Wu Blockchain reports that Kelp DAO has suffered a massive cross-chain exploit that drained approximately 116,500 rsETH, valued at nearly $292 million. The incident raises fresh concerns about the protocol’s security, coming less than a year after a previous disruption tied to a smart contract bug
Kelp DAO Response Prevents Additional Exploit Attempts
According to blockchain data, the attack on the Kelp DAO exploited a weakness in cross-chain communication, specifically targeting the bridge mechanism used to transfer assets across networks. The exploit was executed via a call to the “Iz Receive” function on LayerZero’s EndpointV2, which ultimately triggered the release of funds to an attacker-controlled wallet.
On-chain sleuth ZachXBT was among the first to uncover the breach, estimating losses exceeding $280 million across Ethereum and Arbitrum. The blockchain investigator also noted that the attack addresses had been initially funded via Tornado Cash, indicating a deliberate effort to conceal the funding sources for the highly coordinated attack.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you...
— Kelp (@KelpDAO) April 18, 2026
In response to this attack, Kelp DAO implemented an immediate halt to all rsETH contracts across its mainnet and connected L2 networks. The protocol also froze activity across its core contracts and systems that cover deposits, withdrawals, and oracle functions. According to Kelp DAO, an ongoing investigation is underway with LayerZero and Unichain.
Notably, the attacker attempted two additional transactions to drain another 40,000 rsETH, worth close to $100 million. However, Kelp DAO’s swift measures ensured both attempts failed, preventing losses from rising to $391 million.
Aave Freezes rsETH Contracts
In other news, the fallout has quickly spread beyond Kelp DAO, with lending protocols feeling immediate pressure. Aave, one of the largest DeFi lending platforms, responded by freezing rsETH markets across its V3 and V4 deployments.
However, Aave has clarified that its own smart contracts were not exploited, and the measure is purely precautionary to limit further debt exposure to rsETH as they assess the situation. Aave management is also committed to evaluating potential mitigation strategies if any bad debt emerges from the exploits.
The rsETH markets on Aave V3 and Aave V4 have been frozen. Aave's contracts have not been exploited and this is an exploit related to rsETH.
The freeze follows an exploit of the Kelp DAO rsETH bridge. Freezing the rsETH markets prevents new deposits and borrowing against rsETH...
— Aave (@aave) April 18, 2026
rsETH itself is a liquid restaking token designed to represent staked ETH while enabling users to earn additional yield through restaking strategies. It plays a key role in cross-chain DeFi, allowing capital to move seamlessly across multiple networks, including Arbitrum, Base, and Scroll. The scale of the exploit is particularly damaging as the stolen funds represent roughly 18% of rsETH’s total circulating supply, representing a significant hit to both liquidity and user confidence.
