Kelp DAO Bridge Drained: $292M rsETH Stolen via LayerZero Exploit
A cross-chain bridge belonging to liquid restaking protocol Kelp DAO was drained of 116,500 rsETH ($292M) after an attacker manipulated LayerZero messaging. The stolen tokens were deposited into Aave as collateral, with $190M borrowed against them, exposing the lending protocol to severe potential bad debt.
Quick Take
Attacker drained 116,500 rsETH ($292M) from Kelp DAO’s LayerZero bridge.
Two follow‑up attempts for 40,000 rsETH each were reverted after contract pause.
Stolen rsETH deposited into Aave; $190M borrowed in ETH and related assets.
Aave froze rsETH markets; bad debt could reach $124M if depegging occurs.
Market Impact Analysis
BearishMajor exploit draining nearly $300M triggers fear, potential liquidation cascades in Aave, and damages confidence in cross‑chain bridges and liquid restaking.
Speculation Analysis
Key Takeaways
- A $292M exploit drained 116,500 rsETH—18% of circulating supply—from Kelp DAO’s LayerZero bridge via message forgery.
- Attacker immediately deposited stolen tokens into Aave, borrowing $190M in ETH and related assets across two chains.
- Kelp paused contracts 46 minutes later, but the attack exposes systemic cross-chain messaging vulnerabilities.
- Aave faces up to $124M in bad debt if rsETH depegs from expected loss socialization.
What Happened
An attacker exploited Kelp DAO’s cross-chain bridge, draining 116,500 rsETH worth $292 million by tricking LayerZero’s messaging layer. The bridge, used to back rsETH on over 20 blockchains, released the tokens after receiving a falsified transfer instruction. Within minutes, the attacker deposited the haul into Aave as collateral, borrowing $190 million in ETH and stablecoins on Ethereum and Arbitrum. Kelp’s emergency pauser multisig froze the protocol 46 minutes after the initial drain, foiling two subsequent attempts that each targeted another 40,000 rsETH.
The Numbers
The stolen 116,500 rsETH accounts for 18% of the token’s 630,000 circulating supply, valuing the loss at $292 million. The attacker borrowed $190 million against the collateral, immediately converting it to other assets. Two blocked follow-up attacks attempted to siphon an additional $100 million each. If Kelp socializes the shortfall across rsETH holders, a 15% depeg would leave Aave lenders facing $124 million in unrecoverable debt, according to on-chain analysts.
Why It Happened
No keys were compromised; the exploit manipulated the trust model itself. Kelp’s bridge relied on LayerZero to relay messages between chains, but it failed to independently verify that the originating chain actually authored the instruction. The attacker forged a message that appeared valid, causing the bridge to release assets as if a legitimate cross-chain burn had occurred. This highlights a dangerous design assumption—that relayed data is inherently trustworthy—and mirrors recent attacks on cross-chain infrastructure, including those tied to North Korea-linked groups.
Broader Impact
The incident shakes the liquid restaking sector, which has grown to over $15 billion in total value locked. Aave’s rapid market freeze limited immediate contagion, but the exposure underscores how restaking tokens can become systemic risk vectors in DeFi lending. Regulatory and security scrutiny on bridge architectures will likely intensify, and protocols may accelerate plans for decentralized validation layers. It also confirms that sophisticated attackers are now targeting protocol logic, not just code flaws.
What to Watch Next
- Kelp DAO’s loss remediation plan—whether the team covers the shortfall or imposes a haircut on rsETH holders—will determine Aave’s final bad debt figure.
- Aave governance may propose emergency parameter changes for restaking tokens, setting industry-wide risk precedents.
- Expect LayerZero and similar cross-chain protocols to announce hardened message verification, possibly incorporating zk-proofs or dual attestation.
This article is for informational purposes only and does not constitute financial advice.
Always late to trends?
Join for the latest news, insights & more.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.
