$292M rsETH exploit exposes cross-chain risks, forcing Kelp shutdown and Aave market freeze amid bad debt concerns.
A major security breach has struck Kelp DAO, leaving the protocol reeling after a large-scale cross-chain exploit. Early on Saturday, an attacker drained a significant portion of its rsETH supply via a suspected LayerZero vulnerability. On-chain data points to a carefully prepared operation involving obfuscation tools and targeted contract calls. Market reactions followed quickly, with ripple effects across related DeFi platforms.
Kelp DAO Freezes Protocol After $292M Cross-Chain Exploit Attempt
Attackers siphoned roughly 116,500 rsETH, valued near $292 million at current prices. Blockchain records show the drain occurred at 17:35 UTC through a call to the “lzReceive” function on LayerZero’s EndpointV2 contract. That call triggered Kelp’s bridge system to release funds directly to an attacker-controlled address.
Funding for the exploit dates back about 10 hours. The attacker used Tornado Cash’s 1-ETH pool, a method often associated with transaction obfuscation. Shortly after the breach, blockchain investigator ZachXBT flagged the incident, estimating losses above $280 million across Ethereum and Arbitrum.
Kelp DAO responded within an hour, during which its emergency multisig executed a “pauseAll” function across key contracts. Systems affected included the LRT Deposit Pool, withdrawal module, oracle, and the rsETH token itself. That move stopped further damage and prevented additional withdrawals.
Two follow-up attempts by the attacker failed. Transactions at 18:26 and 18:28 UTC attempted to drain another 40,000 rsETH, worth about $100 million. Both were rejected due to the protocol’s paused state. Without that intervention, total losses could have climbed near $391 million.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you…
— Kelp (@KelpDAO) April 18, 2026
Kelp later confirmed “suspicious cross-chain activity” in a public statement posted at 20:10 UTC. The team said it paused contracts across the mainnet and multiple Layer 2 networks while investigating. Collaboration is underway with LayerZero, Unichain, auditors, and external security specialists.
Aave Freezes rsETH Markets After Kelp Bridge Exploit Sparks Bad Debt Fears
Focus has turned to Kelp’s Omnichain Fungible Token bridge. That system allows rsETH transfers across networks and appears central to the exploit path. The stolen amount represents roughly 18% of rsETH’s circulating supply, estimated at 630,000 tokens. The asset operates across more than 20 networks, including Arbitrum, Base, and Scroll.
Shockwaves spread to other protocols, especially lending markets. AAVE dropped about 10% following reports that the platform may face exposure to bad debt linked to rsETH positions. In response, Aave froze rsETH markets on both V3 and V4 deployments.
The rsETH markets on Aave V3 and Aave V4 have been frozen. Aave’s contracts have not been exploited and this is an exploit related to rsETH.
The freeze follows an exploit of the Kelp DAO rsETH bridge. Freezing the rsETH markets prevents new deposits and borrowing against rsETH…
— Aave (@aave) April 18, 2026
Aave clarified that its smart contracts were not compromised. Instead, the issue stems from rsETH itself. The team is now reviewing the borrow activity tied to the exploit. Initial statements referenced potential use of the Umbrella safety module, though later updates softened that stance. Aave now says it will review options if losses materialize.
Repeat Incident Raises Alarm Over Kelp DAO’s Security and Cross-Chain Risks
Saturday’s incident marks Kelp DAO’s second major disruption within a year. Back in April 2025, a bug in its fee contract caused excess rsETH minting. That event led to a temporary pause but did not result in user fund losses.
Current conditions have rsETH trading near $2,500, reflecting uncertainty about the protocol’s stability. Kelp DAO and co-founder Amitej Gajjala have yet to provide further details beyond initial statements.
Attention now shifts to root cause analysis and potential recovery paths. The scale of the exploit raises broader concerns around cross-chain bridge security. As investigations continue, both users and protocols linked to rsETH face heightened risk and ongoing uncertainty.