Kelp DAO Exploited for Nearly $300 Million in Major DeFi Attack
Severity: High (Score: 66.2)
Sources: Dlnews, Theblock.Co
Summary
On April 18, 2026, Kelp DAO's LayerZero-powered cross-chain bridge was exploited, resulting in the theft of approximately 116,500 rsETH, valued at around $292 million. The attack was initiated by an attacker-controlled wallet that triggered the bridge contract to release the funds. The attacker funded their wallet using Tornado Cash, a common obfuscation tool in decentralized finance (DeFi) exploits. Kelp DAO responded by pausing all rsETH contracts to prevent further losses. The exploit represents about 18% of the circulating supply of rsETH, which is deployed across multiple networks. Following the incident, the price of AAVE dropped by 10%, raising concerns about potential bad debt linked to the exploit. This marks the second significant security incident for Kelp DAO in a year, following a previous bug in April 2025 that did not result in user fund losses. The situation remains under investigation, and Kelp DAO has not yet issued a detailed public statement. Key Points: • Kelp DAO lost approximately $292 million in a cross-chain bridge exploit. • The attacker used Tornado Cash to obfuscate the source of funds. • Kelp DAO paused all rsETH contracts to mitigate further losses.