A major security breach has shaken the DeFi space after Kelp DAO suffered a massive exploit involving its rsETH token. The attack, estimated at around $292 million, is believed to be linked to a vulnerability in LayerZero. The attacker managed to drain approximately 116,500 rsETH by exploiting a function call within the protocol’s bridge system, triggering unauthorized transfers to a controlled wallet. The operation appeared highly coordinated, with prior funding routed through Tornado Cash to obscure transaction origins.
The breach occurred across multiple networks, including Ethereum and Arbitrum, highlighting the growing risks associated with cross-chain infrastructure. Blockchain investigator ZachXBT was among the first to flag the incident, estimating losses in excess of $280 million. The exploit targeted Kelp DAO’s bridge mechanism, specifically through a call to the “lzReceive” function, which allowed the attacker to bypass safeguards and release funds
In response, Kelp DAO acted quickly by pausing its protocol using an emergency multisig. Critical systems—including deposit pools, withdrawal modules, and the rsETH token contract—were temporarily shut down to prevent further damage. This swift intervention proved crucial, as two additional exploit attempts shortly after the initial breach were successfully blocked. Without this action, total losses could have escalated close to $400 million.
The impact extended beyond Kelp DAO, sending shockwaves through the broader DeFi ecosystem. Aave responded by freezing rsETH markets on its V3 and V4 deployments due to concerns over potential bad debt exposure. While Aave confirmed that its own smart contracts were not compromised, the platform is now assessing risks tied to rsETH-backed loans and may activate safety mechanisms if necessary.
This incident has reignited concerns over the security of cross-chain bridges, particularly those enabling omnichain token transfers. With rsETH spanning more than 20 networks, the exploit underscores how vulnerabilities in one component can cascade across multiple ecosystems. It also marks the second major issue for Kelp DAO within a year, raising questions about its long-term reliability and risk management practices.
As investigations continue, attention is focused on identifying the root cause and exploring recovery options. The scale of the exploit highlights a persistent challenge in decentralized finance: balancing interoperability with robust security. For users and protocols interacting with rsETH, the situation remains uncertain, reinforcing the importance of caution in increasingly complex cross-chain environments.
