On April 17, the liquid restaking protocol Kelp suffered a hacker attack, resulting in a loss of approximately $293 million.
🚨 $293M EXPLOIT DETECTED: Cyvers AI systems have identified a massive attack on @KelpDAO .
Our platform flagged the breach in real-time, tracking ~$293.7M drained from the protocol’s RSETH Adapter. Currently, ~$250M has already been swapped to $ETH and is held across two… pic.twitter.com/E2bnoZh0Eu
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) April 18, 2026
According to analysts at CyversAlerts, the attacker exploited a vulnerability in the cross-chain bridge of the rsETH token on the LayerZero platform. At 17:35 UTC, the perpetrator invoked the lzReceive function in the EndpointV2 contract, initiating the transfer of 116,500 rsETH to a personal address.
The funds for the attacker’s wallet were obtained through the crypto mixer Tornado Cash.
The Kelp team responded to the incident approximately 46 minutes later. Upon detecting suspicious activity, an emergency pause mechanism in the rsETH token configuration contract was triggered, causing a cascading halt of other protocol components.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you…
— Kelp (@KelpDAO) April 18, 2026
“We have paused rsETH contracts on the mainnet and several L2s while we conduct an investigation. We are working with [LayerZero], [Unichain], our auditors, and leading security experts on root cause analysis,” project representatives stated.
The DeFi protocol Aave also froze rsETH markets on the V3 and V4 platforms.
After the halt, the attacker made two more attempts to withdraw funds, but the transactions were successfully canceled. In both cases, they attempted to transfer 40,000 rsETH (~$100 million).
This marks the second cybersecurity incident for the Kelp token. In April 2025, the protocol suspended deposits and withdrawals after a fee agreement error led to the excessive creation of rsETH.
According to CoinGecko, the situation did not significantly impact the affected coin’s prices. However, the stolen 116,500 rsETH represents approximately 18% of the total circulating supply.
The attack adversely affected the price of AAVE due to reports of potential issues with non-repayable loans. The asset’s value dropped nearly 20% in a day.
Back on April 1, the DeFi platform Drift Protocol on Solana was subjected to a hacker attack. The perpetrator withdrew at least $280 million.