Tuesday, April 21, 2026

Kelp DAO’s rsETH bridge apparently exploited for roughly $292 million in LayerZero-based attack



An attacker apparently drained 116,500 rsETH from Kelp DAO’s LayerZero-powered cross-chain bridge on Saturday, according to onchain data. The stolen funds are worth approximately $292 million at current market prices.

The successful drain transaction occurred at 17:35 UTC, when an attacker-controlled wallet called lzReceive on LayerZero’s EndpointV2 contract. The call triggered Kelp’s bridge contract to release 116,500 rsETH to a separate attacker address, per the transaction’s event logs.

The attacker wallet had been funded roughly 10 hours prior through Tornado Cash’s 1 ETH pool, a common obfuscation technique in DeFi exploits.

“KelpDAO appears to have had $280M+ stolen one hour ago on Ethereum and Arbitrum,” blockchain sleuth ZachXBT wrote in a Telegram message. “The attack addresses were funded via Tornado Cash.”

Kelp DAO, a product under the KernelDAO umbrella, responded about 46 minutes later. At 18:21 UTC, the protocol’s emergency pauser multisig executed pauseAll on Kelp’s liquid restaking token configuration contract, cascading Paused events across the protocol’s core components, including the LRT Deposit Pool, Withdrawal contract, LRT Oracle and the rsETH token itself.

“Earlier today we identified suspicious cross-chain activity involving rsETH,” Kelp wrote on X at 20:10 UTC in its first public acknowledgement of the incident. “We have paused rsETH contracts across mainnet and several L2s while we investigate. We are working with [LayerZero], [Unichain], our auditors and top security experts on RCA.”

Two subsequent attack attempts from the attacker at 18:26 UTC and 18:28 UTC both reverted, indicating the pause halted further drains. Both reverted transactions carried the same LayerZero packet attempting to drain an additional 40,000 rsETH, worth roughly $100 million at current prices. Had the attempts succeeded, Kelp’s total losses would have reached approximately $391 million.

LayerZero OFT bridge at the center

The exploit appears to have targeted Kelp’s LayerZero OFT (Omnichain Fungible Token) bridge, which enables rsETH to move between networks.

The 116,500 rsETH taken represents roughly 18% of rsETH’s circulating supply, which CoinGecko lists at approximately 630,000 tokens. rsETH is currently deployed on more than 20 networks, including Base, Arbitrum, Linea, Blast, Mantle and Scroll, per CoinGecko.

The price of AAVE dropped about 10% following the incident, per The Block’s Aave Price page, amid reports that the lending platform may be saddled with bad debt following the attack. 

Aave responded to the incident by freezing rsETH markets on Aave V3 and V4, and its team affirmed on X that the exploit was related to rsETH and not Aave’s smart contracts.

“We are reviewing information about rsETH borrows on Aave that occurred after the exploit and will share more details as soon as possible,” Aave wrote. “If the protocol accumulates bad debt from this incident, Umbrella assets can be used to offset the deficit.” (Umbrella refers to the protocol’s automated safety module to protect against bad debt.) 

Aave later updated its post to alter that final line, changing it to, “If the protocol accumulates bad debt from this incident, we’ll explore paths to offset the deficit.”

Second incident in 12 months

The event marks the second security incident regarding rsETH for Kelp in roughly a year.

In April 2025, the protocol paused deposits and withdrawals after a bug in its fee contract caused excess rsETH minting. No user funds were lost in that incident, according to the protocol’s disclosures at the time.

rsETH was trading at approximately $2,500 at time of publication. Kelp and co-founder Amitej Gajjala did not immediately respond to requests for further comment from The Block. 

Updated at 20:40 UTC with details from Aave’s and Kelp’s statements. This is a developing story.


© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.


