Unknown individuals withdrew $292 million from the Kelp crypto protocol., 2026/04/19 09:55:01

On Saturday, April 18, unknown individuals targeted Kelp, one of the largest liquid restaking protocols within the EigenLayer ecosystem, which has a total locked value exceeding $1 billion. The attackers extracted 116,500 rsETH valued at $292 million, representing approximately 18%.

The Kelp cross-chain bridge, built on LayerZero, was highlighted by blockchain researcher ZachXBT. According to Cyvers, the perpetrators received preliminary funding via Tornado Cash roughly ten hours prior to the attack.

The hackers aimed at the Omnichain Fungible Token (OFT) adapter on Ethereum—a contract that holds a reserve of rsETH, backing each wrapped version of the token across more than 20 Layer-2 chains, including Arbitrum, Base, Blast, Linea, and Mantle. Under normal circumstances, the system operates as follows: a user burns wrapped rsETH in one network (for instance, in Arbitrum), LayerZero transmits a cryptographically verified message to Ethereum, and the Kelp adapter verifies the transaction and releases an equivalent amount of actual rsETH from the reserve.

During the attack, the verification stage malfunctioned: the attackers managed to deceive the LayerZero cross-chain layer, leading the system to believe that a valid instruction had been received from another network. Consequently, the Kelp bridge released 116,500 rsETH to an address controlled by the hackers—without burning tokens from the other side or making a deposit. 

Kelp responded to the attack 46 minutes later by freezing the LRT deposit pool, the withdrawal module, LRTOracle, and the rsETH token contract itself. This action helped prevent the withdrawal of an additional 80,000 rsETH. Had a second wave of the attack been successful, total losses could have reached $391 million. The platform has not yet offered a reward for the return of funds, initiated negotiations with the hacker, or announced a compensation plan.

Six wallets belonging to the attackers, according to ZachXBT, are located on the Ethereum and Arbitrum networks and contain a mix of rsETH, ETH, and WETH. The tokens have not yet been transferred to centralized exchanges or routed through Tornado Cash.

A notable aspect of the hack is that the attackers not only withdrew funds but also utilized them to create substantial debt positions, as reported by The CryptoTimes. Within minutes of the attack, the stolen rsETH was used as collateral on platforms Aave V3, Compound V3, and Euler. Under this collateral, the hackers borrowed approximately 74,000 ETH and WETH, totaling over $236 million. On Aave alone, the perpetrator borrowed around $120 million in Ether.

The mechanism involved: the hackers used tokens as collateral that they had just stolen. The rsETH contract validated their legitimacy, the oracle appraised them at full value, and for Aave, Compound, and Euler, the funds appeared as legitimate collateral worth $292 million, even though the actual rsETH was already in the hacker’s wallet.

The lending platforms Aave, Compound, and Euler still have outstanding debt positions created by the attackers.

Aave has frozen the rsETH markets on V3 and V4. SparkLend and Fluid have suspended operations with rsETH. Lido Finance has also halted deposits into its vault earnETH, clarifying that stETH and wstETH are unaffected. Ethena temporarily disabled LayerZero bridges between Ethereum and other networks for six hours. 

In light of these events, the price of the AAVE token fell by 18% on Sunday, April 19, while Ether decreased by 2%, and stETH and wstETH experienced a brief drop of 4%.

On April 1, a significant attack occurred on the Drift protocol, during which attackers withdrew over $280 million. This hack was linked to North Korean hackers who managed to deceive the protocol’s staff and gain access to their signatures.