Overview
The DeFi ecosystem faced its largest hack of 2026 when an attacker drained $292 million from Kelp DAO’s cross-chain bridge. The exploit targeted 116,500 rsETH, representing roughly 18% of the restaked ether token's circulating supply. The incident, which occurred on a LayerZero-powered bridge, immediately triggered emergency freezes across major lending protocols, including Aave, SparkLend, and Fluid.
The loss exposed a critical vulnerability in the architecture of liquid restaking protocols: the reliance on centralized reserves backing wrapped assets across numerous blockchains. Because the compromised bridge held the core reserves for rsETH deployed on over 20 separate networks, the drain instantly put the peg of the token and the stability of the underlying collateral into question.
The fallout has rapidly spread, moving through the Layer 2 landscape faster than Kelp DAO could implement emergency pauses. The hack serves as a stark reminder of the deep systemic interdependencies built into modern cross-chain finance, where a single point of failure can cascade across multiple ecosystems.
The Mechanics of the Cross-Chain Theft
The Mechanics of the Cross-Chain Theft
The attack exploited a fundamental weakness in how the cross-chain messaging layer operated. Kelp DAO is a liquid restaking protocol that generates rsETH by routing user-deposited ETH through EigenLayer for enhanced yield. The bridge itself was designed to hold the reserves necessary to back wrapped versions of rsETH deployed on external Layer 2 chains.
The attacker successfully tricked LayerZero’s messaging layer into accepting a fraudulent instruction. This deception convinced the bridge that a legitimate cross-chain transaction had occurred, prompting the system to release 116,500 rsETH to an address controlled by the perpetrator. The value of the drained assets was estimated at $292 million at the time of the breach.
The speed of the exploit was critical. Kelp DAO’s emergency multisig contract was unable to fully contain the damage, only freezing the core contracts 46 minutes after the initial successful drain. Subsequent attempts by the attacker to drain additional funds failed, reverting due to the protocol’s protective measures, but the initial loss was already substantial.
Systemic Contagion and Protocol Freezes
The immediate consequence of the exploit was a wave of systemic panic, forcing multiple major DeFi protocols to halt trading on rsETH markets. The loss immediately cast doubt on the collateral backing the token on non-Ethereum deployments.
Aave, a foundational lending platform, froze its rsETH markets on both V3 and V4, though its founder affirmed that the exploit was external and that Aave’s core contracts remained secure. Similar actions were taken by SparkLend and Fluid, who paused their respective rsETH markets.
The contagion list grew quickly. Lido Finance, while clarifying that its core stETH and wstETH products were unaffected, paused further deposits into its earnETH product due to the exposure to rsETH. Even Ethena, a stablecoin issuer, temporarily paused its LayerZero OFT bridges from the Ethereum mainnet as a precautionary measure, despite stating its own collateralization ratios remained robust.
The Fragility of Cross-Chain Reserves
The incident underscores the inherent fragility of cross-chain bridge architecture when dealing with liquid collateral. The core issue is the separation of the reserve asset from the utilized asset. While rsETH is designed to be liquid and portable across dozens of chains—including Base, Arbitrum, Linea, Blast, and Mantle—the bridge mechanism holding the reserves proved to be a single, massive point of failure.
The market reaction demonstrated a classic feedback loop of panic. The draining of the reserve assets on the main bridge forced holders on Layer 2s to question the validity of their wrapped tokens. This uncertainty triggered panic redemptions on the L2s, which in turn exerted downward pressure on the unaffected Ethereum supply, potentially forcing Kelp DAO to unwind restaking positions simply to honor withdrawals.
The complexity of liquid restaking—combining ETH staking, EigenLayer yield, and cross-chain liquidity—has created a highly sophisticated, yet brittle, financial structure. The exploit did not just steal tokens; it attacked the confidence in the underlying collateralization model itself.
