The liquid restaking protocol KelpDAO suffered a major exploit late Saturday, resulting in the theft of approximately $293.7 million. Security firms reported the attacker exploited the protocol’s bridge, drained its rsETH token, and quickly swapped the funds into ETH, spreading them across Ethereum and Arbitrum. This incident is now the largest hack of 2026, exceeding a previous $280 million exploit. The KelpDAO team confirmed the breach and stated they are investigating with partners.
Multiple on-chain security companies reported that KelpDAO fell victim to a major hack draining nearly $300 million. The team behind the project confirmed the incident hours later.
According to details shared by security experts, the attacker exploited the protocol’s bridge contract. They siphoned roughly $293.7 million from its liquid restaking token, rsETH.
The bad actor moved quickly after taking hold of the funds and swapped them into ETH. They spread them across Ethereum and Arbitrum, with activity showing $178 million on the former and $72 million on the layer-2 chain.
The stolen rsETH was deposited into lending protocols like Aave V3, Compound V3, and Euler. By using the illicitly obtained funds, they borrowed substantial amounts of WETH, creating more than $236 million in debt.
Cyvers explained that an attacker can end up creating unbacked rsETH and then use it to borrow real assets like ETH. The security experts added that this immediately became a cross-protocol contagion event, not just a single protocol exploit.
Such assets that are deeply integrated across lending, vaults, and liquidity protocols are particularly susceptible. One failure “does not stay contained.”
“It spreads instantly, creating bad debt, forcing market freezes, and impacting multiple platforms at once.”
Aave V3 froze rsETH markets, SparkLend froze exposure, while Fluid, Compound, Euler, and others moved to contain risk. At least 9 protocols were reportedly affected.
The project’s official X account confirmed the breach after they had “identified suspicious cross-chain activity involving rsETH.” They said they paused those contracts across the mainnet and several layer-2s as the investigation continued.
Although they are working with LayerZero, Unichain, auditors, and other security experts, there hadn’t been another update in the past 10 hours as of press time. KelpDAO’s hack became the largest in the industry so far in 2026, surpassing the previous ‘record-holder’, Drift Protocol, whose exploit was for $280 million.
