KelpDAO $292M Exploit Triggers $10B DeFi Withdrawal as rsETH Markets Freeze

KelpDAO Suffers $292M Exploit in Largest DeFi Breach of 2026

A $292 million exploit at KelpDAO over the weekend triggered a broad retreat across decentralized finance (DeFi), draining roughly $10 billion from the industry and forcing multiple protocols to freeze markets tied to rsETH. The breach began late Saturday when an attacker drained approximately 116,500 rsETH from KelpDAO’s cross-chain bridge, according to CryptoSlate data. At the time of the theft, the stolen tokens were valued at $292 million.

How KelpDAO’s rsETH System Works

KelpDAO issues rsETH to users who deposit ETH into its liquid restaking system. The platform then deploys deposited ETH through the restaking platform EigenLayer to generate additional yield on top of standard staking returns. The exploit at KelpDAO now stands as the largest DeFi exploit of 2026, surpassing earlier attacks this year.

Exploit Details: Fraudulent Message Bypasses Security

According to Banteg, a core developer at Yearn Finance and on-chain analyst, the exploit targeted the route linking Unichain to the Ethereum mainnet. The attacker pushed through a fraudulent message that the system accepted as valid, prompting the Ethereum-side adapter to release pre-funded rsETH reserves. This route was configured as a one-of-one decentralized verifier network path without secondary verifiers that could have flagged the transaction.

Banteg stated: “The malicious transaction, identified as nonce 308, was verified and delivered at 17:35 UTC.”

Following the attack, KelpDAO’s emergency multisignature wallet froze the protocol’s core contracts. This action blocked two further attempts that together could have removed another roughly $100 million in rsETH.

Stolen Funds Moved Through Tornado Cash

The initial stolen funds were moved through Tornado Cash, a privacy-focused cryptocurrency mixer, obscuring the trail before the protocol’s response could contain the damage. The drained reserve-backed wrapped rsETH then circulated across secondary networks, including Base, Arbitrum, Linea, Blast, Mantle, and Scroll.

Aave Faces $236M Bad-Debt Exposure as rsETH Collateral Crisis Unfolds

The most severe aftershock hit Aave, the largest crypto lending platform, where the attacker allegedly deposited the stolen rsETH as collateral. During the attack window, Aave’s pricing oracles continued to read rsETH near its normal peg, allowing the protocol to issue 106,467 ETH against the compromised collateral. This left the platform facing a potential $236 million bad-debt exposure and triggered a rush for the exits.

Aave’s TVL Plummets by $6B in Hours

Data from DeFiLlama showed Aave’s total value locked (TVL) dropped from more than $26 billion to about $20 billion as users withdrew funds. The drawdown amounted to one of the sharpest pullbacks on the platform in recent memory and turned a bridge exploit into a liquidity event for the largest lending venue in DeFi. On-chain analysts revealed that large ETH holders on the DeFi platform accelerated the move.

Cross-Chain Bridge Vulnerabilities Exposed

The exploit highlighted vulnerabilities in cross-chain messaging networks, particularly those relying on single-verifier pathways. The fraudulent transaction exploited a lack of secondary verification, allowing the attacker to bypass security measures and drain reserves. The incident has raised concerns about the robustness of similar pathways in the DeFi ecosystem.

Market Impact: rsETH Redemption Uncertainty Spreads

Once the stolen reserve-backed wrapped rsETH reserves were depleted, users holding rsETH off Ethereum faced rising uncertainty around redemption and backing. This uncertainty quickly fed into the broader market, exacerbating the selloff and contributing to the $10 billion withdrawal across DeFi.