The $293 Million KelpDAO Hack: Why DeFi’s Real Threat Is No Longer Smart Contract Bugs


The $293 million KelpDAO exploit has become the defining security event of 2026 in decentralised finance – not because of its size alone, but because of what it revealed about where DeFi’s vulnerabilities actually live. The hack wasn’t a smart contract bug. It was something harder to fix.

KelpDAO is a liquid restaking protocol built on Ethereum that issues rsETH, a token representing staked ETH positions. At its peak, the protocol held hundreds of millions in user deposits. On April 18, 2026, an attacker exploited a vulnerability in its bridge infrastructure to drain roughly $293.7 million from the protocol.

How the Attack Worked

The exploit targeted KelpDAO’s bridge contract – the component that allows assets to move between Ethereum mainnet and other networks – rather than the core liquid restaking logic. According to blockchain security firm Cyvers, which detected the breach in its early stages, the attacker gained unauthorised control over the bridge contract and used it to siphon funds from the rsETH reserves.

Galaxy Research, which produced one of the most detailed post-mortems on the incident, described the attack as exploiting “risks in DeFi lending, bridging, and multisig security.” The attacker was able to compromise a shared infrastructure dependency – LayerZero, the cross-chain messaging protocol – to manipulate how the bridge contract processed messages.

CryptoPotato’s analysis confirmed: “The attacker exploited the protocol’s bridge contract and siphoned roughly $293.7 million from its liquid restaking token, rsETH.”

The Infrastructure Attack Surface

Traditional smart contract audits focus on the logic of a protocol’s own code. KelpDAO’s core restaking contracts had been audited and weren’t the point of failure.

Instead, the exploit abused the protocol’s reliance on third-party bridging infrastructure. Modern DeFi protocols are deeply interconnected – they depend on price oracles, cross-chain bridges, external liquidation bots, and shared governance contracts. Each dependency is a potential attack surface.

As CoinDesk’s analysis of the incident noted, the $293 million hack “exposed how modern DeFi’s biggest vulnerabilities increasingly come from infrastructure, governance and operational security and not smart contract bugs, as protocols become deeply interconnected through bridges, third-party software and shared dependencies.”

Multisig and Governance Failures

Beyond the bridge vulnerability, the incident also exposed weaknesses in KelpDAO’s incident response infrastructure. The protocol’s multisig setup – the system that requires multiple keyholders to approve major contract changes – didn’t respond quickly enough to limit the damage once the attack was underway.

DeFi protocols that hold hundreds of millions in user assets are now being expected to maintain near-instant emergency response capabilities, including monitored multisig wallets with dedicated signers available around the clock. The industry standard for security infrastructure hasn’t kept pace with the asset values being protected.

The Restaking Risk Premium

The KelpDAO exploit specifically targeted liquid restaking, an area of DeFi that has grown rapidly since Ethereum’s expansion of restaking infrastructure through EigenLayer and related protocols. Liquid restaking tokens like rsETH allow users to earn additional yield on already-staked ETH by lending out the economic security of their stake.

The complexity of these instruments – ETH → staked ETH → liquid restaking token → bridged across chains → used as collateral in lending protocols – creates a chain of trust dependencies. Break any link, and the losses cascade.

The KelpDAO attack is being studied as a case study in what security researchers call “composability risk” – the danger that DeFi protocols build on each other’s infrastructure without fully accounting for inherited attack surfaces.

Recovery and Response

KelpDAO’s team responded with a freeze on the bridge contracts and worked with security researchers and exchanges to identify the attacker’s wallet addresses. Some recovery efforts are ongoing, but the majority of the $293 million hasn’t been returned.

The protocol has since undergone a complete security review and is working on a restructured bridge architecture with independent audits of every external dependency. Full protocol resumption is pending the outcome of that review.

Industry Implications

The DeFi security field in 2026 is pushing protocols toward more conservative infrastructure choices: fewer bridge dependencies, simpler composability stacks, higher multisig thresholds, and mandatory real-time monitoring.

The KelpDAO hack has also renewed calls for on-chain insurance products that could cover bridge and infrastructure failures – a category that existing DeFi insurance protocols have struggled to adequately price because the tail risks are so difficult to model.

For users, the incident is a reminder that audited smart contract code is necessary but not sufficient for security. The risks now live in the spaces between protocols.

FAQ

What was the KelpDAO hack? On April 18, 2026, an attacker exploited KelpDAO’s bridge contract – connected to the LayerZero cross-chain messaging protocol – to drain approximately $293 million in rsETH (liquid restaking ETH). It’s the largest DeFi exploit of 2026 to date.

Was the KelpDAO smart contract code audited? Yes. The core restaking contracts had been audited and weren’t the point of failure. The vulnerability was in the bridge infrastructure, which relied on a third-party cross-chain messaging protocol (LayerZero), highlighting that audited code isn’t sufficient protection against infrastructure-level attacks.

Has KelpDAO recovered the stolen funds? Most of the $293 million hasn’t been recovered as of May 2026. The protocol has frozen bridge operations and is working with security researchers. Recovery efforts are ongoing but haven’t produced significant returns of stolen assets.

Sources: CoinDesk, Galaxy Research, Cyvers, CryptoPotato, DEXTools News, PYMNTS.com

cg_editor
Crypto Reporter

cg_editor covers cryptocurrency markets, blockchain technology, and decentralized finance for CryptoGazette.