#rsETHAttackUpdate

The rsETH exploit that occurred on April 18, 2026, is the largest security incident in the cryptocurrency industry this year, with approximately $293.7 million flowing out of KelpDAO's liquid restaking protocol. The attack exploited vulnerabilities in the protocol's bridge contract, creating a chain reaction that spread across various DeFi platforms and revealed critical systemic risks in cross-chain infrastructure.
This attack methodology is sophisticated but follows familiar patterns seen in previous bridge exploits. The perpetrators leveraged compromised bridges to generate unsupported rsETH tokens, which were then deposited as collateral in major lending protocols including Aave V3, Compound V3, and Euler. Using these illegal assets, the attacker borrowed large amounts of WETH and wstETH, creating over $236 million in bad debt. The stolen funds were split between the Ethereum mainnet and Arbitrum, amounting to $178 million and $72 million respectively, demonstrating the cross-chain nature of this exploit.
Aave emerged as the most significantly impacted protocol, with around $221.39 million in contaminated rsETH collateral used to borrow approximately $190.86 million in WETH and $2.33 million in wstETH across both Ethereum and Arbitrum instances. The protocol service providers issued incident reports outlining two bad debt scenarios ranging from $123.7 million to $230.1 million, prompting immediate risk mitigation steps including freezing the rsETH market on Aave V3 and V4. These actions prevented additional deposits but left existing positions open, triggering user asset withdrawals totaling $10.1 billion as depositors rushed to pull their funds.
The contagion spread beyond Aave to at least nine other protocols. Fluid confirmed it had halted all markets with potential rsETH exposure, while its security partner, Compound, submitted four governance proposals to adjust risk parameters on affected Comet markets. SparkLend froze its exposure, and Euler moved to control risk dissemination. This cross-protocol impact highlights fundamental vulnerabilities in interconnected DeFi architecture, where assets deeply integrated across loans, vaults, and liquidity protocols can transmit failures instantly.
KelpDAO's response involved directly pausing contracts on the mainnet and several layer-2 networks after detecting suspicious cross-chain activity. The team announced partnerships with LayerZero, Unichain, their auditors, and security experts to conduct root cause analysis. However, communication between KelpDAO and the affected protocols appears tense, with reports indicating that LayerZero has yet to issue specific recommendations for modifying the rsETH DVN configuration despite open channels since July 2024.
This incident raises serious questions about bridge security within the restaking ecosystem. As security expert Cyvers noted, the ability to create unsupported synthetic assets via compromised bridges and then use them to borrow real assets demonstrates how rapidly such exploits can evolve. The attack shows that asset distribution across multiple chains does not proportionally distribute risk, and that bridge design has become an integral component of the risk profile for assets in DeFi.
Industry observers note similarities with the previous Drift Protocol exploit, which involved $280 million and has now been surpassed by this attack. The pattern of using compromised collateral to generate bad debt across platforms indicates that current risk management frameworks may be insufficient for the complexities of modern cross-chain DeFi. The Aave community is expected to discuss whether rsETH should be permanently removed from all markets, following the pattern that emerged after previous bad debt incidents.
The post-incident impact continues to evolve as protocols assess their exposure and implement corrective measures. This incident serves as a stark reminder that in the interconnected DeFi landscape, security is only as strong as the weakest link in the chain of integrated protocols. As the industry grapples with the implications of this exploit, focus shifts toward developing more robust cross-chain risk assessment frameworks and improving coordination among protocols when vulnerabilities are discovered.