Liquid restaking protocol Kelp DAO faced a large-scale attack that caused roughly $292 million in damages and triggered spillover disruption impacting the Aave lending protocol.
The exploit was first flagged by blockchain investigator ZachXBT at approximately 2:52 PM on April 18.
The attacker manipulated LayerZero’s cross-chain messaging layer, the verification system that confirms legitimate instructions between networks, into believing a valid transfer request had arrived from another chain.
The spoofed message triggered the unauthorized transfer of 116,500 rsETH, Kelp DAO’s Liquid Restaking Token, worth about $292 million, on-chain data shows.
The exploited amount represents around 18% of rsETH’s total circulating supply of approximately 630,000 tokens.
Kelp DAO confirmed on X that it had activated emergency safeguards, immediately stopped rsETH deposits and withdrawals, and was coordinating with LayerZero and Unichain.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you…
— Kelp (@KelpDAO) April 18, 2026
Where the stolen rsETH went
The incident escalated as stolen funds were moved into lending protocols including Aave V3, Compound V3, and Euler, where the attacker borrowed large amounts of wrapped ETH against collateral, building more than $236 million in debt positions.
On-chain data shows the attacker consolidated around 74,000 ETH post-exploit, generating over $280 million in bad debt across protocols.
In response, Aave suspended the rsETH markets on both Aave V3 and Aave V4. The project confirmed that its smart contracts were not compromised and that the issue originated from rsETH.
Aave also began reviewing rsETH-backed loans opened after the exploit to evaluate potential exposure. The team said they would explore measures to address any resulting bad debt.
The rsETH markets on Aave V3 and Aave V4 have been frozen. Aave’s contracts have not been exploited and this is an exploit related to rsETH.
The freeze follows an exploit of the Kelp DAO rsETH bridge. Freezing the rsETH markets prevents new deposits and borrowing against rsETH…
— Aave (@aave) April 18, 2026
SparkLend and Fluid took identical steps, with SparkLend reporting zero rsETH exposure and crediting its conservative risk posture.
Lido Finance paused deposits into its earnETH product, which carries rsETH exposure, while saying its core staking protocol and the stETH token were completely uninvolved.
[Lido Earn Disclosure] The Lido Earn team is aware of the developing situation with the Kelp DAO exploit. earnETH has exposure to rsETH.
As a precaution, further deposits into earnETH have been paused while the situation is assessed alongside relevant partners.
We will share…
— Lido (@LidoFinance) April 18, 2026
Ethena, the stablecoin issuer, temporarily shut down its own LayerZero bridges from the Ethereum mainnet as a precaution despite having no rsETH exposure and maintaining over 101% collateralization.
Out of an abundance of caution we are temporarily pausing our LayerZero OFT bridges from Ethereum mainnet until the root cause of the rsETH incident has been identified.
We expect the pause to last ~6 hours and will provide updates on this temporary pause as we receive them.
To… https://t.co/zqE6EQhJLf
— Ethena (@ethena) April 18, 2026
Aave’s token dropped about 10% on news of the attack, per CoinGecko.
A brutal stretch for DeFi
The attack is the largest DeFi exploit of the year to date, and it came weeks after Solana-based perpetuals protocol Drift Protocol was hit in a targeted administrative breach.
On April 1, Drift lost about $285 million in an attack later linked to North Korea-affiliated actors. At least a dozen smaller protocols have been hit in the weeks since, including CoW Swap, Zerion, Rhea Finance, and Silo Finance.


