$300M Kelp DAO Exploit Triggers DeFi Liquidity Crisis

4/20/2026
by Denislav Manolov
Crypto Expert at Airdrops.com

Exploit Hits Kelp DAO’s rsETH Bridge

Less than 24 hours after attackers targeted infrastructure linked to Kelp DAO, the fallout spread far beyond the initial breach. The exploit centered on a cross-chain bridge built on LayerZero, which enables the transfer of rsETH, a liquid staking token, between networks.

According to on-chain data flagged by PeckShield, around 116,500 rsETH, valued at roughly $291 million, was moved to a fresh wallet shortly before the situation escalated.

At the same time, Kelp DAO confirmed it had paused all rsETH contracts across Ethereum mainnet and multiple layer-2 networks, signaling that something had gone seriously wrong inside the bridge mechanism.

The Real Attack Vector: Draining Aave

What makes this exploit different is how the attacker extracted value.

Instead of simply walking away with bridged assets, the attacker used the compromised rsETH to interact with Aave, one of the most established lending platforms in crypto.

By depositing the manipulated rsETH as collateral, the attacker borrowed real assets from Aave, effectively turning synthetic or improperly issued tokens into actual liquidity.

Francesco Andreoli from Consensys described the result as “massive bad debt.”

This is where the damage truly began.

Liquidity Collapse: Aave Hits 100% Utilization

As the borrowed funds drained liquidity, Aave’s lending pools started to lock up.

Data showed that the utilization rate for a core pool spiked to 100%, meaning there was no liquidity left for users trying to withdraw.

Depositors who had supplied ETH or wrapped ETH suddenly found themselves stuck, unable to access their funds. In response, Aave moved quickly to freeze markets tied to rsETH, attempting to contain the damage before it spread further.

Secondary Effects Make Things Worse

The situation didn’t stabilize; it escalated.

Users who couldn’t withdraw began borrowing stablecoins against their locked positions, trying to create liquidity manually. According to monetsupply.eth from Spark, this behavior created “negative secondary effects”, adding even more stress to already drained pools.

Meanwhile, panic spread across the ecosystem.

$6.2 Billion Exit: DeFi Contagion Begins

The exploit didn’t stay isolated to Kelp DAO or Aave.

According to data shared by DefiLlama, users withdrew a staggering $6.2 billion from Aave in a short period as fear took over.

Even protocols that had no direct exposure to the exploit saw heavy outflows, showing how quickly confidence can break in DeFi once liquidity risk appears.

Salman Banei from Plume summed up the broader reaction: “a lot of ammo” for critics of DeFi systems.

How the Exploit Likely Worked

Early analysis points to a single point of failure inside the bridge logic.

Blockchain researcher Stacy Muur explained that the attacker used a “phantom message” to trick the system.

This allowed the bridge to release rsETH on Ethereum without properly removing or locking the corresponding tokens on another chain, specifically the Ethereum layer-2 network Unichain.

In simple terms, the attacker created a situation where:

  • tokens were minted or unlocked improperly
  • collateral appeared valid
  • but underlying backing didn’t exist

That mismatch is what enabled the attacker to extract real funds from Aave.
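The mismatch described above is something a bridge operator or a lending protocol that accepts bridged collateral can monitor for. The following is an added example, not code from Kelp DAO, LayerZero or Aave: it reconciles release events on the destination chain against lock/burn events on the source chain and flags anything unbacked. The event fields (`msg_id`, `amount`) and all sample data are hypothetical and constructed for illustration.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample events (not real chain data). Field names are hypothetical.
SOURCE_LOCKS = [  # lock/burn events observed on the source chain (e.g. an L2)
    {"msg_id": "0xa1", "amount": Decimal("10")},
    {"msg_id": "0xa2", "amount": Decimal("25.5")},
    {"msg_id": "0xa3", "amount": Decimal("4")},
]
DEST_RELEASES = [  # release/mint events observed on the destination chain
    {"msg_id": "0xa1", "amount": Decimal("10")},
    {"msg_id": "0xa2", "amount": Decimal("30")},    # more than was locked
    {"msg_id": "0xa3", "amount": Decimal("4")},
    {"msg_id": "0xa3", "amount": Decimal("4")},     # same message delivered twice
    {"msg_id": "0xff", "amount": Decimal("1000")},  # no source event at all
]

def find_unbacked_releases(locks, releases):
    """Return (msg_id, reason, unbacked_amount) for every release that is not
    covered by a matching lock/burn on the source chain."""
    locked = {e["msg_id"]: e["amount"] for e in locks}
    seen = Counter()
    findings = []
    for r in releases:
        mid, amt = r["msg_id"], r["amount"]
        seen[mid] += 1
        if mid not in locked:
            # Destination acted on a message the source chain never emitted.
            findings.append((mid, "no_source_event", amt))
        elif seen[mid] > 1:
            # A valid message was honoured more than once.
            findings.append((mid, "replayed_message", amt))
        elif amt > locked[mid]:
            # Only the excess over the locked amount is unbacked.
            findings.append((mid, "amount_mismatch", amt - locked[mid]))
    return findings

def unbacked_total(findings):
    """Sum of released tokens with no backing; any non-zero value is an alert."""
    return sum((f[2] for f in findings), Decimal("0"))

if __name__ == "__main__":
    results = find_unbacked_releases(SOURCE_LOCKS, DEST_RELEASES)
    for finding in results:
        print(finding)
    print("unbacked total:", unbacked_total(results))
```

A non-zero unbacked total is the signal on which a downstream protocol would want to freeze the asset as collateral before borrowing against it can occur.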

Market Impact Hits Fast

The market reacted immediately.

Aave’s governance token dropped to $90.13, down 16% in 24 hours, while Ethereum slipped roughly 2%, reflecting broader concern around DeFi risk exposure.

At the same time, rsETH itself, normally a stable representation of staked ETH, became a source of systemic risk instead of yield.

What rsETH Actually Represents

To understand the scale of the issue, it’s important to look at the asset at the center of it.

rsETH is issued by Kelp DAO as a liquid staking receipt, allowing users to earn rewards from Ethereum staking and EigenLayer restaking while still maintaining liquidity.

Under normal conditions, it acts as a composable DeFi asset.

In this case, that composability turned into a vulnerability.

Emergency Responses and Unusual Moves

As the situation unfolded, responses ranged from technical containment to public negotiation.

Kelp DAO paused contracts and began investigating. Aave froze affected markets. But one of the more unusual reactions came from Justin Sun, who publicly addressed the attacker:

“How much [do] you want? It’s simply not worth it…”

The message reflects a growing reality in crypto: sometimes recovery depends as much on negotiation as on code.

A Structural Weakness Exposed

This incident highlights a critical pattern in DeFi: bridges + composability = amplified risk.

A single vulnerability in a bridge didn’t just affect one protocol. It:

  • created synthetic collateral
  • drained a major lending platform
  • triggered liquidity freezes
  • caused billions in withdrawals

Even battle-tested systems like Aave were pulled into the blast radius.

The Kelp DAO exploit is another reminder that in DeFi, the weakest component defines the risk of the entire system.
