle and Scroll, with LayerZero’s OFT standard handling the cross-chain movement.
The rsETH held in the bridge was the reserve backing wrapped versions on every layer 2 blockchain, or networks that run atop Ethereum.
With that reserve drained, holders on non-Ethereum deployments now face the question of whether their tokens have anything underneath them, which creates a feedback loop where panic redemptions on L2s pressure the unaffected Ethereum supply, potentially forcing Kelp to unwind restaking positions to honor withdrawals.
The contagion list is long and still growing.
Aave froze rsETH markets on V3 and V4 within hours, with founder Stani Kulechov affirming the exploit was external and Aave’s contracts were not compromised. SparkLend and Fluid froze their rsETH markets.
AAVE fell about 10% as the market priced potential bad debt.
Kelp, a product under the KernelDAO umbrella, acknowledged the incident in its first public X post at 20:10 UTC, nearly three hours after the drain. The protocol said it was investigating with LayerZero, Unichain, its auditors and outside security specialists. It has not disclosed how the exploit bypassed the bridge’s validation logic.
Whether rsETH holds peg through the weekend depends on how much of the cross-chain float tries to redeem into ETH on Ethereum and whether Kelp can recover any portion of the stolen funds before the Tornado Cash trail goes cold.
The hack lands in an unusually hostile stretch for DeFi. Solana-based perpetuals protocol Drift was drained of about $285 million on April 1 in an attack later linked to North Korea-affiliated actors, and at least a dozen smaller protocols have been exploited in the weeks since, including CoW Swap, Zerion, Rhea Finance and Silo Finance.
Kelp’s $292 million loss is now the largest DeFi exploit of 2026, overtaking Drift by a few million dollars.