Kelp DAO Just Got Hit With The Largest Crypto Exploit Of 2026 As Hackers Drain Nearly $300 Million

If you needed a reminder that DeFi still has serious security holes, here it is. Kelp DAO, the Ethereum-based liquid restaking protocol, just got absolutely gutted in what is now the single largest crypto exploit of 2026. Hackers drained roughly $292 million worth of rsETH tokens by exploiting a vulnerability in Kelp’s LayerZero-powered cross-chain bridge.

That number is not a typo. Nearly $300 million, gone in a single transaction. And the fallout is still rippling through the entire Ethereum DeFi ecosystem tonight.

The attack hit at approximately 5:35 PM UTC on Saturday, April 18. The attacker manipulated LayerZero’s cross-chain messaging verification system, essentially tricking it into believing a legitimate transfer request had arrived from another blockchain. That spoofed instruction triggered Kelp’s bridge to release 116,500 rsETH tokens to an attacker-controlled wallet. That amount represents roughly 18% of rsETH’s entire circulating supply of around 630,000 tokens.

Kelp DAO confirmed the breach and announced emergency measures within the hour:

Kelp’s emergency pauser multisig froze the protocol’s core contracts about 46 minutes after the initial drain, at 18:21 UTC. Two follow-up attempts by the attacker at 18:26 and 18:28 UTC both failed, each trying to siphon another 40,000 rsETH worth roughly $100 million. Those packets reverted, but the original $292 million was already out the door.

What makes this exploit especially ugly is what the attacker did next. According to Crypto Briefing, the stolen rsETH was deposited into multiple lending protocols including Aave V3, Compound V3, and Euler. The attacker then borrowed approximately $236 million in wrapped ETH against that collateral, accumulating roughly 74,000 ETH. The problem? That rsETH was no longer backed by any real underlying assets. It was effectively worthless collateral propping up hundreds of millions in borrowed funds.

Attackers deposited rsETH into multiple lending protocols including Aave V3, Compound V3, and Euler, and borrowed approximately $236 million in wrapped ETH against the collateral, accumulating roughly 74,000 ETH and generating over $280 million in bad debt across protocols.

The cascade was immediate. Aave moved fast to freeze all rsETH markets on both V3 and V4:

Aave was not the only protocol scrambling to contain the damage. SparkLend froze its rsETH markets (reporting zero exposure), Fluid locked down its positions, Lido Finance paused earnETH deposits as a precaution, and Ethena temporarily froze its LayerZero bridges. Blockchain investigator ZachXBT was among the first to flag the exploit publicly, identifying six attacker wallet addresses and noting they had been funded through Tornado Cash before the drain even began.

The AAVE token took a hit too, dropping roughly 10-13% in the hours following the news as traders priced in the bad debt exposure.

This exploit now surpasses the Drift hack as the largest DeFi breach of the year. And with the stolen rsETH scattered across more than 20 chains and deep into multiple lending pools, unwinding this mess is going to take a while. The attacker wallets were funded via Tornado Cash, which means tracing the funds back to any individual is going to be an uphill battle.

Kelp says they are working with LayerZero, Unichain, their auditors, and security firms on a root cause analysis. But for the thousands of users who trusted the rsETH bridge with their capital, the damage is done. This is the kind of event that sets the entire restaking sector back and raises hard questions about the security of cross-chain bridges heading into the second half of 2026.

Join the conversation!

We have no tolerance for comments containing violence, racism, profanity, vulgarity, doxing, or discourteous behavior. If a comment is spam, instead of replying to it please click the icon below and to the right of that comment. Thank you for partnering with us to maintain fruitful conversation.