BIG STORY: Kelp DAO Suffers $292M Exploit; Aave Freezes rsETH Markets

Liquid restaking protocol @KelpDAO was exploited today for 116,500 rsETH worth about $292 million. The attacker quickly routed the stolen tokens through @aave, Compound V3, and Euler, borrowing more than $236 million in $wETH. The incident began at 17:35 UTC, when the attacker called LayerZero's lzReceive function on the EndpointV2 contract. A forged cross-chain packet allegedly fooled Kelp's bridge into releasing rsETH to wallets that had been pre-funded via Tornado Cash. Investigator @zachxbt flagged the attack shortly before 3 PM ET. Kelp's emergency multisig pause went live at 18:21 UTC, 46 minutes after the initial drain. Two additional attempts at 18:26 and 18:28 UTC reverted; each appeared to target another 40,000 rsETH, roughly $100 million. The stolen 116,500 rsETH equals about 18% of rsETH's circulating supply of roughly 630,000. With rsETH deployed across more than 20 networks, market participants are questioning the backing of wrapped versions on L2s. In response, @aave, SparkLend, Fluid, and @upshift_fi froze rsETH markets. Aave founder Stani Kulechov said Aave's contracts were not compromised and that rsETH now has "no borrowing power." Aave's Umbrella backstop, which replaced the legacy Safety Module in late 2025, is facing its first major real-world stress test. Elsewhere, @LidoFinance paused earnETH deposits. @ethena_labs paused its LayerZero OFT bridges for about six hours as a precaution despite reporting no rsETH exposure. $AAVE fell roughly 10% on the news. The exploit surpasses the April 1 @DriftProtocol hack ($285 million, linked to North Korea), making it the largest DeFi exploit of 2026 to date.