A critical cross-chain exploit has rocked Kelp DAO, leading to the suspension of its protocol after attackers drained $292 million worth of rsETH in a single operation. The incident, attributed to a vulnerability linked to LayerZero integration, has triggered cascading effects across decentralized finance (DeFi) platforms connected to rsETH, forcing immediate emergency measures.
Massive rsETH drain prompts emergency freeze at Kelp DAO
Kelp DAO, a liquid restaking platform known for facilitating cross-chain rsETH transfers, confirmed the exploit took place at 17:35 UTC on Saturday. Attackers managed to extract approximately 116,500 rsETH, equivalent to around $292 million, through a targeted call to the “lzReceive” function within LayerZero’s EndpointV2 contract. This exploit persuaded Kelp’s bridge to release the assets to addresses under the attacker’s control.
Investigation revealed the plan was set in motion well in advance, with the attacker using Tornado Cash for funding roughly 10 hours before the breach, thereby enhancing transactional anonymity. Within an hour of the attack, Kelp DAO’s emergency team executed a full protocol pause, immediately halting key elements such as the rsETH token, LRT Deposit Pool, withdrawal modules, and oracle components to prevent further losses.
Following the main breach, the attacker attempted two additional drains, each worth about $50 million, but both were thwarted by the system’s suspended state. Without the intervention, total losses could have soared to nearly $391 million.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate. We are working with LayerZero, Unichain, our auditors and top security experts on RCA. We will keep you…
Kelp DAO, established as a protocol for liquid restaking and cross-chain DeFi access, operates across more than 20 blockchain networks, including Arbitrum, Base, and Scroll. Its rsETH token represents a significant share of the protocol’s total value locked (TVL), with about 630,000 tokens in circulation before the incident.
DeFi ripple effects: Aave freezes rsETH to prevent bad debt
The exploit’s fallout rapidly reached other platforms, particularly Aave—a major decentralized lending protocol. Concern over exposure to compromised rsETH liquidity prompted a freeze of all rsETH markets on both Aave V3 and V4. This move came after AAVE’s price slid by 10%, highlighting the market’s anxiety over potential bad debt risks.
The rsETH markets on Aave V3 and Aave V4 have been frozen. Aave’s contracts have not been exploited and this is an exploit related to rsETH. The freeze follows an exploit of the Kelp DAO rsETH bridge. Freezing the rsETH markets prevents new deposits and borrowing against rsETH…
Aave’s team reaffirmed that their smart contracts remained uncompromised, clarifying that the underlying issue was limited to the exploited rsETH asset. While discussions initially referenced potential recourse to the platform’s Umbrella safety module, subsequent updates indicated that options would be reassessed only if actual losses are realized through chained effects.
The stolen rsETH represents about 18% of the token’s circulating supply, amplifying concerns for both users holding the asset and protocols that use rsETH as collateral.
Recurring security troubles bring cross-chain bridge risks into focus
This marks the second major setback for Kelp DAO within twelve months. In April 2025, a bug affecting its fee contract led to unintended rsETH minting and triggered a temporary system pause, though no user funds were lost during that event.
Currently, rsETH is trading around $2,500, but price volatility has intensified amid uncertainty regarding Kelp DAO’s long-term stability. Co-founder Amitej Gajjala and the core team have yet to deliver detailed updates beyond ongoing technical investigations and collaborative efforts with LayerZero, Unichain, and external security experts.
The unprecedented scale of the exploit has spurred renewed debate about the inherent vulnerabilities in multi-chain bridge design across DeFi, with both users and protocols reevaluating their risk frameworks as officials pursue deeper forensic analysis and pursue recovery strategies.
