The Biggest Hack of 2026: What We Know About the $294M KelpDAO Exploit
Multiple on-chain safety corporations and business sleuths reported late on Saturday that the liquid restaking protocol KelpDAO had fallen sufferer to a serious hack through which the perpetrators drained almost $300 million.
The group behind the undertaking confirmed the incident hours later, and added that they’ve partnered with LayerZero, Unichain, their auditors, and ‘prime safety specialists’ to resolve the problem.
The Biggest Hack of 2026
Cyvers was amongst the safety assets that detected the breach in its preliminary part and later supplied a extra detailed rationalization of what occurred. According to a publish they shared with CryptoPotato, the attacker exploited the protocol’s bridge contract and siphoned roughly $293.7 million from its liquid restaking token, rsETH.
The unhealthy actor moved rapidly after taking maintain of the funds and swapped them into ETH. They unfold them throughout Ethereum and Arbitrum, with the on-chain exercise displaying that the attacker break up the funds into two batches: $178 million on the former and $72 million on the layer-2 chain.
The stolen rsETH was deposited into lending protocols like Aave V3, Compound V3, and Euler. By utilizing the illicitly obtained funds, they borrowed substantial quantities of WETH, creating greater than $236 million in debt.
Cyvers defined that an attacker can find yourself creating unbacked rsETH after which use it to borrow actual property like ETH, which is “precisely how this type of exploit blows up so quick.” The safety specialists added that this instantly grew to become a cross-protocol contagion occasion, not only a single protocol exploit. Such property which might be deeply built-in throughout lending, vaults, and liquidity protocols are significantly prone to comparable incidents, and one failure “doesn’t keep contained.”
“It spreads immediately, creating unhealthy debt, forcing market freezes, and impacting a number of platforms without delay.”
Aave V3 froze rsETH markets, SparkLend froze publicity, whereas Fluid, Compound, Euler, and others moved to comprise danger. Cyvers stated that at the least 9 protocols had been affected.
KelpDAO Talks
The undertaking’s official X account confirmed the breach after they’d “recognized suspicious cross-chain exercise involving rsETH.” They stated they paused these contracts throughout the mainnet and a number of other layer-2s as the investigation continued.
Although they’re working with LayerZero, Unichain, auditors, and different safety specialists on the matter, there hasn’t been one other replace in the previous 10 hours as of press time on what’s subsequent and what customers would possibly anticipate.
Earlier right now we recognized suspicious cross-chain exercise involving rsETH. We have paused rsETH contracts throughout mainnet and a number of other L2s whereas we examine.
We are working with @LayerZero_Core, @unichain, our auditors and prime safety specialists on RCA.
We will maintain you…
— Kelp (@KelpDAO) April 18, 2026
KelpDAO’s hack grew to become the largest in the business to date in 2026, surpassing the earlier ‘record-holder’, Drift Protocol, whose exploit was for $280 million.
The publish The Biggest Hack of 2026: What We Know About the $294M KelpDAO Exploit appeared first on CryptoPotato.
