A cross-chain bridge holding nearly a fifth of a restaked ether token’s circulating supply just got drained, and the fallout is moving through DeFi faster than Kelp DAO can pause contracts.
An attacker drained 116,500 rsETH (restaked ether) from Kelp DAO’s LayerZero-powered bridge at 17:35 UTC on Saturday, worth roughly $292 million at current prices and representing about 18% of rsETH’s 630,000 token circulating supply tracked by CoinGecko.
LayerZero is a cross-chain messaging layer, or the infrastructure that lets different blockchains send verified instructions to each other. Kelp DAO is a liquid restaking protocol, which takes user-deposited ETH, routes it through EigenLayer to earn additional yield on top of standard Ethereum staking rewards, and issues rsETH as a tradeable receipt.
The bridge that was drained held the rsETH reserve backing wrapped versions of the token deployed on more than 20 other blockchains.
The attacker tricked LayerZero’s cross-chain messaging layer into believing a valid instruction had arrived from another network, which triggered Kelp’s bridge to release 116,500 rsETH to an attacker-controlled address.
Kelp’s emergency pauser multisig froze the protocol’s core contracts 46 minutes after the successful drain, at 18:21 UTC. Two follow-up attempts at 18:26 UTC and 18:28 UTC both reverted, each carrying the same LayerZero packet attempting another 40,000 rsETH drain worth roughly $100 million.
rsETH is deployed across more than 20 networks including Base, Arbitrum, Linea, Blast, Mantle and Scroll, with LayerZero’s OFT standard handling the cross-chain movement.
The rsETH held in the bridge was the reserve backing wrapped versions on every layer 2 blockchain, or networks that run atop Ethereum.
With that reserve drained, holders on non-Ethereum deployments now face the question of whether their tokens have anything underneath them, which creates a feedback loop where panic redemptions on L2s pressure the unaffected Ethereum supply, potentially forcing Kelp to unwind restaking positions to honor withdrawals.
The contagion list is long and still growing.
Aave froze rsETH markets on V3 and V4 within hours, with founder Stani Kulechov affirming the exploit was external and Aave’s contracts were not compromised. SparkLend and Fluid froze their rsETH markets.
AAVE fell about 10% as the market priced potential bad debt.
Lido Finance paused further deposits into its earnETH product, which carries rsETH exposure, while clarifying that stETH and wstETH are unaffected and the core Lido staking protocol has no involvement in the incident.
Ethena temporarily paused its LayerZero OFT bridges from Ethereum mainnet as a precaution, saying it has no rsETH exposure and remains more than 101% overcollateralized. The stablecoin issuer said the pause would last roughly six hours while the root cause is identified.
Kelp, a product under the KernelDAO umbrella, acknowledged the incident in its first public X post at 20:10 UTC, nearly three hours after the drain. The protocol said it was investigating with LayerZero, Unichain, its auditors and outside security specialists. It has not disclosed how the exploit bypassed the bridge’s validation logic.
Whether rsETH holds peg through the weekend depends on how much of the cross-chain float tries to redeem into ETH on Ethereum and whether Kelp can recover any portion of the stolen funds before the Tornado Cash trail goes cold.
The hack lands in an unusually hostile stretch for DeFi. Solana-based perpetuals protocol Drift was drained of about $285 million on April 1 in an attack later linked to North Korea-affiliated actors, and at least a dozen smaller protocols have been exploited in the weeks since, including CoW Swap, Zerion, Rhea Finance and Silo Finance.
Kelp’s $292 million loss is now the largest DeFi exploit of 2026, overtaking Drift by a few million dollars.
