KelpDAO $292 Million Bridge Exploit: How DeFi's Biggest 2026 Hack Unfolded
A $292 million bridge exploit on KelpDAO on April 18, 2026 sent shockwaves through DeFi, triggering a $13 billion TVL outflow across the ecosystem. Here is what happened, how it was exploited, and what the response revealed about DeFi's composability risk.
Quick answer
A $292 million bridge exploit on KelpDAO on April 18, 2026 sent shockwaves through DeFi, triggering a $13 billion TVL outflow across the ecosystem. Here is what happened, how it was exploited, and what the response revealed about DeFi's composability risk.
What happened: the KelpDAO bridge attack
On April 18, 2026, an attacker exploited a vulnerability in KelpDAO's cross-chain bridge infrastructure to drain $292 million in liquid restaking tokens — making it the largest DeFi exploit of 2026 and one of the ten largest in the industry's history.
KelpDAO is a liquid restaking protocol built on EigenLayer, where users deposit ETH or stETH and receive rsETH — a liquid token representing restaked positions. The bridge connecting rsETH between Ethereum mainnet and Layer 2 networks contained a flaw in its message verification logic. The attacker forged a series of withdrawal messages that the bridge accepted as valid, allowing them to drain the collateral pool.
The exploit triggered an immediate cascade: rsETH depegged to approximately 0.71 ETH within hours as holders rushed to exit. The panic spread to other restaking tokens — weETH (EtherFi) fell 4%, ezETH (Renzo) fell 6%. Total DeFi TVL dropped from roughly $115 billion to $102 billion within 48 hours as the sector absorbed the shock.
The $13 billion TVL outflow
The $13 billion TVL outflow that followed was not caused solely by the exploit itself — it reflected a broader panic withdrawal from restaking protocols and yield-bearing ETH products as confidence in composable DeFi infrastructure temporarily collapsed.
Aave saw over $2.1 billion in withdrawals as users reduced exposure to ETH-correlated collateral. Lido's stETH briefly traded at a 2.1% discount to ETH as sellers overwhelmed DEX liquidity. Pendle Finance, which offers fixed-yield products on restaking tokens, saw its TVL fall by 28% within a week.
However, blue-chip protocols demonstrated genuine resilience. No additional protocol was exploited during the crisis period. Aave's risk parameters correctly prevented any bad debt despite the collateral price movements. Uniswap's liquidity remained deep. The episode stress-tested DeFi's composability stack and most core infrastructure held.
Governance response and recovery
KelpDAO's emergency governance council moved within six hours of the exploit, pausing the bridge and issuing a post-mortem within 24 hours. A recovery plan was structured using the protocol's treasury and a commitment to reimburse affected users through a phased compensation fund.
The exploit immediately prompted calls across the DeFi ecosystem for standardised bridge security requirements. EigenLayer published updated AVS security guidelines. Restaking protocols across the board paused bridge functionality for audits.
As of late May 2026, approximately $180 million of the $292 million had been traced to wallets linked to a state-affiliated hacking group. On-chain investigators noted transaction patterns consistent with previous North Korea-linked DeFi exploits.
What this means for restaking and DeFi composability
The KelpDAO exploit reignited a fundamental debate about DeFi composability risk — the tendency for losses in one protocol to cascade through interconnected systems. Restaking amplifies this risk by design: the same ETH secures multiple layers simultaneously, meaning distress in one layer can propagate to all others.
Security researchers have noted that bridge contracts remain the most dangerous single point of failure in DeFi. Of the top 20 DeFi exploits in history, over 60% involved cross-chain bridge infrastructure. Despite this, bridges are indispensable to the multi-chain ecosystem — the challenge is making them dramatically more secure.
The incident has accelerated interest in formal verification of bridge contracts, time-locks on large withdrawals, and multi-sig governance with hardware security requirements for emergency councils.
Frequently Asked Questions
What happened with KelpDAO $292 Million Bridge Exploit?
A $292 million bridge exploit on KelpDAO on April 18, 2026 sent shockwaves through DeFi, triggering a $13 billion TVL outflow across the ecosystem. Here is what happened, how it was exploited, and what the response revealed about DeFi's composability risk.
Why does this matter for DeFi?
Events like this affect the broader DeFi ecosystem by influencing market sentiment, regulatory expectations, protocol adoption, and on-chain activity. Understanding the context helps investors and users make more informed decisions about their exposure to decentralised finance protocols.
How does this affect crypto investors?
Significant DeFi developments — whether protocol upgrades, regulatory actions, or market milestones — can shift capital flows, yield opportunities, and risk profiles across the ecosystem. Staying informed through credible sources is essential for risk management in DeFi.
Where can I learn more about KelpDAO?
Our KelpDAO research section covers protocols, ecosystems, and market developments in depth. Visit the relevant protocol or ecosystem page on this site for background context, or browse the DeFi Glossary for plain-English definitions of key terms.
Is this news verified?
Our editorial team verifies key claims against on-chain data, official announcements, and multiple primary sources before publication. We publish corrections promptly when new information changes our understanding.