The scale of the theft is staggering. On April 18, an attacker drained 116,500 rsETH, worth about $292 million, from Kelp DAO's bridge. That represents roughly 18% of rsETH's circulating supply, making it the largest DeFi hack of 2026 so far. The immediate price impact was severe, with the token's value collapsing as trust evaporated.
The stolen funds didn't just vanish; they flowed directly into lending protocols, creating a massive liquidity crunch. The attacker moved the collateral into venues like Aave, Compound, and Euler, building more than $236 million in debt positions. This activity triggered protocol freezes as risk containment measures. Aave, for instance, froze rsETH markets on both its V3 and V4 platforms, while SparkLend and Fluid took similar steps.
The cascading effect extended beyond the initial lending venues. The attack created over $280 million in bad debt across protocols, forcing a broader ecosystem response. Lido Finance paused deposits into its earnETH product due to rsETH exposure, and Ethena temporarily paused its own LayerZero OFT bridges as a precaution. This rapid spread highlights how a single exploit can trigger a liquidity freeze across interconnected DeFi systems.
Contagion Through Lending Protocols and Debt Accumulation
The attack vector was a sophisticated spoof, not a direct smart contract exploit. The attacker manipulated a misconfigured cross-chain verification setup in Kelp's bridge, feeding false data to its single-point-of-failure verification network. This tricked the Ethereum contract into releasing funds based on a phantom token burn, allowing the theft of 116,500 rsETH, worth about $292 million.
The stolen collateral flooded lending markets, creating a massive liquidity crunch. Protocols like Aave, SparkLend, and Fluid were forced to act immediately. Aave's Guardian froze rsETH markets across its V3 and V4 platforms starting at 18:52 UTC on April 18, halting new deposits and borrows against the token. This freeze was a direct response to the sudden, uncollateralized debt load from the stolen assets.
The bridge's design amplified the contagion. By holding reserves backing wrapped rsETH across 20+ chains, the theft potentially undercollateralized every non-Ethereum deployment of the token. This systemic risk triggered a broader ecosystem freeze, with Lido pausing earnETH deposits and Ethena pausing its LayerZero bridges as a precaution. The attack exposed how a single, poorly secured verification layer can poison data across an entire network of interconnected protocols.
Systemic Risk Exposure and Verification Layer Vulnerabilities
The hack has intensified sector-wide doubts about DeFi resilience, triggering a sharp negative sentiment shift. The immediate fallout spread far beyond Kelp, sparking heavy withdrawals from major lending platforms. Data shows Aave saw net outflows of -6,200 ETH (-23%) and similar pressure across other protocols, creating a cascading liquidity stress. This panic reflects a broader loss of confidence in cross-chain security, with the attack exposing how flexible "modular" infrastructure without strong minimum standards can create systemic risk.
The primary risk is the long-term depegging of rsETH and the potential for further collateral liquidations. With the bridge's reserve drained, the backing for wrapped rsETH on over 20 networks is now in question. This creates a feedback loop where holders on Layer 2s may panic and redeem, pressuring the unaffected Ethereum supply. The over $280 million in bad debt across protocols acts as a persistent overhang, increasing the likelihood of forced liquidations if the token's peg cannot be restored.
The key catalysts to watch are the resolution of the Arbitrum Security Council's freeze on over 30,000 ETH of attacker funds and any official redemption plan from Kelp DAO. The Council's intervention, which froze a significant portion of the attacker's downstream funds, is a critical first step in containing the damage. However, the ultimate recovery path depends on Kelp DAO's ability to address the verification layer flaw and provide a credible plan to redeem tokens, which will determine whether rsETH can regain its peg or face a prolonged depegging event.