The Biggest Hack of 2026: What We Know About the $294M KelpDAO Exploit
TL;DR
KelpDAO suffered a major hack, losing nearly $300 million from its liquid restaking protocol. The team is collaborating with security experts to address the breach.
Key points
- KelpDAO lost nearly $300 million in a hack
- The breach was detected by multiple security companies
- Funds were siphoned from the liquid restaking token, rsETH
- The attacker split the stolen funds into two batches
- KelpDAO is working with security experts to address the issue
Mentioned in this story
Multiple on-chain security companies and industry sleuths reported late on Saturday that the liquid restaking protocol KelpDAO had fallen victim to a major hack in which the perpetrators drained nearly $300 million.
The team behind the project confirmed the incident hours later, and added that they have partnered with LayerZero, Unichain, their auditors, and ‘top security experts’ to resolve the issue.
The Biggest Hack of 2026
Cyvers was among the security resources that detected the breach in its initial phase and later provided a more detailed explanation of what happened. According to a post they shared with CryptoPotato, the attacker exploited the protocol’s bridge contract and siphoned roughly $293.7 million from its liquid restaking token, rsETH.
The bad actor moved quickly after taking hold of the funds and swapped them into ETH. They spread them across Ethereum and Arbitrum, with the on-chain activity showing that the attacker split the funds into two batches: $178 million on the former and $72 million on the layer-2 chain.
The stolen rsETH was deposited into lending protocols like Aave V3, Compound V3, and Euler. By using the illicitly obtained funds, they borrowed substantial amounts of WETH, creating more than $236 million in debt.
Cyvers explained that an attacker can end up creating unbacked rsETH and then use it to borrow real assets like ETH, which is “exactly how this kind of exploit blows up so fast.” The security experts added that this immediately became a cross-protocol contagion event, not just a single protocol exploit. Such assets that are deeply integrated across lending, vaults, and liquidity protocols are particularly susceptible to similar incidents, and one failure “does not stay contained.”
“It spreads instantly, creating bad debt, forcing market freezes, and impacting multiple platforms at once.”
Aave V3 froze rsETH markets, SparkLend froze exposure, while Fluid, Compound, Euler, and others moved to contain risk. Cyvers said that at least 9 protocols were affected.
KelpDAO Talks
The project’s official X account confirmed the breach after they had “identified suspicious cross-chain activity involving rsETH.” They said they paused those contracts across the mainnet and several layer-2s as the investigation continued.
Although they are working with LayerZero, Unichain, auditors, and other security experts on the matter, there hasn’t been another update in the past 10 hours as of press time on what’s next and what users might expect.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you…
— Kelp (@KelpDAO) April 18, 2026
KelpDAO’s hack became the largest in the industry so far in 2026, surpassing the previous ‘record-holder’, Drift Protocol, whose exploit was for $280 million.
Q&A
What happened in the KelpDAO hack of 2026?
KelpDAO was hacked, resulting in the loss of approximately $293.7 million from its liquid restaking protocol.
How did the attacker exploit KelpDAO's protocol?
The attacker exploited the protocol's bridge contract to siphon funds, quickly converting them into ETH and distributing them across Ethereum and Arbitrum.
What steps is KelpDAO taking after the hack?
KelpDAO has partnered with LayerZero, Unichain, and top security experts to resolve the issue and investigate the breach.
