Kelp Exploit Drains $293M, Exposes DeFi Contagion Risks
The Kelp liquid restaking protocol suffered a $293M exploit via cross-chain bridge flaws, triggering immediate contagion as Aave, Compound, and other protocols froze rsETH markets. Executives urge better isolation and vetting of collateral assets.
Quick Take
Kelp protocol drained of ~$293M in cross-chain exploit
At least nine DeFi protocols affected, rsETH markets frozen
Non-isolated lending blamed for rapid contagion
Curve founder warns cross-chain bridges remain risky
Market Impact Analysis
BearishMajor $293M DeFi exploit causing cross-protocol contagion likely triggers sell pressure and security concerns in the near term.
Speculation Analysis
Key Takeaways
- Kelp liquid restaking protocol lost $293M in a cross-chain bridge exploit on April 18, 2026.
- At least nine DeFi platforms, including Aave and Compound, froze rsETH markets to halt contagion.
- Curve Finance founder Michael Egorov blames vulnerable cross-chain bridges and non-isolated lending.
- The incident pushes DeFi toward stronger cybersecurity and isolated lending models.
What Happened
On Saturday, April 18, 2026, the Kelp liquid restaking protocol was hit by a cyberattack that drained approximately $293 million. The exploit targeted vulnerabilities in the protocol's cross-chain bridging architecture, forcing Kelp to immediately pause smart contracts for its rsETH token. The attack triggered rapid contagion across decentralized finance. Within hours, major lending platforms including Aave, Compound, SparkLend, and Euler froze rsETH markets or took protective measures to prevent further damage. Blockchain security firm Cyvers described the event as a cross-protocol contagion event that exposed systemic flaws in the interconnected DeFi ecosystem.
The Numbers
The attacker made off with $293 million from Kelp, making it one of the largest DeFi exploits to date. At least nine protocols were forced to freeze or mitigate rsETH-related positions to contain the fallout. The incident adds to a grim tally: crypto hacks, exploits, and scams totaled $482 million in Q1 2026 alone. The exploit occurred on a Saturday, leveraging the weekend's typically lower oversight to move funds across chains.
Why It Happened
According to Curve Finance founder Michael Egorov, the root cause of the exploit was a combination of vulnerable cross-chain bridging infrastructure and non-isolated lending models. Cross-chain bridges, while essential for asset transfers, remain a high-risk surface for attacks. Non-isolated lending further amplified the damage: when rsETH was used as collateral across multiple protocols, the failure of one bridge spread losses instantly. Egorov stressed that DeFi teams must rigorously vet collateral assets and avoid cross-chain dependencies unless absolutely necessary.
Broader Impact
The Kelp incident is set to accelerate a push toward stronger cybersecurity practices and isolated lending designs. It follows the $280 million Drift Protocol hack just days earlier, reinforcing a brutal quarter for DeFi security. The industry is likely to see increased scrutiny of cross-chain bridges and collateral standards, possibly driving regulatory attention and a wave of protocol upgrades to prevent similar cascading failures.
What to Watch Next
- Kelp's recovery strategy and whether rsETH functionality can be safely restored.
- Potential structural changes in lending protocols toward isolated pools and stricter collateral requirements.
- Regulatory responses to the surge in cross-chain exploits, possibly targeting bridge security standards.
This article is for informational purposes only and does not constitute financial advice.
Always late to trends?
Join for the latest news, insights & more.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.
