Security Breach at Kelp
A recent security breach has rocked Kelp, a platform specializing in liquid restaking. On Saturday, the platform alerted users to a cyber incident that has severely impacted its rsETH token functionalities. Promptly reacting to detected irregularities in cross-chain operations, the Kelp team halted all smart contract activities across their main network, as well as several Layer-2 networks. They are currently conducting a thorough investigation to gauge the full extent of the incident.
Financial Fallout
Cybersecurity firm Cyvers has estimated the financial fallout from this exploit at approximately $293 million, identifying the target as the rsETH adapter bridge contract, a crucial component responsible for transferring tokens between different blockchain networks. The attacker managed to manipulate this contract, resulting in a rapid outflow of assets.
According to Cyvers, the assailant’s actions were facilitated through an address linked to Tornado Cash, a service noted for obscuring transaction histories. Notably, around $250 million of the loot has reportedly been converted into Ether, prompting alarm within the wider DeFi ecosystem. Platforms linked to rsETH are now on high alert, engaging monitoring teams to track the movement of these assets.
Impact on the DeFi Ecosystem
As of now, no recovery of the stolen funds has been reported and Kelp has not provided additional technical specifics regarding the breach.
The repercussions of the attack have created what Cyvers has termed “cross-protocol contagion,” affecting at least nine other cryptocurrency platforms. Many operators rushed to limit their exposure to rsETH, with Aave announcing the suspension of rsETH markets on its V3 and V4 platforms to contain risk and prevent additional financial losses. Cyvers CEO Deddy Lavid remarked that such events underscore the inherent risks associated with the interconnected nature of decentralized finance.
Ongoing Vulnerabilities in Crypto
This incident is part of a worrying trend of crypto platform breaches, with hacking and scam losses totaling around $482 million in just the first quarter of 2026. Such breaches diminish user trust and disrupt platform functionality. Additionally, Drift Protocol recently experienced a significant exploit, resulting in a loss of $280 million, further highlighting ongoing vulnerabilities within the decentralized finance sector.