DeFi users pull $10 billion out of the market as $292 million exploit sparks bank-run optics
A $292 million exploit at KelpDAO set off a broad retreat throughout decentralized finance over the weekend, draining roughly $10 billion throughout the DeFi business and forcing a number of protocols to freeze markets tied to rsETH.
The breach started late Saturday when an attacker drained about 116,500 rsETH from KelpDAO’s cross-chain bridge. The stolen tokens have been value about $292 million at the time, in line with CryptoSlate information.
KelpDAO points rsETH to users who deposit ETH into its liquid restaking system. The platform then deploys these ETH via the restaking platform EigenLayer to generate further yield on high of normal staking returns.
KelpDAO’s loss now stands as the largest DeFi exploit of 2026 in the report, surpassing earlier assaults this 12 months.
How KelpDAO was exploited for $292 million
rsETH circulates throughout the broader market through LayerZero, a cross-chain messaging community that strikes directions and property between blockchains.
Yearn Finance core developer Banteg explained that the exploit hit the route linking Unichain to the Ethereum mainnet.
According to the on-chain analyst, the attacker pushed via a fraudulent message that the system accepted as legitimate, prompting the Ethereum-side adapter to launch pre-funded rsETH reserves.
This route was configured as a one-of-one decentralized verifier community path with out secondary verifiers that would have flagged the transaction.
Banteng acknowledged that the malicious transaction, recognized as nonce 308, was verified and delivered at 17:35 UTC.
Following the assault, the KelpDAO’s emergency multisignature pockets froze the protocol’s core contracts. This blocked two additional makes an attempt that collectively might have eliminated one other roughly $100 million in rsETH.
The preliminary stolen funds have been moved via Tornado Cash, obscuring the path earlier than the protocol’s response might include the injury.
Meanwhile, the drained reserve-backed wrapped rsETH circulated throughout secondary networks, together with Base, Arbitrum, Linea, Blast, Mantle, and Scroll. Once these reserves have been depleted, users holding rsETH off Ethereum confronted rising uncertainty round redemption and backing.
And that stress shortly fed into the relaxation of the market.
Aave takes the heaviest blow
The most extreme aftershock hit Aave, the largest crypto lending platform, the place the attacker allegedly deposited the stolen rsETH as collateral.
During the assault window, Aave’s pricing oracles continued to learn rsETH close to its regular peg, permitting the protocol to problem 106,467 ETH in opposition to the compromised collateral.
That left the platform going through a possible $236 million bad-debt publicity and triggered a rush for the exits.
Data from DeFiLlama confirmed Aave’s complete worth locked dropped from greater than $26 billion to about $20 billion as users withdrew funds.
The drawdown amounted to at least one of the sharpest pullbacks on the platform in latest reminiscence and turned a bridge exploit right into a liquidity occasion for the largest lending venue in DeFi.
On-chain analysts revealed that enormous ETH holders on the DeFi platform accelerated the transfer.
For context, TRON founder Justin Sun reportedly withdrew greater than 65,580 ETH, value about $154 million, in a single transaction.
As these sorts of withdrawals mounted, Aave’s ETH utilization fee reached 100%, leaving all accessible Ether on the platform both borrowed or withdrawn.
Meanwhile, the stress additionally spilled into Aave’s market value. The AAVE governance token fell greater than 18% as merchants priced in the risk of deeper losses.
This was exacerbated by heavy gross sales from massive AAVE wallets. Blockchain analytics platform Lookonchain reported that one entity recognized as smaugvision bought greater than 20,000 AAVE for $2.06 million, whereas one other investor bought the same quantity for $2.05 million. A 3rd whale bought practically 19,700 AAVE in trade for wrapped Bitcoin and ETH.
In response to those points, Aave froze the rsETH markets on each V3 and V4. The platform’s founder Stani Kulechov stated on X:
“rsETH has been frozen on Aave V3 and V4, the asset doesn’t have any borrowing energy as a measure on account of KelpDAO bridge exploit that occurred exterior of Aave. Both Aave V3 and V4 doesn’t have additional publicity to rsETH.”
