A cross-chain bridge that holds nearly a fifth of a resumed ether token’s circulating supply has just been drained, and the fallout is moving through DeFi faster than the Kelp DAO can pause contracts.
An attacker drained 116,500 rsETH (reclaimed ether) from Kelp DAO’s LayerZero powered bridge at 17:35 UTC Saturday, worth about $292 million at current prices and representing about 18% of rsETH’s 630,000 supply circulating at the Coin token.
LayerZero is a cross-chain messaging layer, or the infrastructure that lets different blockchains send confirmed instructions to each other. Kelp DAO is a floating restaking protocol that takes user-deposited ETH, routes it through EigenLayer to earn extra dividends on top of standard Ethereum stake rewards, and issues rsETH as a tradable receipt.
The bridge that was drained contained the rsETH reserve backing wrapped versions of the token installed on more than 20 other blockchains.
The attacker tricked LayerZero’s cross-chain messaging layer into thinking a valid instruction had arrived from another network, triggering Kelp’s bridge to release 116,500 rsETH to an attacker-controlled address.
Kelp’s emergency pause multisig froze the protocol’s core contracts 46 minutes after the successful drain, at 18:21 UTC. Two follow-up attempts at 18:26 UTC and 18:28 UTC both returned, each with the same LayerZero package attempting another 40,000 rsETH drain worth approx. $100 million.
rsETH is deployed across more than 20 networks, including Base, Arbitrum, Linea, Blast, Mantle and Scroll, with LayerZero’s OFT standard handling the cross-chain movement.
The rsETH held in the bridge were the reserve backing wrapped versions on each layer 2 blockchain or network that runs on top of Ethereum.
With this reserve drained, holders on non-Ethereum implementations now face the question of whether their tokens have anything underneath them, creating a feedback loop where panic redemptions on L2s squeeze the unaffected Ethereum supply, potentially forcing Kelp to liquidate recapture positions to honor withdrawals.
The list of infections is long and still growing.
Aave froze the rsETH markets on V3 and V4 within hours, with founder Stani Kulechov confirming that the exploit was external and Aave’s contracts were not compromised. SparkLend and Fluid froze their rsETH markets.
AAVE fell about 10% as the market priced in potential losses on receivables.
Lido Finance paused further deposits into its earnETH product, which carries rsETH exposure, while clarifying that stETH and wstETH are unaffected and that the central Lido staking protocol is not involved in the incident.
Athena temporarily paused its LayerZero OFT bridges from the Ethereum network as a precaution, saying it has no rsETH exposure and remains more than 101% oversecure. The stablecoin issuer said the outage would last about six hours while the cause is identified.
Kelp, a product under the KernelDAO umbrella, acknowledged the incident in its first public X post at 20:10 UTC, almost three hours after the drain. The protocol said it investigated with LayerZero, Unichain, its auditors and outside security specialists. It has not revealed how the exploit bypassed the bridge’s validation logic.
Whether rsETH holds onto the weekend will depend on how much of the cross-chain float tries to redeem for ETH on Ethereum and whether Kelp can recover any portion of the stolen funds before the Tornado Cash trail goes cold.
The hack lands in an unusually hostile stretch for DeFi. The Solana-based perpetuals protocol Drift was drained of about $285 million on April 1 in an attack later linked to North Korea-linked actors, and at least a dozen smaller protocols have been exploited in the weeks since, including CoW Swap, Zerion, Rhea Finance and Silo Finance.
Kelp’s $292 million loss is now the biggest DeFi exploit in 2026, overtaking Drift by a few million dollars.
