Kelp DAO Exploit: $293M Drain from DeFi Bridge
Severity: High (Score: 66.0)
Sources: Tipranks, Cryptopotato, Theblock.Co, Dlnews, Mexc.Co
Summary
On April 18, 2026, Kelp DAO's rsETH bridge was exploited, resulting in the theft of approximately $293 million worth of rsETH. The attacker used a wallet funded through Tornado Cash, draining 116,500 rsETH from the LayerZero-powered cross-chain bridge. Following the exploit, Kelp DAO paused all rsETH contracts across Ethereum and multiple Layer-2 networks to prevent further losses. Aave also froze rsETH markets on its platforms in response to the incident. The exploit represents a significant risk to the DeFi ecosystem, affecting at least nine protocols. The attacker has reportedly converted around $250 million of the stolen assets to ETH. This incident marks the largest single protocol hack of 2026 and highlights vulnerabilities in cross-chain bridge infrastructure. Kelp DAO is currently investigating the incident with assistance from security experts. As of now, the situation remains fluid, with potential liquidation risks for users holding rsETH collateral. Key Points: • Kelp DAO lost approximately $293 million in a cross-chain bridge exploit. • The attacker funded their wallet through Tornado Cash and converted stolen assets to ETH. • Aave and other protocols froze markets to mitigate the impact of the exploit.