The attack unfolded on Saturday, 18th April 2026, at 17:35 UTC. The perpetrators cleverly exploited Kelp DAO's bridge, which relies on LayerZero's cross-chain messaging infrastructure. They successfully tricked the system into authenticating a fraudulent instruction, leading to the transfer of a substantial amount of rsETH to an address under their control.
Kelp DAO’s rsETH is a receipt token issued to users who deposit Ethereum (ETH) for 'liquid restaking.' This process allows users to earn additional yield on top of standard Ethereum staking rewards through EigenLayer. The drained bridge held the crucial reserves that backed wrapped versions of rsETH across more than 20 different blockchains, including major networks like Base, Arbitrum, Linea, Blast, Mantle, and Scroll.
The immediate aftermath of the exploit saw a rapid response from various DeFi protocols. Aave, SparkLend, and Fluid, among others, initiated market freezes to mitigate potential broader contagion. This highlights the interconnected nature of the DeFi landscape and the domino effect such large-scale hacks can have.
Concerns are now mounting regarding the stability of the rsETH peg and Kelp DAO's ability to facilitate redemptions. With the reserves backing wrapped rsETH on numerous layer 2 networks now depleted, the integrity of these assets for holders outside the Ethereum mainnet is under intense scrutiny. This incident underscores the inherent risks associated with cross-chain bridges and the critical need for robust security measures.
Following the initial drain, Kelp's emergency pauser multisig successfully froze the protocol's core contracts within 46 minutes at 18:21 UTC. Two subsequent attempts by the attacker to drain an additional 40,000 rsETH, valued at approximately £80 million, were thwarted, demonstrating the swift action taken by the protocol to limit further damage. This incident serves as a stark reminder of the persistent threats within the DeFi space and the constant battle between innovation and security.
