Back to Home

Kelp Hack: $292M Stolen from Cryptoprotocol

On April 18, 2026, hackers withdrew $292M from the Kelp protocol by exploiting a vulnerability in the LayerZero bridge. The stolen rsETH was used as collateral on lending platforms, creating systemic risk for DeFi. The market reacted with price declines for AAVE and ETH.

Largest hack of 2026: $292M vanished from Kelp in minutes

Predict

Signal based on this article

Signal8/10
Directiondown
Magnitude2-5%
Timeframe1-3d
Confidencemedium

Drivers

The $292M Kelp exploit triggered cascading risk across major DeFi lending protocols that accepted stolen rsETH as collateral, forcing emergency freezes and reducing liquidity. This creates short-term selling pressure on ETH as users de-risk and protocols adjust. Key counter-signal: core Ethereum staking (stETH) remains unaffected, limiting systemic fallout.

View all predictions for this date

Analytical signal only. Not financial advice.

Advertisement 728x90

Hackers Stole $292M from the Kelp Protocol: Market Impact and What’s Next

On Saturday, April 18, 2026, unknown attackers drained nearly $300M from one of the largest crypto protocols—Kelp. This isn’t just a number in a report: hundreds of thousands of users may have lost access to their funds, and decentralized lending platforms now face the risk of mass defaults. Such events reveal how fragile even the “most secure” parts of crypto infrastructure can be.

What Is Kelp—and Why Does It Matter?

Kelp is a liquid restaking protocol that lets users earn yield on their Ether (ETH) without fully locking it up. Instead, it issues a special token, rsETH, which can be used across other applications—for example, to borrow against or trade. It’s like depositing money in a bank but receiving a debit card you can use immediately instead of a passbook.

The protocol operates via a so-called cross-chain bridge—a technology enabling asset transfers between different blockchains (e.g., from Ethereum to Arbitrum). This bridge relies on LayerZero infrastructure, widely regarded as one of the most secure in the industry.

Google AdInline article slot

How the Attack Unfolded

The attackers did not exploit a vulnerability in Kelp’s core code. Instead, they deceived the bridge’s verification system. Imagine sending a package from Moscow to Saint Petersburg, where the courier service requires delivery confirmation. The hackers forged that confirmation—and the system automatically released the goods, even though the package was never shipped.

Specifically: they tricked the bridge into believing someone had “burned” rsETH tokens on the Arbitrum network (a step that normally unlocks equivalent rsETH on Ethereum). In reality, no burning occurred. As a result, 116,500 rsETH—worth $292M—was drained from Kelp’s reserves.

Notably, prior to the attack, the hackers acquired initial capital via Tornado Cash, an anonymizing transaction service. This allowed them to pay gas fees and execute a complex sequence of operations.

Google AdInline article slot

Stolen Funds Were Immediately Used as Collateral for New Loans

Most alarmingly, the hackers didn’t simply hide the stolen assets. They instantly deployed rsETH as collateral on popular lending platforms:

  • Aave V3 — borrowed ~$120M in ETH;
  • Compound V3 and Euler — borrowed another ~$116M;
  • Total borrowed value exceeded $236M.

These platforms had no way of knowing the collateral was stolen: oracles (specialized services that price assets) confirmed rsETH’s value, and smart contracts executed standard logic. Now Aave, Compound, and others risk losing hundreds of millions if the hackers fail to repay—yet they have zero incentive to do so.

Ecosystem Response

Forty-six minutes after the attack, the Kelp team froze key contracts, preventing an additional $100M from being withdrawn. But the fallout had already spread:

Google AdInline article slot
  • Aave paused all rsETH-related operations;
  • SparkLend and Fluid also disabled support for the token;
  • Lido Finance temporarily suspended its vault earnETH (though its core tokens stETH and wstETH remain unaffected);
  • Ethena disabled its LayerZero bridges for six hours.

Markets reacted instantly: AAVE dropped 18%, ETH fell 2%, and stETH briefly dipped 4%.

Key Takeaways

  • The attack targeted not code vulnerabilities—but the logic of cross-chain interoperability, representing a new threat tier for DeFi.
  • Stolen assets were weaponized to create leveraged debt positions, introducing systemic risk across lending protocols.
  • LayerZero—despite its reputation—proved vulnerable to manipulation of attestation messages.
  • Kelp prevented a second wave of attacks—but has yet to announce compensation plans.
  • rsETH remains in circulation—but trust in it has been severely eroded.

What This Means for Everyday Users

If you hold cryptocurrency in a self-custodied wallet, your assets are safe. But if you use DeFi applications—borrowing, staking, or trading through protocols—events like this can impact your asset valuations or service availability. For instance, borrowing rates may spike, and certain tokens may temporarily lose value. The core lesson: even “battle-tested” protocols rely on intricate interdependencies, and a single point of failure can trigger a cascade effect.

— Editorial Team

Advertisement 728x90

Read Next

Partner News