A significant breach of a cross-chain bridge holding nearly one-fifth of the circulating supply of a restaked ether token has rippled swiftly across DeFi ecosystems, outpacing Kelp DAO’s ability to halt contracts. On Saturday at 17:35 UTC, an attacker siphoned off 116,500 rsETH (restaked ether) from LayerZero-powered bridges managed by Kelp DAO, equating to approximately $292 million and about 18% of the total 630,000 token supply tracked by CoinGecko.
LayerZero serves as a cross-chain messaging infrastructure enabling blockchains to send authenticated instructions across networks. Kelp DAO operates as a liquid restaking protocol that utilizes user-deposited ETH, channels it through EigenLayer for additional yield on top of Ethereum’s standard staking rewards, and issues rsETH as a tradable receipt.
The compromised bridge contained the rsETH reserves backing versions of the token deployed across over 20 blockchains. The attacker deceived LayerZero into accepting a falsified instruction from another network, which prompted Kelp’s bridge to release the rsETH to an adversary-controlled address.
Kelp’s emergency multisig pauser froze core contracts at 18:21 UTC, 46 minutes after the drain. Subsequent attempts at 18:26 and 18:28 UTC to execute a further $100 million drain of 40,000 rsETH using the same LayerZero packet failed.
rsETH is distributed over more than 20 networks such as Base, Arbitrum, Linea, Blast, Mantle, and Scroll, with cross-chain transfers facilitated by LayerZero’s OFT standard.
The drained reserve leaves holders on other blockchains questioning their tokens’ backing, potentially triggering panic redemptions that stress the unaffected Ethereum reserves, which could force Kelp to unwind restaking positions to fulfill withdrawals.
A long and expanding list of impacted platforms includes Aave, which suspended its rsETH markets in V3 and V4 within hours. Stani Kulechov, Aave’s founder, confirmed that the attack was external and that Aave’s contracts were intact. Similarly, SparkLend and Fluid paused their rsETH markets. In the fallout, AAVE fell by about 10%, reflecting concerns over potential bad debt.
Lido Finance halted new deposits into its earnETH product due to rsETH exposure but assured that stETH and wstETH were unaffected and uninvolved in the incident. Ethena temporarily shut down its LayerZero OFT bridges from Ethereum mainnet as a precaution, emphasizing its lack of rsETH exposure and that it maintains over 101% collateralization. The six-hour pause is intended to allow investigation of the root cause.
Nearly three hours post-drain, at 20:10 UTC, Kelp DAO, under KernelDAO, disclosed the exploit on X, indicating investigations with LayerZero, Unichain, auditors, and external security experts are underway. Details about how the bridge’s validation logic was circumvented remain undisclosed.
The sustainability of rsETH’s peg hinges on redemption attempts from cross-chain reserves into ETH on Ethereum and on Kelp’s ability to retrieve any stolen funds before transfers through Tornado Cash make them irretrievable.
This incident occurs amidst a particularly aggressive period for DeFi, following the Solana-based Drift’s loss of about $285 million on April 1 to North Korea-linked actors. Other smaller protocols like CoW Swap, Zerion, Rhea Finance, and Silo Finance have also been compromised recently.
Kelp’s $292 million breach now stands as the most significant DeFi exploit of 2026, surpassing Drift by several million dollars.