What happened: the KelpDAO bridge attack
On April 18, 2026, an attacker exploited a vulnerability in KelpDAO's cross-chain bridge infrastructure to drain $292 million in liquid restaking tokens — making it the largest DeFi exploit of 2026 and one of the ten largest in the industry's history.
KelpDAO is a liquid restaking protocol built on EigenLayer, where users deposit ETH or stETH and receive rsETH — a liquid token representing restaked positions. The bridge connecting rsETH between Ethereum mainnet and Layer 2 networks contained a flaw in its message verification logic. The attacker forged a series of withdrawal messages that the bridge accepted as valid, allowing them to drain the collateral pool.
The exploit triggered an immediate cascade: rsETH depegged to approximately 0.71 ETH within hours as holders rushed to exit. The panic spread to other restaking tokens — weETH (EtherFi) fell 4%, ezETH (Renzo) fell 6%. Total DeFi TVL dropped from roughly $115 billion to $102 billion within 48 hours as the sector absorbed the shock.
The $13 billion TVL outflow
The $13 billion TVL outflow that followed was not caused solely by the exploit itself — it reflected a broader panic withdrawal from restaking protocols and yield-bearing ETH products as confidence in composable DeFi infrastructure temporarily collapsed.
Aave saw over $2.1 billion in withdrawals as users reduced exposure to ETH-correlated collateral. Lido's stETH briefly traded at a 2.1% discount to ETH as sellers overwhelmed DEX liquidity. Pendle Finance, which offers fixed-yield products on restaking tokens, saw its TVL fall by 28% within a week.
However, blue-chip protocols demonstrated genuine resilience. No additional protocol was exploited during the crisis period. Aave's risk parameters correctly prevented any bad debt despite the collateral price movements. Uniswap's liquidity remained deep. The episode stress-tested DeFi's composability stack and most core infrastructure held.
Governance response and recovery
KelpDAO's emergency governance council moved within six hours of the exploit, pausing the bridge and issuing a post-mortem within 24 hours. A recovery plan was structured using the protocol's treasury and a commitment to reimburse affected users through a phased compensation fund.
The exploit immediately prompted calls across the DeFi ecosystem for standardised bridge security requirements. EigenLayer published updated AVS security guidelines. Restaking protocols across the board paused bridge functionality for audits.
As of late May 2026, approximately $180 million of the $292 million had been traced to wallets linked to a state-affiliated hacking group. On-chain investigators noted transaction patterns consistent with previous North Korea-linked DeFi exploits.
What this means for restaking and DeFi composability
The KelpDAO exploit reignited a fundamental debate about DeFi composability risk — the tendency for losses in one protocol to cascade through interconnected systems. Restaking amplifies this risk by design: the same ETH secures multiple layers simultaneously, meaning distress in one layer can propagate to all others.
Security researchers have noted that bridge contracts remain the most dangerous single point of failure in DeFi. Of the top 20 DeFi exploits in history, over 60% involved cross-chain bridge infrastructure. Despite this, bridges are indispensable to the multi-chain ecosystem — the challenge is making them dramatically more secure.
The incident has accelerated interest in formal verification of bridge contracts, time-locks on large withdrawals, and multi-sig governance with hardware security requirements for emergency councils.