KelpDAO LayerZero exploit drains $293M rsETH via cross-chain flaw
The KelpDAO LayerZero exploit marks another high point in Q2 2026 DeFi security losses, with reported industry cyber damage topping $840M and cross-chain bridge failures taking a major share.
Attackers drained 116,500 rsETH (about $293M). The breach was not a bug in KelpDAO’s Ethereum staking contracts. Instead, the KelpDAO LayerZero exploit abused a single point of trust in LayerZero’s Omnichain Fungible Token (OFT) cross-chain message routing.
According to the latest account, the hackers injected fraudulent state instructions. The smart contracts executed normally, but they processed a fabricated message that falsely confirmed an off-chain asset deposit. That triggered the unauthorized release and minting of ~18% of the rsETH supply, diluting the pool and draining underlying liquidity. The initial exploit reportedly completed in 1m48s, and the funds were consolidated into the master hacker wallet within about two hours.
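One defensive control against a fabricated deposit confirmation is a reconciliation monitor that checks every destination-chain mint against deposits read independently from the source chain. The sketch below is an added example, not code from KelpDAO or LayerZero; the `Transfer` record, the `reconcile` function, the 2% pause threshold, the message ids and the supply figure are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    msg_id: str   # cross-chain message identifier (hypothetical field name)
    amount: int   # whole tokens, to keep the arithmetic exact

def reconcile(deposits, mints, supply_before, max_unbacked_bps=200):
    """Compare destination-chain mints with deposits read independently
    from the source chain. Returns (alerts, unbacked_total, pause)."""
    backing = {d.msg_id: d.amount for d in deposits}
    seen, alerts, unbacked = set(), [], 0
    for m in mints:
        if m.msg_id in seen:
            alerts.append((m.msg_id, "replayed message id"))
            unbacked += m.amount
        elif m.msg_id not in backing:
            alerts.append((m.msg_id, "no matching source-chain deposit"))
            unbacked += m.amount
        elif m.amount > backing[m.msg_id]:
            alerts.append((m.msg_id, "mint exceeds deposit"))
            unbacked += m.amount - backing[m.msg_id]
        seen.add(m.msg_id)
    # Pause when unbacked mints exceed the allowed share of supply (basis points).
    pause = unbacked * 10_000 > supply_before * max_unbacked_bps
    return alerts, unbacked, pause

# Constructed sample window. 116_500 echoes the amount reported above;
# the supply figure and message ids are invented for illustration.
DEPOSITS = [Transfer("m-001", 1_200), Transfer("m-002", 300)]
MINTS = [Transfer("m-001", 1_200), Transfer("m-002", 450),
         Transfer("m-003", 116_500), Transfer("m-001", 1_200)]
SUPPLY_BEFORE = 647_000

if __name__ == "__main__":
    alerts, unbacked, pause = reconcile(DEPOSITS, MINTS, SUPPLY_BEFORE)
    for msg_id, reason in alerts:
        print(f"ALERT {msg_id}: {reason}")
    print(f"unbacked={unbacked} pause={pause}")
```

The check only has value if the deposit list comes from the monitor's own view of the source chain, not from the same message path that delivered the mint instruction.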
Impact on DeFi markets: the stolen rsETH was quickly posted as collateral on secondary lending venues, enabling borrowers to pull roughly $236M in USDC/USDT before risk oracles reacted. Aave appears among the most exposed protocols in earlier reporting, and the later details highlight rapid downstream leverage pressure rather than a direct protocol hack. The Arbitrum Security Council later froze 30,766 ETH (over $71M) tied to the incident. The remaining funds were routed through THORChain to BTC and partially laundered via Tornado Cash and other privacy-oriented cross-chain paths.
Trader takeaway: treat the KelpDAO LayerZero exploit as composability contagion. It raises near-term tail risk for tokenized assets and bridge-dependent flows, and it increases the likelihood of tighter collateral rules and more conservative lending/approval practices.
Bearish
Bearish for the affected ecosystem’s immediate pricing, even though the cause is not necessarily a direct rsETH contract bug. The KelpDAO LayerZero exploit inflated supply and broke the market’s collateral assumptions, then allowed fast collateral recycling into major lending venues before risk controls updated. That combination typically increases liquidation and credit-risk fears, widens risk premiums for tokenized assets, and can pressure related prices in the short term. In the longer term, the expectation of stricter collateral rules, bridge isolation, and approval hygiene can stabilize operations, but near-term sentiment usually remains negative until the scope of losses and bad debt is fully quantified and handled.