A $292 million exploit at KelpDAO caused a broad pullback across the decentralized finance sector this weekend, wiping out about $10 billion from the DeFi industry and forcing multiple protocols to freeze markets tied to rsETH.
The breach began late Saturday when an attacker drained approximately 116,500 rsETH from KelpDAO’s chain bridge. The stolen tokens were worth approximately $292 million at the time CryptoSlate facts.
KelpDAO issues rSETH to users who deposit ETH into its liquid withdrawal system. The platform then stakes this ETH via the resttaking platform EigenLayer to generate additional returns on top of the standard stake returns.
KelpDAO’s loss now ranks as the largest DeFi exploit of 2026 in the report, surpassing previous attacks this year.
How KelpDAO was operated for $292 million
rsETH circulates across the broader market via LayerZero, a cross-chain messaging network that moves instructions and assets between blockchains.
Yearn Finance core developer Banteg explained that the exploit reached the route connecting Unichain to the Ethereum mainnet.
According to the on-chain analyst, the attacker pushed a fraudulent message that the system accepted as valid, prompting the Ethereum-side adapter to release pre-funded rsETH reserves.
This route was configured as a one-to-one decentralized verifier network path with no secondary verifiers that could have flagged the transaction.
Banteng stated that the malicious transaction, identified as nonce 308, was verified and delivered at 17:35 UTC.
After the attack, the KelpDAO’s multi-signature contingency wallet froze the protocol’s core contracts. This blocked two more attempts that together could have removed about another $100 million worth of rsETH.
The initially stolen money was moved through Tornado Cash, obscuring the trail before the protocol’s response could contain the damage.
Meanwhile, depleted reserve-backed packaged rsETH circulated across secondary networks including Base, Arbitrum, Linea, Blast, Mantle, and Scroll. Once these reserves were depleted, users holding Ethereum rETH faced increasing uncertainty about redemption and support.
And that pressure was soon extended to the rest of the market.
Aave takes the hardest blow
The strongest aftershock hit Aave, the largest crypto lending platform, where the attacker is said to have deposited the stolen rsETH as collateral.
During the attack period, Aave’s price oracles continued to read rsETH near its normal peg, allowing the protocol to issue 106,467 ETH against the compromised collateral.
This left the platform facing potential bad debt exposure worth $236 million, leading to an exit rush.
Facts from DeFiLlama showed that the total value of Aave dropped from over $26 billion to around $20 billion as users withdrew funds.
The pullback amounted to one of the sharpest pullbacks on the platform in recent history and turned a bridging exploit into a liquidity event for the largest lending platform in DeFi.
On-chain analysts revealed that major ETH holders on the DeFi platform accelerated the move.
For context: TRON founder Justin Sun reportedly has withdrawn more than 65,580 ETH in one transaction, worth approximately $154 million.
As these types of withdrawals increased, Aave’s ETH usage rate reached 100%, leaving all available Ether on the platform, either borrowed or withdrawn.
Meanwhile, the pressure also affected the market price of Aave. The AAVE governance token fell more than 18% as traders priced in the possibility of bigger losses.
This was further exacerbated by heavy selling of large AAVE portfolios. Blockchain analytics platform Lookonchain reported that one entity, identified as smaugvision, sold more than 20,000 AAVE for $2.06 million, while another investor sold a similar amount for $2.05 million. A third whale sold almost 19,700 AAVE in exchange for wrapped Bitcoin and ETH.
In response to these issues, Aave froze the rsETH markets on both V3 and V4. The founder of the platform Stani Kulechov declared on X:
“rsETH is frozen on Aave V3 and V4, the asset does not have any borrowing power as a benchmark due to the KelpDAO bridge exploit that occurred outside of Aave. Both Aave V3 and V4 have no further exposure to rsETH.”
Contagion is spreading across DeFi
In addition to Aave, other DeFi protocols also experienced significant withdrawals of their platforms as a result of the attack.
0xngmi, the pseudonymous founder of DeFiLlama, reported that the incident caused a $10 billion drop in the DeFi sector. This includes the $6 billion exodus from Aave.
Notably, data from DeFiLlama shows that TVL for DeFi protocols has fallen 10%, from approximately $99 billion on April 18 to $89 billion at the time of writing.
Meanwhile, the incident has also led to several DeFi platforms taking swift action to reduce their exposure to the controversial rsETH token.
DeFi analyst Ignas marked eight additional DeFi protocols, including Lido, SparkLend, Fluid, Compound, and Euler, froze their rSETH lending markets.
He added:
“I imagine LayerZero is probably also affected because rsETH was shunted from L2s, so I wonder if those rsETH on L2s aren’t worthless at this point.”
Meanwhile, Ethena, the developer of the synthetic US Dollar, has temporarily suspended its LayerZero bridges as a precaution while to report that it had no exposure to rsETH.
These moves reflected how widely rsETH was embedded in DeFi, as it was heavily used in credit markets, vault products, and collateral strategies that relied on smooth interchain transfers and reliance on reserve backing.
As that confidence waned, protocols shifted to shielding risks before further pullbacks or price dislocations could compound the damage.
The tension also exposed the speed with which capital can move once the quality of collateral is questioned. A bridging exploit in one location was enough to send shockwaves through multiple markets within hours, forcing platforms to suspend operations even if their own contracts had not been directly violated.
Crypto community calls for solution to DeFi bridge hacks
Jonathan Man, Head of Multi-Strategy Solutions & DeFi Strategies at Bitwise, said:
“This is another setback, but we can bounce back stronger. We as an industry must improve collectively to ensure we build the future of finance on a solid foundation.”
Meanwhile, the KelpDAO exploit also sparked a broader discussion about how lending protocols and token issuers can limit the damage from hacks that target bridged or thinly traded assets.
Keone Hon, co-founder of Monad, said Pooled lending protocols should consider imposing interest rate limits on the rate at which assets can be deposited and used as collateral.
Under that model, an asset with a current circulating supply of $100 million and a formal cap of $300 million wouldn’t be able to jump to the full cap in one fell swoop. Instead, the supply in the system would gradually increase over a period of time, such as 10 minutes or a few hours.
Hon said this approach would reduce the available exit paths when an exotic asset is exploited, especially in cases involving infinite bugs.
He argued that the size of the loss is often determined less by the currency itself than by how much of the compromised assets can be offloaded to credit platforms or other liquid exits before markets react.
In that context, large credit protocols become the main outlet, because decentralized exchange liquidity is often too limited to absorb a large exploit.
He added that asset issuers should also have an interest in stricter limits, especially when issuing receipts with delayed repayment. In those cases, the issuer is not necessarily exposed to immediate redemption pressure from an attacker, but still benefits when downstream exit routes remain limited.
Hon pointed to the Hyperbridge DOT exploit and the Resolv incident as examples where losses remained at more catastrophic levels because the available paths to exit the compromised asset were limited.
Guy Young, founder of Ethena, endorsed That position and the said issuers should consider adding rate caps to the coin and redemption layer, as well as custom caps on top of LayerZero’s OFT standard.