The attack targeted the LayerZero-based bridge that moves rsETH across blockchain networks, not the core restaking vault contracts where user deposits are held. Kelp DAO's emergency pauser multisig, a group of signers authorized to pause the protocol in a crisis, reportedly froze the affected contracts roughly 46 minutes after the attacker completed the initial drain, with at least two follow-up attempts to exploit the frozen protocol reportedly blocked. These figures have not been independently confirmed by on-chain transaction hash verification at time of publication. As of publication, core contracts remain paused with no confirmed timeline for resumption. Kelp DAO had not issued a confirmed public statement about the exploit at time of publication; readers seeking live updates should monitor @KelpDAO on X.

If the $292 million figure is confirmed, this becomes the largest single DeFi exploit of 2026, surpassing the Drift Protocol hack of April 1, which various reports place between $285 million and $286 million. That attack, which security firm Elliptic has described as suspected DPRK-linked, itself triggered a wave of attacks across at least 12 other protocols in the weeks that followed.

---

How the Attack Likely Worked

rsETH operates as an Omnichain Fungible Token, or OFT, under LayerZero's V2 standard. In this model, tokens are burned on a source blockchain and minted on a destination chain after a verified cross-chain message is sent and accepted. The security of that minting process depends heavily on how developers configure their Decentralized Verifier Networks (DVNs), which are the entities responsible for validating cross-chain messages.

L2Beat's risk assessment of LayerZero V2 OFTs flags a specific vulnerability relevant here: "Funds can be stolen if there is no custom security stack configured and the LayerZero Multisig changes the default security stack maliciously." LayerZero's own documentation acknowledges the tradeoff directly, stating that risk "varies, depending on the technological decisions (OApp configuration and security stack) made by the developers." The precise exploit vector has not been confirmed by Kelp DAO or LayerZero at time of publication.

A collateral risk report by LlamaRisk had already flagged LayerZero as a concentration risk for rsETH, noting that, as of its July 2024 assessment, LayerZero held roughly 16.3 percent of the total rsETH supply, with about 16,468 rsETH bridged to Arbitrum. The same report raised a separate concern: the protocol had no active bug bounty program, which the researchers described as urgent given the scale of assets under management.

---

Protocol Background and Token Metrics

Kelp DAO is the liquid restaking product arm of Kernel DAO, a multi-chain restaking protocol that rebranded from Kelp DAO in late 2024. The protocol was founded by Amitej Gajjala, who holds degrees from IIT Madras and IIM Calcutta, and Dheeraj Borra, who studied at IIT Kharagpur and UT Austin. Both previously co-founded Stader Labs, a Hyderabad-linked liquid staking protocol that managed over $1 billion in staked assets.

Kernel DAO reported more than $2 billion in total value locked (TVL) across its Kelp, Kernel, and Gain products, with integrations spanning over 120 DeFi protocols, more than 10 Layer-2 networks, and over 300,000 unique addresses.

rsETH's market capitalization stood at roughly $1.55 billion before the exploit, with a circulating supply of approximately 650,000 tokens. The per-token price had been approximately $2,543 as recently as April 14, declining to approximately $2,388 in the days immediately before the attack. The token's all-time high was $5,190.

The protocol raised an early token round at a $90 million valuation in 2024.

This was not Kelp DAO's first security incident. In April 2025, the protocol paused deposits and withdrawals after a bug in its fee contract caused excess rsETH minting. The team stated no user funds were lost in that incident. Three separate audits conducted between December 2023 and March 2024 uncovered 37 total issues, including four high-severity findings, all of which were reportedly resolved.

---

Regional Exposure: India, Africa, and Beyond

The exploit carries particular weight in South Asia. Kelp DAO's founding team has strong ties to India's technical and startup communities, giving rsETH meaningful brand recognition among Indian retail crypto users. India ranks consistently in the top five globally for crypto adoption, per Chainalysis adoption indices.

Indian users who held bridged rsETH positions now face a freeze on those assets with no confirmed recovery timeline.

The incident may attract additional scrutiny from Indian regulators, including the Securities and Exchange Board of India and the Financial Intelligence Unit, both of which have been increasing their oversight of DeFi products.

In Africa, where users in Nigeria, Kenya, and South Africa have shown growing interest in restaking yields as a partial hedge against currency depreciation, the freeze creates a more acute problem. With limited local exchange availability, repositioning out of a frozen bridged asset is not a straightforward option.

Bridge exploits of this kind have historically fallen hardest on users in emerging markets, where limited local exchange options reduce liquidity alternatives when cross-chain assets become frozen.

Any rsETH positions used as collateral in DeFi liquidity pools, including on protocols such as Curve and Balancer, also risk cascading liquidations if the token's price depeg continues.

---

A Difficult Year for Cross-Chain Infrastructure

Bridge exploits have accounted for roughly 40 percent of all value ever stolen in Web3, with cumulative losses exceeding $2.8 billion historically.

The 2026 cycle has added fresh pressure: CrossCurve lost $2.9 million in February, IoTeX lost $4.4 million the same month, and now Kelp DAO has recorded what may be the year's worst single incident. Total DeFi losses across all incidents in February 2026 reached approximately $23.63 million, illustrating how much sustained pressure the current cycle has placed on cross-chain infrastructure.

Preliminary on-chain analysis, pending independent transaction hash confirmation, suggests that Kelp DAO's emergency pauser multisig responded within approximately 46 minutes of the initial drain and blocked at least two follow-up exploitation attempts, indicating the protocol's emergency controls may have functioned as designed after the initial breach.

Whether that partial success translates into a credible recovery plan, and what compensation, if any, affected users can expect, will define the protocol's path forward. Users and observers should monitor official communications from @KelpDAO and @LayerZero_Core on X, and can track on-chain developments in real time through Etherscan, Arkham, or Lookonchain for confirmation of the exploit vector and any fund recovery efforts.