Kelp DAO has become the latest victim in the ongoing saga of decentralized finance (DeFi) exploits, with the protocol suffering a staggering $292 million loss following a cross-chain attack that targeted its rsETH assets. This incident, involving the draining of around 116,500 rsETH, has prompted intense scrutiny and raised questions about the security protocols in place at Kelp DAO.
According to blockchain data, the exploit occurred due to vulnerabilities in the cross-chain communication, specifically compromising the bridge mechanism essential for transferring assets between different networks. The attack unfolded via a call to the “Iz Receive” function on LayerZero’s EndpointV2, enabling the perpetrator to redirect funds to a wallet that they controlled.
ZachXBT, a prominent on-chain investigator, was among the first to alert the community to the breach, estimating the total amount lost to exceed $280 million across various blockchains including Ethereum and Arbitrum. Notably, the addresses used in the attack were traced back to funding from Tornado Cash, suggesting that the attacker took measures to obscure their identity and the origins of the funds.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you updated…
— Kelp (@KelpDAO) April 18, 2026
In a bid to mitigate further damage, Kelp DAO acted promptly by halting all rsETH contracts across its mainnet and several layer-2 networks. They also froze core contract functions involving deposits, withdrawals, and oracles. The organization announced that they were conducting an in-depth investigation in collaboration with LayerZero and Unichain to address the causes and repercussions of this exploit.
Interestingly, the attacker made two subsequent attempts to drain an additional 40,000 rsETH, amounting to nearly $100 million. However, Kelp DAO’s rapid response was crucial in thwarting these further attempts, preventing potential losses from exceeding $391 million.
Aave Takes Precautionary Measures
The ramifications of the exploit quickly extended beyond Kelp DAO itself. Aave, one of the industry’s leading DeFi lending platforms, responded by temporarily suspending all rsETH markets across both its V3 and V4 deployments. In a statement, Aave clarified that while its own smart contracts remained secure, this precautionary measure aimed to mitigate further exposure to potential risks associated with rsETH.
The rsETH markets on Aave V3 and Aave V4 have been frozen. Aave’s contracts have not been exploited and this is an exploit related to rsETH.
The freeze follows an exploit of the Kelp DAO rsETH bridge. Freezing the rsETH markets prevents new deposits and borrowing against rsETH…
— Aave (@aave) April 18, 2026
The rsETH token, designed to symbolize staked ETH while offering users the opportunity to earn additional yield through restaking strategies, plays a critical role in cross-chain DeFi operations. The size of this exploit is particularly damaging, accounting for roughly 18% of rsETH’s total circulating supply, which significantly affects both its liquidity and the trust of its user base.
