A cross-chain bridge exploit at Kelp DAO on April 18 drained about 116,500 rsETH, worth nearly $293 million, and triggered a rapid response across decentralized finance platforms. The breach affected a token widely used in lending and liquidity markets, prompting freezes, pauses, and fresh concern over cross-protocol exposure.
Kelp DAO said it detected “suspicious cross-chain activity involving rsETH” after an attacker exploited infrastructure tied to its LayerZero-powered bridge. The stolen amount reached about 116,500 rsETH, with estimates placing the loss near $293 million. The incident became the largest DeFi exploit recorded in 2026.
Kelp DAO runs a liquid restaking protocol. Users deposit assets such as stETH or cbETH and receive rsETH in return. They can then use rsETH across decentralized applications while continuing to earn staking-related rewards. Because rsETH circulates across more than 20 blockchain networks, the breach spreads risk beyond one protocol within hours.
Reports around the incident said the attacker funded a wallet through Tornado Cash before the exploit. The exploit targeted the bridge communication layer and caused the system to release rsETH to the attacker. Kelp DAO later paused rsETH contracts across Ethereum mainnet and several layer-2 networks while it investigated the incident with LayerZero, auditors, and security teams.
Cyvers described the event as “not just a protocol exploit” and said it became a cross-protocol contagion event. The security firm added that at least nine other platforms faced direct or indirect exposure because rsETH had already been integrated into lending, trading, and liquidity systems.
Aave froze rsETH-related markets after the exploit to stop new deposits and new borrowing against rsETH collateral. The protocol said the freeze was meant to contain further damage while teams reviewed current exposure. Existing positions remained open, but concern grew over possible bad debt tied to rsETH-backed borrowing.
Market reaction followed quickly. Aave’s token fell during Asian trading hours after news of the exploit spread, while rsETH-related activity increased as users adjusted positions. Aave later said it was reviewing rsETH borrows made after the exploit and would share more details after the assessment.
Other platforms also moved to reduce risk. SparkLend, Fluid, and Upshift froze rsETH markets, while Kelp DAO activated an emergency pause. Cyvers’ Chief Technology Officer Meir Dolev said the protocol was “just three minutes away from losing an additional US$100 million” before blacklist measures blocked another attempt.
The breach showed how risk can move quickly through DeFi when one token is widely reused. rsETH had been used as collateral for loans and as liquidity across multiple services. Once the exploit hit, several connected platforms had to react within a short period.
The Kelp DAO exploit added to a rising list of crypto security incidents in April. Figures included in the provided information put total losses for the month above $605 million across at least 12 attacked businesses and protocols. The Kelp incident moved ahead of the earlier Drift exploit and became the largest DeFi breach of the year.
Other incidents for the month included the Drift exploit, losses tied to Grinex, the Hyperbridge attack, and an attempted bridge attack involving Aethir. The attacks used different methods, but several involved bridges, verification systems, or operational weaknesses in crypto infrastructure.
Kelp DAO now faces an investigation into how the exploit occurred and how affected users may be addressed. Aave and other platforms continue to review exposure linked to rsETH positions. The April 18 breach also showed how losses in one protocol can spread quickly when the same asset is used across many DeFi applications.
Also Read: Why XRP Might Surge in April 2026