Kelp DAO exploited for $292 million with wrapped ether stranded across 20 chains

A cross-chain bridge holding nearly a fifth of a restaked Ethereum token's circulating supply has just been drained, and the impact is spreading across DeFi faster than Kelp DAO's contract pause.

At 17:35 UTC on Saturday, an attacker drained 116,500 rsETH (recollateralized Ethereum) from Kelp DAO’s LayerZero-powered bridge, worth about $292 million at current prices and about 18% of the 630,000 token circulating supply of rsETH tracked by CoinGecko.

LayerZero is a cross-chain messaging layer, or the infrastructure that lets different blockchains send verified instructions to each other. Kelp DAO is a liquidity restaking protocol that accepts user-deposited ETH, routes it through EigenLayer to earn additional yields on top of standard Ethereum staking rewards, and issues rsETH as tradable receipts.

The drained bridge holds the rsETH reserves that back wrapped versions of the token deployed on over 20 other blockchains.

The attacker tricked LayerZero’s cross-chain messaging layer into believing that valid instructions had arrived from another network, triggering Kelp’s bridge to release 116,500 rsETH to an attacker-controlled address.

Kelp’s emergency pauser multisig froze the protocol’s core contracts at 18:21 UTC, 46 minutes after the successful drain. Two subsequent attempts at 18:26 and 18:28 UTC reverted; each carried the same LayerZero packet and tried to drain another 40,000 rsETH, worth approximately $100 million.

rsETH is deployed on more than 20 networks, including Base, Arbitrum, Linea, Blast, Mantle and Scroll, and uses LayerZero’s OFT standard to handle cross-chain movements.

The rsETH held in the bridge is the reserve backing the wrapped versions on every layer 2 blockchain, the networks that run on top of Ethereum.


With the reserves depleted, holders on non-Ethereum deployments now face the question of whether anything still backs their tokens. That creates a feedback loop in which panic redemptions on L2s put pressure on the unaffected Ethereum supply, potentially forcing Kelp to unwind and re-hold positions to honor withdrawals.

The contagion list is long and growing.

Aave froze the rsETH market on V3 and V4 within hours, and founder Stani Kulechov confirmed that the exploit was external and that Aave’s contracts were not compromised. SparkLend and Fluid also froze their rsETH markets.

AAVE fell about 10% as the market priced in potential bad debt.

Lido Finance has suspended further deposits into its EarnETH product, which carries rsETH exposure, while clarifying that stETH and wstETH are not affected and that the core Lido staking protocol has nothing to do with the incident.

As a precautionary measure, Ethena has temporarily suspended its LayerZero OFT bridge to the Ethereum mainnet, saying it has no rsETH exposure and that the overcollateralization rate remains above 101%. The stablecoin issuer said the pause will last approximately six hours until the root cause is determined.

Kelp, a product of KernelDAO, acknowledged the incident in its first public X post at 20:10 UTC, nearly three hours after the drain. The protocol said it is conducting an investigation with LayerZero, Unichain, its auditors and external security experts. It did not disclose how the exploit bypassed the bridge’s validation logic.

Whether rsETH remains pegged over the weekend depends on how much cross-chain float attempts to redeem for ETH on Ethereum, and whether Kelp can recover any portion of the stolen funds before the Tornado Cash trail disappears.


This hacking attack has had an unusually negative impact on DeFi. Solana-based perpetual protocol Drift was robbed of approximately $285 million on April 1 in an attack linked to North Korea, and at least a dozen smaller protocols have been exploited in the weeks since, including CoW Swap, Zerion, Rhea Finance, and Silo Finance.

Kelp’s $292 million loss is now the largest DeFi breach of 2026, surpassing Drift by millions.
