The Kelp DAO rsETH bridge exploit forced DeFi lenders into emergency defense after attackers drained about $292 million from the protocol’s cross-chain infrastructure. For a liquid restaking token meant to move easily across Ethereum and bridge-connected networks, the breach turned transfer plumbing and collateral risk into the same story within hours.
Key Points
- An Etherscan transaction record shows the attacker drained 116,500 rsETH, valued at $291,714,876.07.
- Kelp DAO said it detected suspicious cross-chain activity involving rsETH and paused rsETH contracts across mainnet and several L2s while it investigated.
- Aave froze rsETH markets on Aave V3 and Aave V4 and said its own contracts were not exploited.
rsETH is Kelp DAO’s liquid restaking token, designed to let users keep exposure to restaked Ether while moving that position through DeFi. The drain transaction on Etherscan shows funds leaving KernelDAO: Bridge for an attacker-linked address after interacting with LayerZero: EndpointV2.
ON-CHAIN DATA
- Transaction hash: 0x1ae232da212c45f35c1525f851e4c41d529bf18af862d9ce9fd40bf709db4222
- Amount: 116,500 rsETH ($291,714,876.07 at transfer time)
- From: KernelDAO: Bridge → 0x8B1b6c9A6DB1304000412dd21Ae6A70a82d60D3b
- Block: #24908285 at 2026-04-18 17:35:35 UTC
What Happened in the Kelp DAO rsETH Bridge Exploit
Incident Summary
Kelp wrote on X, “Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.” That made the initial response a containment action, not a claim that the root cause had already been isolated.
The wording matters because the successful transfer route on Etherscan passed through LayerZero: EndpointV2 before the outflow settled at the destination address. That points readers to bridge messaging as the relevant attack surface, even though Kelp had not published a final root-cause analysis at the time of writing.
The Reported Size of the Drain
The core transaction was confirmed at 17:35:35 UTC on April 18, 2026 in block 24908285, which gives the exploit a clean on-chain timestamp for investigators and DeFi risk desks. The same explorer record is why the drain can be described with precision rather than as an estimated headline figure.
The Block reported that later drain attempts at 18:26 UTC and 18:28 UTC both reverted after Kelp’s emergency pause. That same report said each failed packet targeted another 40,000 rsETH, which sharpens the case that the pause stopped additional damage.
Why Cross-Chain Bridges Remain High-Risk Infrastructure
Because the first message cleared while the later packets failed, the timeline shows how bridge losses are often defined by response latency as much as by exploit design. For AI-driven monitoring stacks that watch DeFi flows, the data point here is that the exploiter moved through a cross-chain message path before lenders had time to fully reprice risk.
That is also why damage can spread beyond the directly hit protocol. The same second-order pattern is visible in other recent coverage, including the Circle class action lawsuit tied to Drift Protocol’s $280M exploit and the broader industry debate, covered in “Yang Haipo Says Bitcoin and Crypto Have Reached the Endgame,” over whether crypto infrastructure has really matured enough for larger pools of collateral.
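The timeline reasoning above (one message cleared, two later packets reverted) can be checked mechanically. The following is an added example, not code from Kelp DAO, LayerZero or Aave: it replays a constructed event list built from the article's figures through a trailing-window outflow alert and bounds how long the pause can have taken. The `window` and `cap` values are hypothetical, and the reverts are assumed to be caused by the pause, as the cited report states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Packet:
    ts: datetime      # UTC time of the bridge release attempt
    amount: int       # rsETH requested by the packet
    succeeded: bool   # False means the transaction reverted

def utc(h, m, s=0):
    return datetime(2026, 4, 18, h, m, s, tzinfo=timezone.utc)

# Constructed sample built from the article's figures. The reverted packets are
# reported only to the minute, so their seconds are set to :00 here.
PACKETS = [
    Packet(utc(17, 35, 35), 116_500, True),
    Packet(utc(18, 26), 40_000, False),
    Packet(utc(18, 28), 40_000, False),
]

def outflow_alerts(packets, window=timedelta(hours=1), cap=10_000):
    """Flag packets that would push trailing-window outflow above cap.
    window and cap are hypothetical tuning values, not Kelp or LayerZero settings."""
    ordered = sorted(packets, key=lambda p: p.ts)
    alerts = []
    for i, p in enumerate(ordered):
        released = sum(q.amount for q in ordered[:i]
                       if q.succeeded and p.ts - q.ts <= window)
        if released + p.amount > cap:
            alerts.append(p)
    return alerts

def containment_summary(packets):
    """Split the timeline into realized loss, blocked amount, and the longest
    the pause can have taken (last success to first later revert)."""
    ok = [p for p in packets if p.succeeded]
    last_ok = max((p.ts for p in ok), default=None)
    later_reverts = [p for p in packets
                     if not p.succeeded and (last_ok is None or p.ts > last_ok)]
    latency = None
    if last_ok is not None and later_reverts:
        latency = min(p.ts for p in later_reverts) - last_ok
    return {"lost": sum(p.amount for p in ok),
            "blocked": sum(p.amount for p in later_reverts),
            "max_pause_latency": latency}

if __name__ == "__main__":
    print([p.amount for p in outflow_alerts(PACKETS)])
    print(containment_summary(PACKETS))
```

With the minute-level timestamps available, the pause landed no more than about 50 minutes after the drain, and the two reverted packets account for 80,000 rsETH that did not leave the bridge.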
Why Aave Froze rsETH Markets and What Users Should Watch Next
Aave’s Response
Aave said the rsETH markets on Aave V3 and Aave V4 had been frozen and stressed that its own contracts were not exploited. That framed the move as a risk-control measure for collateral exposure, not evidence that the lending protocol itself had been drained.
“The rsETH markets on Aave V3 and Aave V4 have been frozen. Aave's contracts have not been exploited and this is an exploit related to rsETH.
The freeze follows an exploit of the Kelp DAO rsETH bridge. Freezing the rsETH markets prevents new deposits and borrowing against rsETH…”
— Aave (@aave), April 18, 2026
That distinction matters for users because a freeze is a defensive market control, not proof that Aave’s core lending logic failed. It limits fresh activity while the protocol reviews how much rsETH-backed borrowing was left exposed after the bridge shock.
Likely User-Facing Implications
Kelp’s pause across mainnet and several L2s and Aave’s freeze arrived in the same response cycle, which is why bridged liquid restaking assets can become systemically fragile once transferability and collateral value are questioned at the same time. Users now have to track whether positions remain serviceable under constrained liquidity instead of assuming rsETH can circulate normally across venues.
The market lesson is broader than one token. Crypto capital structures can look robust during expansion phases, as stories like “Strategy Proposes Semi-Monthly STRC Dividends Plan” show, but a bridge failure can still force lenders to privilege containment over growth the moment collateral plumbing breaks.
The Broader DeFi Risk Lesson
No public postmortem had been released at publication time, and Kelp said it was working with LayerZero, Unichain, auditors, and security experts on a root-cause analysis. Until that process is finished, any exact explanation of the exploit method should be treated as unconfirmed.
The next concrete checkpoints are official protocol statements, on-chain movement from the drained wallet, and any reopening conditions Kelp or Aave publish. If the reverted packets described by The Block’s reporting are later confirmed in a full incident review, they will help show whether the emergency pause merely halted losses or identified the exact control point the attacker abused.