Kelp DAO’s $292M Bridge Exploit Triggers DeFi Contagion Across Nine Protocols

An attacker drained 116,500 rsETH tokens worth approximately $292 million from Kelp DAO’s LayerZero-powered bridge on Saturday, April 18, triggering emergency freezes across at least nine DeFi protocols. The exploit, confirmed by blockchain security firm Cyvers, is the largest single hack of 2026 and it did not stay contained. It never does.

How the Attack Unfolded in 46 Minutes

The breach began at 17:35 UTC. The attacker called LayerZero’s EndpointV2 contract, manipulating Kelp’s cross-chain messaging system into treating fraudulent instructions as legitimate, and the bridge released funds directly to attacker-controlled wallets. Roughly $250 million of the stolen rsETH was then swapped for ETH and distributed across Ethereum and Arbitrum, with the funding wallet traced back to Tornado Cash. Kelp’s emergency pauser multisig froze core contracts at 18:21 UTC, 46 minutes after the initial drain, blocking two follow-up attempts that would have extracted another 40,000 rsETH and pushed total losses toward $391 million.

The attacker deposited stolen rsETH into Aave V3, Compound V3, and Euler as collateral, borrowing substantial amounts of WETH against it and generating more than $236 million in bad debt across those platforms. Cyvers CEO Deddy Lavid described it as a textbook cross-protocol contagion event. Aave froze rsETH markets across both its V3 and V4 deployments. SparkLend, Fluid, and Upshift followed. Kelp’s first public statement arrived at 20:10 UTC, nearly three hours after the attack began.

Market OverviewTop 10 by market cap

1Bitcoin BTC$61,849.00▲0.94%

2Ethereum ETH$1,640.87▲0.08%

3Tether USDT$0.9992▼0.02%

4BNB BNB$591.12▲0.74%

5USDC USDC$0.9999▲0.00%

6XRP XRP$1.12▼1.02%

7Solana SOL$64.81▲0.46%

8TRON TRX$0.3220▲0.27%

9Figure Heloc FIGR_HELOC$1.03▲0.49%

10Dogecoin DOGE$0.0843▼0.26%

Prices via CoinGecko · Updated just now

AAVE Token Takes a 22% Hit as Whales Exit

Markets priced in the bad debt exposure fast. AAVE’s token, which had just days ago been the subject of a landmark revenue-sharing governance vote, peaked near $120 before the exploit and crashed to $92 by Sunday morning, a 22% top-to-bottom decline, and is currently trading at $92.6, down 19.4% over 24 hours. Lookonchain data identified three whales offloading a combined $6 million in AAVE for USDC and ETH during the selloff, accelerating the drawdown. The token has dropped out of the top 50 altcoins by market cap, which now sits just above $1.4 billion. Aave said publicly it would “explore paths to offset the deficit” if bad debt accumulates, which is the kind of careful language protocols use when they don’t yet know how bad the number is.

The stolen 116,500 rsETH represents approximately 18% of the token’s entire circulating supply, with rsETH deployed across more than 20 networks including Base, Arbitrum, Linea, Blast, and Scroll. With the bridge contract’s reserve backing gone, holders on those layer 2 chains now face real questions about redemption. Cointelegraph reported that Cyvers characterised the event as an immediate cross-protocol contagion, not a single-protocol failure. That framing matters. DeFi composability is the product. Shared collateral across twenty chains is also, it turns out, shared catastrophe.

This is 2026’s largest crypto exploit, surpassing the $285 million Drift Protocol hack attributed to North Korean actors on April 1. Combined losses from exploits across more than ten protocols in two weeks have now exceeded $600 million. Kelp has not confirmed a root cause. Sentiment does not wait for root causes.