Kelp DAO Hit by $292M rsETH Bridge Exploit — Largest DeFi Hack of 2026 Sends Shockwaves Through Aave and LayerZero

The weekend's biggest crypto story did not come from Bitcoin's flirtation with $78,000 or from Saylor's latest billion-dollar buy. It came from a cross-chain bridge contract that was quietly holding more than a quarter-billion dollars in user collateral.

At roughly 17:35 UTC on Saturday, April 18, an attacker drained 116,500 rsETH — about $292 million and close to 18% of rsETH's circulating supply — from Kelp DAO's LayerZero-powered bridge. By the time the protocol paused its core contracts, the exploit had already overtaken the Drift incident earlier this year to become the largest DeFi exploit of 2026.

On-chain sleuth ZachXBT flagged the anomaly almost in real time, sending a wave of freezes through the Ethereum lending stack and knocking the AAVE token down roughly 10% before U.S. markets opened Monday morning.

What happened: a forged cross-chain message

The attacker did not break LayerZero's smart contracts in the strict sense. Instead, they tricked LayerZero's cross-chain messaging layer into believing a valid instruction had arrived from another network. That forged message told Kelp's bridge contract on Ethereum to release 116,500 rsETH to an attacker-controlled address.

Three details stand out in the post-mortem discussion:

• The bridge held the reserve collateral backing rsETH on more than 20 networks, which is why the loss immediately raised doubts about the peg on layer 2s and alt-L1s.
• The attacker funded the initial gas through Tornado Cash's 1-ETH pool, a well-known obfuscation pattern.
• The drained funds were fragmented across multiple wrapped-ether positions, leaving value stranded on chains where rsETH is now under-collateralized.

Kelp said in a short post-mortem on X that it is working with LayerZero, Unichain, its auditors and outside security specialists to trace the funds and assess recoverable value.

Contagion: Aave, SparkLend, Fluid and Upshift pull the handbrake

Because rsETH is widely accepted as collateral, the exploit's second-order effects were worse than the headline loss suggested. Within hours:

• Aave froze rsETH markets on both V3 and V4. One analyst's internal tally put potential bad debt at around $290 million if the peg breaks before positions can be unwound.
• SparkLend and Fluid paused borrow and withdraw functions on rsETH pools.
• Upshift, which routed yield strategies through rsETH vaults, halted new deposits.

Markets reacted. AAVE fell roughly 10% intraday, while rsETH briefly traded at a visible discount to ether on decentralized exchanges as arbitrageurs priced in recovery risk. The broader crypto market absorbed the shock better than many expected — Bitcoin was already trading above $77,000 on Strait of Hormuz optimism — but DeFi TVL on LayerZero-dependent chains fell sharply.

Why this one matters more than the headline number

Bridge exploits are unfortunately routine. Since January 2025 alone, bridge-related incidents have cost the industry more than $140 million in direct losses, and cross-chain bridges have now accounted for close to 40% of all value ever stolen in Web3 — over $2.8 billion cumulatively.

The Kelp DAO hit matters for four specific reasons.

1. It targeted a restaking primitive. rsETH is not just a wrapped asset — it is collateral for yield strategies across the Ethereum ecosystem, which is why the blast radius reached Aave within hours.
2. It exposed LayerZero's messaging assumptions. The attack did not require breaking LayerZero's code; it required forging trust in an off-chain oracle/relayer configuration. That is precisely the threat model bridge security researchers have warned about for years.
3. It stranded collateral on more than 20 chains. Unlike a single-chain hack, the rsETH supply on L2s and alt-L1s is now under-collateralized until Kelp can rebalance or socialize losses.
4. It landed on a weekend. Liquidity is thinner, arbitrageurs are slower, and recovery coordination across 20 networks is harder when core contributors are offline.

What happens next

Three scenarios are plausible over the next week:

• Partial recovery. If on-chain forensics catch the attacker before funds exit Tornado Cash or CEX off-ramps — as happened in several 2025 cases — Kelp could recover 20–40% and offer users a pro-rata haircut. rsETH peg likely holds.
• Insurance-fund absorption. Kelp activates its treasury and any insurance layer; lenders take a small write-down but markets reopen within days.
• Peg break. If redemptions accelerate faster than Kelp can rebalance, rsETH loses its peg on at least some chains, and Aave realizes bad debt that cascades into the AAVE token and lending rates.

For cross-chain bridge security more broadly, expect renewed pressure on LayerZero to tighten its oracle/relayer configuration defaults, and a fresh round of audits for every bridge carrying restaking collateral.

We have compiled a cross-chain bridge security guide walking through what went wrong at Kelp and how to move assets safely between chains in the current environment.

FAQ

What is rsETH and why was so much of it on a bridge? rsETH is Kelp DAO's liquid restaking token — a receipt for ether deposited into EigenLayer. Users like to use rsETH on layer 2s and alt-L1s to earn yield while keeping exposure to ether. Kelp's bridge held the canonical Ethereum-side reserve that backed rsETH on every other chain, which is why it became such a large single point of failure.

Was LayerZero hacked? LayerZero's core contracts appear intact based on early reports. The attack exploited trust assumptions in LayerZero's messaging configuration — specifically, forging a cross-chain message that the Kelp bridge then honored. LayerZero and Kelp are jointly investigating.

Is my money safe on Aave? Aave's core protocol was not exploited. The rsETH market freeze is a precaution to prevent users from borrowing against potentially under-collateralized rsETH. Positions in ETH, USDC, WBTC and other unrelated markets function normally, though volatility is elevated.

Can users get their rsETH back? It depends on recovery. If Kelp and law-enforcement partners recover a material share of the 116,500 rsETH before it exits Tornado Cash, users may see partial redemption. If not, expect either a treasury bailout, a socialized loss, or a peg break.

Does this affect Bitcoin directly? Not mechanically. Bitcoin is not collateral in the rsETH system. But sentiment-wise, a nine-figure DeFi hack during a fragile geopolitical week tends to push risk-off flows toward BTC — which is partly why Bitcoin held above $75,000 through the weekend despite the exploit.

Sources

• CoinDesk — 2026's biggest crypto exploit: $292 million gets drained from Kelp DAO
• CryptoBriefing — Kelp DAO hit by $292M bridge hack draining rsETH reserves
• CoinGape — AAVE Price Crashes 10% as Aave-Backed KelpDAO Faces $292M Crypto Hack
• Bitcoin.com News — ZachXBT Flags $280M+ KelpDAO Exploit

Disclaimer: This article is for informational and educational purposes only and does not constitute investment, legal or tax advice. Digital assets are highly volatile and can lose value quickly. Do your own research and consult a licensed advisor before making any investment decision.