$BTC $ETH
The DeFi space just took another heavy hit. An attacker drained roughly $292 million worth of rsETH from Kelp DAO’s LayerZero-powered bridge over the weekend making it the largest DeFi exploit of 2026 so far.
Kelp DAO is a liquid restaking protocol that lets users stake ETH via EigenLayer and receive rsETH as a yield-bearing token. The exploited bridge was responsible for backing wrapped rsETH versions across more than 20 Layer 2 networks.
According to Ledger CTO Charles Guillemet and Curve founder Michael Egorov, the attacker appears to have exploited a single-signer setup in the bridge’s verification process. This allowed them to mint large amounts of unbacked rsETH, which were then immediately used as collateral on lending protocols primarily Aave to borrow real ETH.
The fallout spread quickly. Aave, SparkLend, and Fluid froze their rsETH markets. Aave saw around $6 billion in assets pulled out as users rushed to withdraw, and AAVE token dropped about 15% in 24 hours.
This incident comes just weeks after the $285M Drift exploit, reinforcing concerns that 2026 could become the worst year for DeFi hacks. As protocols become more interconnected, a single weak link like a bridge relying on one validator can create widespread contagion and bad debt across lending platforms.
Ledger’s Guillemet warned that trust in DeFi is being eroded by these repeated events. Egorov added that while crypto is a harsh environment, the industry tends to learn and become stronger after each incident.