Kelp Restaking Hack Spreads Risk Across DeFi, $293M Drained

Nahid
Published: April 19, 2026

Summary:

  • Kelp's liquid restaking platform suffered a major exploit, with around $293 million drained.
  • The attack targeted the rsETH adapter bridge contract, prompting an immediate pause of smart contracts.
  • At least nine DeFi protocols were impacted, creating a wider "cross-protocol contagion."
  • Aave froze rsETH markets to limit further risk, while funds were rapidly converted to Ether.
  • The incident adds to a growing list of large-scale DeFi exploits in recent months.

The DeFi sector faced another major shock this weekend after the Kelp DAO platform confirmed suspicious activity tied to its restaking token, rsETH. Within hours, what initially looked like an isolated issue turned into a large-scale exploit affecting multiple protocols. Kelp moved quickly to contain the situation. In its statement, the team said:

"Earlier today, we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several Layer-2s"

The exploit targeted the rsETH adapter bridge contract - a key component responsible for moving the token across different chains. Once compromised, it allowed the attacker to manipulate and drain funds tied to the system. Blockchain security firm Cyvers provided a clearer picture of the scale. According to its real-time monitoring, the attacker managed to extract roughly $293 million from the protocol.

"🚨 $293M EXPLOIT DETECTED: Cyvers AI systems have identified a massive attack on @KelpDAO. Our platform flagged the breach in real-time, tracking ~$293.7M drained from the protocol's RSETH Adapter. Currently, ~$250M has already been swapped to $ETH and is held across two chains"

The speed of the attack stood out. A large portion of the funds was quickly converted into Ethereum, making recovery more difficult. The attacker reportedly used a wallet funded through Tornado Cash, a tool often associated with obfuscating transaction trails.

Contagion Spreads Across DeFi

Because rsETH is integrated into multiple protocols, the exploit didn't stay contained within Kelp. It quickly spread into what analysts described as a "cross-protocol contagion." At least nine platforms were exposed to the token in some form, forcing them to react almost immediately. One of the most notable responses came from Aave, which froze rsETH-related activity across its lending markets.

"The rsETH markets on Aave V3 and Aave V4 have been frozen. Aave's contracts have not been exploited and this is an exploit related to rsETH. The freeze follows an exploit of the Kelp DAO rsETH bridge. Freezing the rsETH markets prevents new deposits and borrowing against rsETH collateral while the situation is assessed."

This kind of response highlights how interconnected DeFi has become. Assets like rsETH are often used as collateral, liquidity, or yield-bearing instruments across multiple platforms. When one part breaks, the effects can spread quickly. In simple terms, it's similar to a chain reaction. If a token used as collateral suddenly loses trust or value, it can trigger liquidations, freezes, or liquidity issues elsewhere. That's exactly what protocols tried to avoid by pausing activity early. Still, the incident raises a bigger question about how risk is managed across DeFi. While composability - the ability for protocols to connect and build on each other - is one of the space's biggest strengths, it also creates shared points of failure.

A Pattern Emerging in DeFi Exploits

The Kelp incident follows a series of major exploits that have hit the industry in recent months, including the $280 million breach at Drift Protocol. That attack, according to the Drift team, involved months of preparation and possible infiltration by sophisticated actors. While the technical details differ, the pattern is becoming familiar - attackers are targeting complex infrastructure layers like bridges, adapters, and cross-chain systems. These components are often the most difficult to secure. They handle communication between different blockchains, which adds layers of complexity and potential vulnerabilities.

In the case of Kelp, early indications suggest the attacker exploited how the bridge verified or processed messages, allowing unauthorized control over token flows. While investigations are still ongoing, the structure of the attack points to a deeper issue with cross-chain design. For users, the impact is immediate - funds are locked, protocols pause operations, and uncertainty spreads. For developers and platforms, it's another reminder that security assumptions need constant review. At the same time, the response from protocols shows some level of maturity. Rapid freezes, coordinated communication, and real-time monitoring helped prevent further damage. But that doesn't fully offset the scale of the loss.

Where This Leaves Restaking and DeFi

Liquid restaking has grown quickly over the past year, offering users ways to earn additional yield on staked assets. Tokens like rsETH are central to that model, acting as representations of staked value that can be used elsewhere in DeFi. But this incident puts that model under pressure. When restaked assets are layered across multiple protocols, they create efficiency - but also risk concentration. A single exploit can impact not just one platform, but an entire network of integrations. That doesn't mean the model is broken. But it does mean the margin for error is smaller than it looks.

For now, Kelp has paused operations and is investigating the exploit. The broader ecosystem is doing the same - assessing exposure, limiting damage, and trying to understand how the attack happened in the first place. And as always in DeFi, the real test comes after the incident. How quickly systems recover, how transparently teams communicate, and how effectively risks are addressed will shape what happens next.

About the Author

Nahid

Nahid is a contributor at CotiNews from Bangladesh, covering developments across the COTI ecosystem. His work focuses on breaking down complex updates, technical concepts, and ecosystem news into clear, accessible stories for a wider audience.

Disclaimer

The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official stance of CotiNews or the COTI ecosystem. All content published on CotiNews is for informational and educational purposes only and should not be construed as financial, investment, legal, or technological advice. CotiNews is an independent publication and is not affiliated with coti.io, coti.foundation or its team. While we strive for accuracy, we do not guarantee the completeness or reliability of the information presented. Readers are strongly encouraged to do their own research (DYOR) before making any decisions based on the content provided. For corrections, feedback, or content takedown requests, please reach out to us at contact@coti.news.