A $292 million security breach at KelpDAO triggered a significant pullout across the decentralized finance sector, leading to an estimated $10 billion being withdrawn from various protocols. The incident commenced late Saturday when an attacker siphoned approximately 116,500 rsETH from KelpDAO’s cross-chain bridge, with the tokens valued at around $292 million according to CryptoSlate data.
KelpDAO issues rsETH for ETH deposited into its liquid restaking system, which then utilizes EigenLayer to enhance yield on staked returns. This breach is now recorded as the largest DeFi exploit of 2026, surpassing previous incidents this year.
The exploited rsETH circulated via LayerZero’s cross-chain messaging network, linking Unichain with Ethereum mainnet. Banteg, a Yearn Finance developer, explained that the attacker used a fraudulent message accepted by the system, causing the Ethereum-side adapter to release pre-funded reserves without secondary verification checks.
Post-attack, KelpDAO’s emergency multisignature wallet froze core contracts, thwarting two subsequent attempts which could have siphoned off another $100 million in rsETH. The stolen funds were initially routed through Tornado Cash to obscure their trail.
rsETH’s reserves circulated across several networks including Base, Arbitrum, and others, creating redemption uncertainties once reserves were depleted. This uncertainty rapidly spread throughout the market.
Aave, a leading crypto lending platform, was severely impacted as the stolen rsETH was deposited as collateral. During this period, Aave’s oracles misread rsETH’s peg, allowing the issuance of 106,467 ETH against it and exposing the platform to about $236 million in potential bad debt. This prompted users to withdraw funds swiftly, with Aave’s TVL plummeting from over $26 billion to roughly $20 billion.
Large holders contributed significantly to this withdrawal spree, exemplified by TRON founder Justin Sun withdrawing 65,580 ETH worth approximately $154 million. As withdrawals increased, Aave’s ETH utilization rate hit 100%, leaving no Ether on the platform available to borrow or withdraw.
Consequently, the AAVE token price fell over 18%, a drop worsened by large AAVE holders selling substantial amounts of tokens. To mitigate further losses, Aave froze rsETH markets on its platforms and clarified its lack of exposure to this asset following the KelpDAO breach.
The repercussions spread across DeFi, with other protocols like Lido, SparkLend, and Compound also halting rsETH lending activities. Ethena paused its LayerZero bridges as a precautionary measure despite having no direct exposure to rsETH.
The incident highlighted how quickly capital can move when collateral integrity is questioned. A single bridge exploit was sufficient to cause widespread market disturbances within hours.
In response, industry experts called for improved security measures in DeFi protocols. Jonathan Man from Bitwise emphasized the need for stronger foundations in financial systems. Keone Hon suggested pooled lending protocols could impose rate limits on asset deposits and collateral usage to mitigate rapid exploitation.
Hon pointed out that limiting available exit paths during exploits can help contain the size of losses, citing past incidents where controlled exit routes limited losses. Guy Young supported these views, proposing additional throttles at the mint and redemption stages along with enhancements to LayerZero’s OFT standard.
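The rate-limit idea described above can be sketched as a rolling-window cap on how much of one asset a lending pool accepts as collateral. This is an added example, not code from the article or from any protocol named in it; the cap, window, freeze time and retry interval are constructed values, and only the 116,500 rsETH figure comes from the article.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class CollateralThrottle:
    """Rolling-window cap on units of one asset admitted as collateral."""
    cap: int        # max units admitted per window (constructed value)
    window_s: int   # window length in seconds (constructed value)
    _events: deque = field(default_factory=deque)  # (timestamp, amount) pairs
    _used: int = 0  # units admitted inside the current window

    def _expire(self, now: int) -> None:
        # Drop admissions that have aged out of the rolling window.
        while self._events and self._events[0][0] <= now - self.window_s:
            _, amount = self._events.popleft()
            self._used -= amount

    def admit(self, now: int, amount: int) -> int:
        """Return the part of `amount` accepted as collateral at time `now`."""
        self._expire(now)
        accepted = max(0, min(amount, self.cap - self._used))
        if accepted:
            self._events.append((now, accepted))
            self._used += accepted
        return accepted


def exposure_before_freeze(stolen: int, cap: int, window_s: int,
                           freeze_at: int, step_s: int = 600) -> int:
    """Units of collateral a depositor gets admitted before an emergency
    freeze at `freeze_at`, retrying the remainder every `step_s` seconds."""
    throttle = CollateralThrottle(cap, window_s)
    remaining, now = stolen, 0
    while now < freeze_at and remaining > 0:
        remaining -= throttle.admit(now, remaining)
        now += step_s
    return stolen - remaining


if __name__ == "__main__":
    STOLEN = 116_500  # rsETH figure reported in the article
    # Constructed scenario: freeze lands two hours after the first deposit.
    print("no throttle:", exposure_before_freeze(STOLEN, STOLEN, 3600, 7200))
    print("5,000/hour :", exposure_before_freeze(STOLEN, 5_000, 3600, 7200))
```

The throttle does not stop the deposit path from being used; it bounds how much exposure accumulates before a freeze can take effect.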
This event underscores the necessity for enhanced security protocols in DeFi to prevent similar future disruptions.