- A single spoofed transaction drained 116,500 rsETH (~$292 million) from Kelp DAO’s LayerZero bridge in under an hour.
- The attacker borrowed another $236 million via Aave, Compound, and Euler before anyone could stop them.
- 20+ blockchains are now holding wrapped rsETH tokens that may no longer be fully backed.
Someone walked into Kelp DAO’s cross-chain bridge on April 18 and walked out with $292 million. No zero-day exploit. No sophisticated smart contract vulnerability. Just a spoofed function call on LayerZero’s EndpointV2 contract—the bridge’s single verification checkpoint—and 116,500 rsETH tokens were released to an attacker-controlled wallet at 17:35 UTC. The entire attack took one transaction.
rsETH is Kelp DAO’s liquid restaking token. Users deposit ETH, Kelp routes it through EigenLayer for extra yield, and rsETH acts as the tradeable receipt. The bridge moves rsETH across 20+ blockchains using LayerZero’s OFT (Omnichain Fungible Token) standard. The problem: OFT bridges trust a single messaging layer. If that layer is compromised, the bridge releases funds. No secondary verification. No multi-sig on transfers. One call, one drain.
Kelp’s emergency multisig executed pauseAll at 18:21 UTC—46 minutes after the attack began. Two follow-up drain attempts at 18:26 and 18:28 UTC were blocked. But the damage was already compounding. The attacker had moved stolen rsETH into Aave V3, Compound V3, and Euler, borrowing approximately 74,000 ETH against the collateral. That’s $236 million in bad debt across three lending protocols, all built before Kelp’s pause kicked in.
How a Bridge’s Single Point of Failure Became a $292M Problem
The exploit vector is almost embarrassingly simple. The attacker called lzReceive on LayerZero’s EndpointV2 contract, spoofing what looked like a legitimate cross-chain message. Kelp’s bridge contract accepted it as valid and released the tokens. Blockchain analyst ZachXBT noted on Telegram: “KelpDAO appears to have had $280M+ stolen one hour ago on Ethereum and Arbitrum.” The figure later revised upward to $292 million.
The ripple effects were immediate. Aave froze rsETH markets on both V3 and V4. According to CryptoBriefing, Aave’s token dropped roughly 10% as markets priced in the bad debt exposure. SparkLend and Fluid froze rsETH collateral too. Lido paused earnETH deposits. Ethena issued a statement saying it was “temporarily pausing our LayerZero OFT bridges from Ethereum mainnet until the root cause of the rsETH incident has been identified.” L2 holders on Base, Arbitrum, Linea, Blast, Mantle, and Scroll now face tokens that may not be fully backed.
The attacker wallet received ETH through Tornado Cash roughly 10 hours before the exploit—deliberate obfuscation that makes attribution difficult. No group has claimed responsibility. The $292 million drain surpasses the Drift Protocol’s $285 million hack from April 1, which was linked to North Korea-affiliated actors, as the largest DeFi exploit of 2026. Per blockchain security firm Cyvers, total crypto losses in Q1 2026 already hit $482 million.
Cross-Chain Bridges Are Still the Weakest Link in DeFi
This isn’t a new problem—it’s the same structural flaw that powered the Ronin Bridge ($625M, 2022), Wormhole ($320M, 2022), and Nomad ($190M, 2022). Cross-chain bridges custody massive liquidity and rely on a messaging layer that, when compromised, unlocks everything at once. LayerZero’s OFT standard is widely used because it’s simple. That simplicity is also the vulnerability.
Kelp DAO had a prior incident in April 2025—a fee-contract bug that led to unintended rsETH minting. The protocol paused and reported no user funds were lost. This time, the funds are gone. Kelp’s first public statement came roughly three hours after the attack, according to CoinCentral, raising questions about incident response speed. No recovery plan has been announced.
The broader DeFi hack wave in 2026—CoW Swap, Zerion, Rhea Finance, Silo Finance, and now Kelp DAO—shows that cross-chain composability remains a multi-billion-dollar liability. The attacker funded their exploit wallet through Tornado Cash, converted approximately $250 million of stolen rsETH to ETH per Cyvers tracking, and still holds significant positions across lending protocols. Kelp DAO has not disclosed how the attacker bypassed the bridge’s validation logic.
