#rsETHAttackUpdate


The rsETH exploit that unfolded on April 18, 2026, stands as the largest security incident in the cryptocurrency industry this year, with approximately $293.7 million drained from KelpDAO's liquid restaking protocol. The attack exploited vulnerabilities in the protocol's bridge contract, creating a cascading effect that rippled across multiple DeFi platforms and exposed critical systemic risks in cross-chain infrastructure.

The attack methodology was sophisticated yet followed a familiar pattern seen in previous bridge exploits. The perpetrator leveraged the compromised bridge to generate unbacked rsETH tokens, which were then deposited as collateral across major lending protocols including Aave V3, Compound V3, and Euler. By using these illicitly obtained assets, the attacker borrowed substantial amounts of WETH and wstETH, creating over $236 million in bad debt. The stolen funds were split between Ethereum mainnet and Arbitrum, with $178 million and $72 million respectively, demonstrating the cross-chain nature of the exploit.

Aave emerged as the most significantly impacted protocol, with approximately $221.39 million in tainted rsETH collateral used to borrow around $190.86 million in WETH and $2.33 million in wstETH across both Ethereum and Arbitrum instances. The protocol's service providers published an incident report outlining two bad-debt scenarios ranging from $123.7 million to $230.1 million, prompting immediate risk mitigation measures including the freezing of rsETH markets on both Aave V3 and V4. This action prevented additional deposits but left existing positions exposed, triggering a massive $10.1 billion outflow of user assets from the protocol as depositors rushed to withdraw their funds.

The contagion extended beyond Aave to at least nine protocols in total. Fluid confirmed it had paused all markets with potential rsETH exposure, while Compound's security partners submitted four governance proposals to adjust risk parameters on affected Comets. SparkLend froze its exposure, and Euler moved to contain the spreading risk. This cross-protocol impact highlights a fundamental vulnerability in DeFi's interconnected architecture, where assets deeply integrated across lending, vaults, and liquidity protocols can transmit failures instantaneously.

KelpDAO's response involved immediate contract pauses across mainnet and several layer-2 networks upon identifying suspicious cross-chain activity. The team announced partnerships with LayerZero, Unichain, their auditors, and security experts to conduct a root cause analysis. However, communications between KelpDAO and affected protocols appear to have been strained, with reports indicating that LayerZero had not issued specific recommendations to change the rsETH DVN configuration despite an open communication channel since July 2024.

The incident raises serious questions about bridge security in the restaking ecosystem. As Cyvers security experts noted, the ability to create unbacked synthetic assets through compromised bridging pathways and subsequently use them to borrow real assets represents exactly how such exploits escalate rapidly. The attack demonstrates that distributing assets across multiple chains does not distribute risk proportionally, and that bridge design has become an inseparable component of asset risk profiles in DeFi.

Industry observers have noted parallels with the earlier Drift Protocol exploit of $280 million, which this attack has now surpassed. The pattern of using compromised collateral to create bad debt across multiple platforms suggests that current risk management frameworks may be insufficient for the complexity of modern cross-chain DeFi. The Aave community is expected to discuss whether rsETH should be permanently delisted from all markets, following a pattern that has emerged after previous bad debt events.

The aftermath continues to unfold as protocols assess their exposure and implement remediation measures. The incident serves as a stark reminder that in DeFi's interconnected landscape, security is only as strong as the weakest link in the chain of integrated protocols. As the industry grapples with the implications of this exploit, the focus has shifted toward developing more robust cross-chain risk assessment frameworks and improving coordination between protocols when vulnerabilities are discovered.
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.
Contains AI-generated content
QueenOfTheDay
· 6h ago
To The Moon 🌕
Yusfirah
· 6h ago
2026 GOGOGO 👊
MasterChuTheOldDemonMasterChu
· 7h ago
Just charge forward 👊
MrFlower_XingChen
· 7h ago
To The Moon 🌕
ybaser
· 7h ago
2026 GOGOGO 👊