Contagion spreads throughout DeFi
Apart from Aave, different DeFi protocols additionally skilled vital withdrawals from their platform on account of the assault.
0xngmi, the pseudonymous founder of DeFiLlama, reported that the incident triggered a $10 billion drop throughout the DeFi sector. This contains the $6 billion exodus from Aave.
Notably, information from DeFiLlama present that TVL for DeFi protocols has dropped 10% from round $99 billion on April 18 to $89 billion as of press time.
Meanwhile, the incident has additionally led a number of DeFi platforms to maneuver shortly to scale back their publicity to the embattled rsETH token.
DeFi analyst Ignas flagged eight further DeFi protocols, together with Lido, SparkLend, Fluid, Compound, and Euler, which froze their rsETH lending markets.
He added:
“I suppose LayerZero might be affected too, as rsETH have been bridged from L2s, so I’m wondering if these rsETH on L2s aren’t nugatory proper now.”
Meanwhile, Ethena, the developer of the artificial USDe greenback, briefly suspended its LayerZero bridges as a precaution, whereas stating that it had no publicity to rsETH.
Those strikes mirrored how extensively rsETH had been embedded throughout DeFi as it was deeply utilized in lending markets, vault merchandise, and collateral methods that relied on easy cross-chain transfers and confidence in reserve backing.
As that confidence weakened, protocols moved to ring-fence danger earlier than additional withdrawals or value dislocations might deepen the injury.
The pressure additionally uncovered the velocity at which capital can transfer as soon as collateral high quality comes into query. A bridge exploit at one venue was sufficient to ship shockwaves via a number of markets inside hours, pushing platforms to droop exercise even when their very own contracts had not been straight breached.
Crypto group requires resolution to DeFi bridge hacks
Jonathan Man, the Head of Multi-Strategy Solutions & DeFi Strategies at Bitwise, stated:
“This is one other setback however we are able to bounce again stronger. We as an business must collectively up our sport to ensure we’re constructing the future of finance on strong foundations.”
Meanwhile, the KelpDAO exploit additionally prompted broader dialogue about how lending protocols and token issuers can restrict the injury from hacks focusing on bridged or thinly traded property.
Keone Hon, co-founder of Monad, said pooled lending protocols ought to take into account imposing fee limits on how shortly an asset could be deposited and used as collateral.
Under that mannequin, an asset with a present circulating provide of $100 million and a proper cap of $300 million wouldn’t be allowed to leap straight to the full cap in a single burst. Instead, the provide allowed into the system would rise regularly over a set interval, such as 10 minutes or a number of hours.
Hon stated that strategy would cut the accessible exit paths when an unique asset is exploited, particularly in circumstances involving infinite-mint bugs.
He argued that the dimension of the loss is usually decided much less by the mint itself than by how a lot of the compromised asset could be offloaded into lending venues or different liquid exits earlier than markets react.
In that framework, massive lending protocols change into the most important launch valves as a result of decentralized trade liquidity is usually too restricted to soak up a serious exploit.
He added that asset issuers must also have an curiosity in tighter caps, significantly once they problem receipt tokens with delayed redemption. In these circumstances, the issuer shouldn’t be essentially uncovered to instant redemption stress from an attacker, however nonetheless advantages when downstream exit routes stay constrained.
Hon pointed to the Hyperbridge DOT exploit and the Resolv incident as examples the place losses stayed under extra catastrophic ranges as a result of the accessible paths for exiting the hacked asset have been restricted.
Guy Young, founder of Ethena, endorsed that view and stated issuers ought to take into account including fee limits at the mint and redemption layer, as properly as customized throttles on high of LayerZero’s OFT normal.
The publish DeFi users pull $10 billion out of the market as $292 million exploit sparks bank-run optics appeared first on CryptoSlate.
