$292 Million Gone in 46 Minutes: DeFi's Biggest Hack of 2026

At 17:35 UTC on Saturday, an attacker sent a message. A fake one. Forty-six minutes later, $292 million in restaked ether was gone—and the wreckage was spreading across 20 blockchains faster than Kelp DAO could hit pause.

What Happened, Exactly

Kelp DAO is a liquid restaking protocol. Users deposit ETH, the protocol routes it through EigenLayer to earn additional yield on top of standard Ethereum staking rewards, and issues rsETH—a tradeable receipt token—in return. To make rsETH usable across the broader DeFi ecosystem, Kelp deployed it on more than 20 networks including Base, Arbitrum, Linea, Blast, Mantle and Scroll, using LayerZero's OFT standard to handle cross-chain movement.

The bridge holding rsETH reserves—the collateral backing every wrapped version of the token on every layer-2 network—was the attack surface.

The attacker forged a cross-chain message, convincing LayerZero's messaging layer that a valid instruction had arrived from another network. The bridge believed it. It released 116,500 rsETH to an attacker-controlled address. At current prices, that's roughly $292 million—approximately 18% of rsETH's entire circulating supply of 630,000 tokens.

Kelp's emergency multisig froze core contracts at 18:21 UTC, 46 minutes after the drain. Two follow-up attempts at 18:26 and 18:28 UTC both reverted—each carrying the same LayerZero packet trying to pull another 40,000 rsETH (~$100 million). The attackers pushed their luck. It didn't work the second time.

Kelp DAO's first public acknowledgment came at 20:10 UTC—nearly three hours after the exploit. The protocol said it was investigating alongside LayerZero, Unichain, its auditors, and outside security specialists. It has not yet disclosed how the bridge's validation logic was bypassed.

The Contagion Map

Sponsored

Advertise with Us

[email protected]

Sponsored

When the reserve backing rsETH across 20+ chains disappears, the question for every holder outside Ethereum mainnet becomes immediate and uncomfortable: does my token have anything underneath it?

That uncertainty triggered a cascade. Aave froze rsETH markets on both V3 and V4 within hours. Founder Stani Kulechov confirmed Aave's own contracts were untouched, but AAVE token fell roughly 10% as markets priced in potential bad debt exposure. SparkLend and Fluid froze their rsETH markets. Lido Finance paused further deposits into its earnETH product—which carries rsETH exposure—while clarifying that stETH, wstETH, and its core staking protocol are entirely unaffected.

Ethena moved preemptively, pausing its LayerZero OFT bridges from Ethereum mainnet for approximately six hours while the root cause was identified. The stablecoin issuer said it has no rsETH exposure and remains more than 101% overcollateralized—but paused anyway, a telling sign of how rattled the broader ecosystem was.

This now stands as the largest DeFi exploit of 2026, edging past the ~$285 million drained from Solana-based perpetuals protocol Drift on April 1 in an attack later linked to North Korea-affiliated actors.

Why Bridges Keep Breaking

This isn't a new story. Ronin ($625 million, 2022). Wormhole ($320 million, 2022). Nomad ($190 million, 2022). And now Kelp DAO. Cross-chain bridges are the most consistently exploited infrastructure in DeFi—and the reason is structural, not incidental.

A bridge is an interpreter between blockchains that speak different languages. The critical question it must answer is: is this instruction real? When the validation logic answering that question has a flaw—even a subtle one—an attacker can craft a message that looks legitimate enough to pass. LayerZero itself is widely regarded as robust messaging infrastructure. What likely failed here was the application layer sitting on top of it: Kelp's specific implementation of the bridge. The exact vulnerability hasn't been disclosed.

What makes 2026 particularly striking is the pace. CoW Swap, Zerion, Rhea Finance, Silo Finance—at least a dozen protocols have been exploited in recent weeks. Whether this reflects a coordinated campaign, opportunistic actors emboldened by a bull market, or simply the growing attack surface of an increasingly complex DeFi stack is still unclear.

For rsETH holders specifically, the immediate question is whether the peg holds through the weekend. That depends on how many cross-chain holders attempt to redeem into ETH on mainnet—and whether panic redemptions force Kelp to unwind restaking positions faster than it can manage. Any recovery of stolen funds before they're laundered through Tornado Cash would help, but the window is narrow.