Multiple on-chain security companies and industry sleuths reported late on Saturday that the liquid restaking protocol KelpDAO had fallen victim to a major hack in which the perpetrators drained nearly $300 million.
The team behind the project confirmed the incident hours later, and added that they have partnered with LayerZero, Unichain, their auditors, and ‘top security experts’ to resolve the issue.
The Biggest Hack of 2026
Cyvers was among the security resources that detected the breach in its initial phase and later provided a more detailed explanation of what happened. According to a post they shared with クリプトポテト, the attacker exploited the protocol’s bridge contract and siphoned roughly $293.7 million from its liquid restaking token, rsETH.
The bad actor moved quickly after taking hold of the funds and swapped them into ETH. They spread them across Ethereum and Arbitrum, with the on-chain activity showing that the attacker split the funds into two batches: $178 million on the former and $72 million on the layer-2 chain.
The stolen rsETH was deposited into lending protocols like Aave V3, Compound V3, and Euler. By using the illicitly obtained funds, they borrowed substantial amounts of WETH, creating more than $236 million in debt.
Cyvers explained that an attacker can end up creating unbacked rsETH and then use it to borrow real assets like ETH, which is “exactly how this kind of exploit blows up so fast.” The security experts added that this immediately became a cross-protocol contagion event, not just a single protocol exploit. Such assets that are deeply integrated across lending, vaults, and liquidity protocols are particularly susceptible to similar incidents, and one failure “does not stay contained.”
“It spreads instantly, creating bad debt, forcing market freezes, and impacting multiple platforms at once.”
Aave V3 froze rsETH markets, SparkLend froze exposure, while Fluid, Compound, Euler, and others moved to contain risk. Cyvers said that at least 9 protocols were affected.
KelpDAO Talks
The project’s official X account confirmed the breach after they had “identified suspicious cross-chain activity involving rsETH.” They said they paused those contracts across the mainnet and several layer-2s as the investigation continued.
Although they are working with LayerZero, Unichain, auditors, and other security experts on the matter, there hasn’t been another update in the past 10 hours as of press time on what’s next and what users might expect.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you…
— Kelp (@KelpDAO) April 18, 2026
KelpDAO’s hack became the largest in the industry so far in 2026, surpassing the previous ‘record-holder’, Drift Protocol, whose exploit was for $280 million.
ポスト The Biggest Hack of 2026: What We Know About the $294M KelpDAO Exploit に初登場した。 クリプトポテト.
日本語 
English 
Română 
Eesti 
한국어 
Русский 
Deutsch 
Español 
简体中文 
Français 
繁體中文 
Português 
Italiano 
Polski 
Türkçe 
Nederlands 
Bahasa Indonesia 
Ελληνικά 
Українська 
Български 
Čeština 
Suomi 
Magyar 
Latviešu valoda 
Lietuvių kalba 
Norsk bokmål 
Slovenčina 
Slovenščina 
Svenska
コメントを残す