A number of on-chain security firms and industry sleuths reported late on Saturday that the liquid restaking protocol KelpDAO had fallen victim to a serious hack in which the perpetrators drained almost $300 million.
The team behind the project confirmed the incident hours later, and added that they’ve partnered with LayerZero, Unichain, their auditors, and ‘top security experts’ to resolve the issue.
The Largest Hack of 2026
Cyvers was among the security resources that detected the breach in its initial phase and later offered a more detailed explanation of what happened. According to a post they shared with CryptoPotato, the attacker exploited the protocol’s bridge contract and siphoned roughly $293.7 million from its liquid restaking token, rsETH.
The bad actor moved quickly after taking hold of the funds and swapped them into ETH. They spread them across Ethereum and Arbitrum, with the on-chain activity showing that the attacker split the funds into two batches: $178 million on the former and $72 million on the layer-2 chain.
The stolen rsETH was deposited into lending protocols like Aave V3, Compound V3, and Euler. Using the illicitly obtained funds, they borrowed substantial amounts of WETH, creating more than $236 million in debt.
Cyvers explained that an attacker can end up creating unbacked rsETH and then use it to borrow real assets like ETH, which is “precisely how this type of exploit blows up so quick.” The security experts added that this instantly became a cross-protocol contagion event, not just a single protocol exploit. Assets that are deeply integrated across lending, vaults, and liquidity protocols are particularly susceptible to similar incidents, and one failure “doesn’t stay contained.”
“It spreads immediately, creating bad debt, forcing market freezes, and impacting a number of platforms at once.”
Aave V3 froze rsETH markets, SparkLend froze exposure, while Fluid, Compound, Euler, and others moved to contain risk. Cyvers said that at least 9 protocols were affected.
KelpDAO Talks
The project’s official X account confirmed the breach after they’d “identified suspicious cross-chain activity involving rsETH.” They said they paused these contracts across the mainnet and several layer-2s as the investigation continued.
Although they’re working with LayerZero, Unichain, auditors, and other security experts on the matter, there hasn’t been another update in the past 10 hours as of press time on what’s next and what users might expect.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
We’re working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you…
— Kelp (@KelpDAO) April 18, 2026
KelpDAO’s hack became the largest in the industry so far in 2026, surpassing the previous ‘record-holder’, Drift Protocol, whose exploit was for $280 million.
The post The Largest Hack of 2026: What We Know About the $294M KelpDAO Exploit appeared first on CryptoPotato.

