A cross-chain bridge holding practically a fifth of a restaked ether token’s circulating provide simply acquired drained, and the fallout is shifting by means of DeFi quicker than Kelp DAO can pause contracts.
An attacker drained 116,500 rsETH (restaked ether) from Kelp DAO’s LayerZero-powered bridge at 17:35 UTC on Saturday, value roughly $292 million at present costs and representing about 18% of rsETH’s 630,000 token circulating provide tracked by CoinGecko.
LayerZero is a cross-chain messaging layer, or the infrastructure that lets totally different blockchains ship verified directions to one another. Kelp DAO is a liquid restaking protocol, which takes user-deposited ETH, routes it by means of EigenLayer to earn further yield on high of normal Ethereum staking rewards, and points rsETH as a tradeable receipt.
The bridge that was drained held the rsETH reserve backing wrapped variations of the token deployed on greater than 20 different blockchains.
The attacker tricked LayerZero’s cross-chain messaging layer into believing a sound instruction had arrived from one other community, which triggered Kelp’s bridge to launch 116,500 rsETH to an attacker-controlled handle.
Kelp’s emergency pauser multisig froze the protocol’s core contracts 46 minutes after the profitable drain, at 18:21 UTC. Two follow-up makes an attempt at 18:26 UTC and 18:28 UTC each reverted, every carrying the identical LayerZero packet trying one other 40,000 rsETH drain value roughly $100 million.
rsETH is deployed throughout greater than 20 networks together with Base, Arbitrum, Linea, Blast, Mantle and Scroll, with LayerZero’s OFT customary dealing with the cross-chain motion.
The rsETH held within the bridge was the reserve backing wrapped variations on each layer 2 blockchain, or networks that run atop Ethereum.
With that reserve drained, holders on non-Ethereum deployments now face the query of whether or not their tokens have something beneath them, which creates a suggestions loop the place panic redemptions on L2s stress the unaffected Ethereum provide, probably forcing Kelp to unwind restaking positions to honor withdrawals.
The contagion record is lengthy and nonetheless rising.
Aave froze rsETH markets on V3 and V4 inside hours, with founder Stani Kulechov affirming the exploit was exterior and Aave’s contracts weren’t compromised. SparkLend and Fluid froze their rsETH markets.
AAVE fell about 10% because the market priced potential unhealthy debt.
Lido Finance paused additional deposits into its earnETH product, which carries rsETH publicity, whereas clarifying that stETH and wstETH are unaffected and the core Lido staking protocol has no involvement within the incident.
Ethena quickly paused its LayerZero OFT bridges from Ethereum mainnet as a precaution, saying it has no rsETH publicity and stays greater than 101% overcollateralized. The stablecoin issuer mentioned the pause would final roughly six hours whereas the foundation trigger is recognized.
Kelp, a product below the KernelDAO umbrella, acknowledged the incident in its first public X publish at 20:10 UTC, practically three hours after the drain. The protocol mentioned it was investigating with LayerZero, Unichain, its auditors and out of doors safety specialists. It has not disclosed how the exploit bypassed the bridge’s validation logic.
Whether or not rsETH holds peg by means of the weekend depends upon how a lot of the cross-chain float tries to redeem into ETH on Ethereum and whether or not Kelp can get better any portion of the stolen funds earlier than the Twister Money path goes chilly.
The hack lands in an unusually hostile stretch for DeFi. Solana-based perpetuals protocol Drift was drained of about $285 million on April 1 in an assault later linked to North Korea-affiliated actors, and no less than a dozen smaller protocols have been exploited within the weeks since, together with CoW Swap, Zerion, Rhea Finance and Silo Finance.
Kelp’s $292 million loss is now the biggest DeFi exploit of 2026, overtaking Drift by a number of million {dollars}.
