Crypto News Ethereum Exchanges Ripple

Kelp Restaking Protocol Exploited, $293M Drained

Kelp Restaking Protocol Exploited, $293m Drained
Kelp Restaking Protocol Exploited, $293m Drained

DeFi markets faced another high-profile setback this weekend as Kelp, a liquid restaking protocol, disclosed a cyber attack targeting its rsETH restaking token. The incident prompted an immediate pause of rsETH smart contracts across Kelp’s mainnet and multiple Layer-2 networks as the project investigates potentially hundreds of millions of dollars in losses. Blockchain security firm Cyvers later pegged the damage at about $293 million, signaling a significant hit to users and counterparties tied to the restaking ecosystem.

Kelp stated on X that it detected suspicious cross-chain activity involving rsETH and subsequently halted rsETH contracts on mainnet and several Layer-2s to prevent further damage while the investigation unfolds. Cyvers added that the attacker exploited the rsETH adapter bridge—the software component that manages the rsETH token—allowing the drain of funds from the platform. The firm also noted that the attacker has been actively moving funds, with a substantial portion converted into Ethereum (ETH).

In the wake of the breach, the attacker’s on-chain activity has increasingly relied on a Tornado Cash mixer-funded address. Cyvers reported that roughly $250 million of the stolen funds had already been swapped into ETH, underscoring the challenge of tracing and recovering assets in the DeFi space once they leave the original contract domains.

Key takeaways

  • The Kelp rsETH attack reportedly drained about $293 million, triggering contract pauses across Kelp’s mainnet and several Layer-2 networks as investigators assess the damage.
  • The attacker targeted the rsETH adapter bridge, leveraging cross-chain dynamics that underscore risks inherent to DeFi composability and restaking ecosystems.
  • At least nine protocols with exposure to rsETH reportedly froze activity in response, while Aave moved to suspend rsETH markets on V3 and V4 to contain risk.
  • Approximately $250 million of the stolen funds have been converted to ETH, with the attacker utilizing a Tornado Cash mixer-funded address, complicating on-chain tracing efforts.

Attack details and ecosystem response

According to Kelp, the breach traces to irregular cross-chain activity linked to rsETH, prompting an immediate safety pause to contain potential further loss. The company’s moderation was swift, spanning mainnet and several Layer-2 deployments, as the team works through the incident. While Kelp is conducting its investigation, the broader DeFi community has begun to map the ripple effects beyond a single protocol.

Blockchain security firm Cyvers provided a stark figure for the loss, estimating the total at about $293 million. The firm’s analysis highlights the risk that bridges and adapters—components that enable tokens like rsETH to move across chains—present when vulnerabilities exist in the bridging layer. The incident aligns with a pattern of high-severity exploits aimed at cross-chain and interoperable DeFi primitives, where a single compromised bridge can force widespread disruption across multiple protocols.

In response to the breach, several DeFi platforms publicly paused or limited exposure to rsETH. Notably, Aave—one of the largest DeFi lenders—announced that rsETH markets had been frozen on its V3 and V4 deployments. Cyvers notes that at least nine protocols reportedly had exposure to rsETH and executed precautionary freezes or withdrawal restrictions as a precautionary measure to prevent cascading losses.

Analysts and observers have highlighted a core risk exposed by the incident: the compounding nature of DeFi’s composability. When multiple protocols rely on a shared token or bridge, a vulnerability in one hinge can reverberate across the entire network, forcing sudden risk management actions across an otherwise diversified ecosystem. Cyvers senior leadership emphasized to Cointelegraph that this is precisely the kind of incident that underscores the fragility and complexity of modern DeFi infrastructure when bridges and adapters are compromised.

Contextual backdrop: a string of cybersecurity incidents

The Kelp attack sits within a broader panorama of DeFi hacks observed over the past several months. In late April, Drift Protocol—a decentralized derivatives exchange—suffered a major exploit that drained roughly $280 million from the platform. Drift’s post-mortem described a months-long intrusion, noting the attackers’ alleged infiltration of developer machines and the eventual deployment of malware. The incident traced to a sophisticated operation that reportedly included access gained at a large crypto conference, followed by collaboration with the attackers before the breach unfolded.

Taken together, these events illuminate a persistent security challenge for the nascent DeFi stack: attackers are increasingly targeting the risk-prone layers of cross-chain interoperability and restaking mechanisms, where a single vulnerability can cascade into sizable losses across multiple protocols. Industry participants continue to debate the best path forward—ranging from more stringent bridge audit standards to enhanced multi-party computation (MPC) and formal verification for cross-chain components.

What this means for investors, users, and builders

For users and liquidity providers, the Kelp incident underscores the importance of understanding the specific risk profiles of restaking and cross-chain primitives. Restaking naturally introduces an expanded attack surface: while it offers potential yield enhancements, it also increases reliance on the security of adapter contracts and bridges that connect across layers of the ecosystem. Investors should monitor how protocols respond to such incidents, particularly regarding fund recovery efforts, contingency plans, and the timelines for resuming normal operations.

From a builder’s perspective, the episode highlights several priorities: rigorous security testing of bridge and adapter code, heightened monitoring for cross-chain anomalies, and clearer disclosure frameworks around incident response. The drift toward rapid, publicized pauses—while essential for risk containment—also presses for standardized playbooks so that platforms can coordinate responses without sacrificing user trust.

Regulators and policymakers may also take note of the evolving security landscape, especially as DeFi protocols broaden their engagement with restaking mechanisms and more intricate cross-chain flows. The balance between innovation and resilience will likely shape ongoing discussions around security best practices and capital-adequacy considerations for DeFi incumbents as they scale.

Closing perspective

As the Kelp investigation unfolds, observers will be watching for a clearer accounting of the breach’s root causes, the effectiveness of the emergency pauses, and any progress toward asset recovery. The incident, along with Drift’s earlier breach, reinforces a central theme for the crypto markets: cross-chain and restaking infrastructures demand heightened scrutiny, robust security postures, and coordinated risk management across the ecosystem. Readers should stay tuned for updates on Kelp’s findings, the status of rsETH across major platforms, and any new measures aimed at hardening DeFi’s interconnected layers.

Risk & affiliate notice: Crypto assets are volatile and capital is at risk. This article may contain affiliate links. Read full disclosure

The Crypto Breaking News editorial team curates the latest news, updates, and insights from the global cryptocurrency and blockchain industry.

Related Posts