$292 Million Gone in 46 Minutes: Inside the Kelp DAO DeFi Hack

TLDR

Kelp DAO’s LayerZero-powered bridge was exploited on Saturday, draining 116,500 rsETH worth ~$292 million The attacker tricked LayerZero’s messaging layer into releasing funds to an attacker-controlled address About $250 million of stolen funds were converted to ETH; a Tornado Cash-funded address was used At least nine protocols froze rsETH markets, including Aave, SparkLend, and Fluid This is now the largest DeFi exploit of 2026, overtaking the Drift Protocol hack from April 1

---

An attacker drained 116,500 rsETH from Kelp DAO’s LayerZero-powered bridge on Saturday at 17:35 UTC, making off with roughly $292 million in crypto assets.

KelpDAO was exploited, with ~$294M stolen!

The attacker minted 116,500 $RSETH ($294M).

By selling $RSETH and using it as collateral to borrow $ETH, the attacker obtained 106,467 $ETH ($250M).https://t.co/hSZZ7Teffv pic.twitter.com/0GfWLIX7rK

— Lookonchain (@lookonchain) April 19, 2026

The stolen amount represents about 18% of rsETH’s total circulating supply of 630,000 tokens, according to data from CoinGecko.

Kelp DAO is a liquid restaking protocol. It takes user-deposited ETH, routes it through EigenLayer to earn extra yield, and issues rsETH as a tradeable receipt token.

Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.

We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.

We will keep you…

— Kelp (@KelpDAO) April 18, 2026

The attacker tricked LayerZero’s cross-chain messaging layer into believing a valid instruction had arrived from another network. This caused Kelp’s bridge to release the funds to an attacker-controlled wallet.

Kelp’s emergency multisig paused the protocol’s core contracts 46 minutes after the drain, at 18:21 UTC. Two follow-up attempts to drain another 40,000 rsETH — worth roughly $100 million — were both blocked.

The stolen funds were moved through a Tornado Cash-funded address. About $250 million of the stolen rsETH had already been converted to ETH, according to blockchain security firm Cyvers.

Fallout Spreads Across DeFi

The bridge that was drained held the reserve backing wrapped rsETH on more than 20 blockchains, including Base, Arbitrum, Linea, Blast, and Scroll.

With that reserve gone, holders of rsETH on layer 2 networks now face uncertainty about whether their tokens are fully backed.

Aave froze rsETH markets on V3 and V4 within hours of the exploit. Aave’s token fell about 10% as markets priced in the risk of potential bad debt.

SparkLend and Fluid also froze their rsETH markets. Lido Finance paused deposits into its earnETH product, which carries rsETH exposure, while clarifying that its core staking protocol was not involved.

Ethena paused its LayerZero OFT bridges from Ethereum mainnet as a precaution for around six hours, saying it had no rsETH exposure.

Kelp posted its first public response at 20:10 UTC — nearly three hours after the attack. The protocol said it was working with LayerZero, Unichain, its auditors, and outside security specialists.

A Rough Stretch for DeFi in 2026

Cyvers CEO Deddy Lavid said the incident shows the risks of composability in DeFi, where protocols are deeply connected.

The Drift Protocol, a Solana-based platform, was drained of about $285 million on April 1 in an attack linked to North Korea-affiliated actors.

Smaller protocols including CoW Swap, Zerion, Rhea Finance, and Silo Finance have also been exploited in recent weeks.

Total crypto losses from hacks and scams reached approximately $482 million in Q1 2026, according to Cyvers.

The Kelp DAO exploit now stands as the largest DeFi hack of 2026, surpassing Drift by several million dollars.

Kelp has not disclosed how the attacker bypassed the bridge’s validation logic as of the time of publication.

The post $292 Million Gone in 46 Minutes: Inside the Kelp DAO DeFi Hack appeared first on CoinCentral.