Kelp DAO Exploited for $293M in Largest DeFi Hack of 2026



James Ding
Apr 18, 2026 22:32

Kelp’s rsETH bridge drained of $293M as attacker converts stolen funds to ETH. Aave freezes markets, nine protocols impacted in cascading DeFi crisis.





Kelp DAO’s rsETH adapter bridge was exploited Saturday for approximately $293 million, marking the largest single protocol hack of 2026 and triggering emergency freezes across at least nine DeFi platforms with exposure to the liquid restaking token.

The attacker funded their wallet through Tornado Cash and has already converted roughly $250 million of the stolen assets to ETH, according to blockchain security firm Cyvers. Kelp has paused rsETH contracts on Ethereum mainnet and multiple Layer-2 networks while investigating.

Contagion Spreads Across DeFi

Aave moved quickly to freeze rsETH markets on both V3 and V4 deployments. The lending protocol’s AAVE token dropped 10% following the news, while ETH fell 3.74% to $2,401.60 amid broader market jitters.

“This is exactly the kind of incident that highlights the risks of composability in DeFi,” Cyvers CEO Deddy Lavid told Cointelegraph. When one protocol’s token is integrated across multiple platforms, a single exploit can cascade through the entire ecosystem.

Kelp DAO, founded by Stader Labs co-founders Amitej Gajjala and Dheeraj Borra, lets users deposit liquid staking tokens like stETH to receive rsETH—a token that earns yields from both Ethereum staking and EigenLayer services. That deep integration made rsETH attractive for yield strategies but also created systemic risk.

Second Major Exploit This Month

The Kelp hack follows Drift Protocol’s $280 million exploit earlier in April. Drift’s post-mortem revealed attackers spent months infiltrating the team after meeting developers at a crypto conference—a sophisticated social engineering campaign linked to suspected North Korean state hackers.

Combined with other incidents, Q1 2026 saw $482 million lost to hacks and scams. The Kelp exploit alone exceeds 60% of that quarterly total.

What Happens Next

Kelp hasn’t responded to press inquiries. For rsETH holders, options are limited while contracts remain paused. Users with rsETH collateral on frozen lending markets face potential liquidation risks if freezes lift before the situation stabilizes.

The attack vector—targeting a bridge adapter rather than core protocol logic—echoes previous high-profile exploits. Bridge contracts remain DeFi’s most vulnerable attack surface, handling cross-chain value transfers with complex security requirements.

Traders should monitor announcements from affected protocols and avoid interacting with rsETH-related contracts until Kelp provides clarity on the exploit’s scope and any potential recovery plans.
