A cross-chain bridge exploit targeting Kelp DAO resulted in approximately $292 million in losses, draining reserves of the protocol’s liquid restaking token rsETH and prompting swift risk controls across decentralized finance (DeFi). Lending platform Aave moved to freeze affected markets to limit potential contagion while assessments continue.
What happened
The incident involved a bridge connected to Kelp DAO, enabling the attacker to siphon funds and deplete rsETH reserves. rsETH is Kelp DAO’s liquid restaking token designed to represent restaked ether and is used across multiple DeFi protocols. The scale of the exploit places it among the most significant DeFi security breaches this year.
Market response and risk controls
In response to the exploit, Aave froze markets with exposure to the impacted assets, a standard risk mitigation measure intended to prevent new borrowing or collateral activity while risk parameters are reviewed. Such freezes are designed to stabilize markets and prevent cascading liquidations or further losses during periods of uncertainty.
About Kelp DAO and rsETH
Kelp DAO is a liquid restaking protocol that issues rsETH, a token intended to provide users with liquidity while their ether participates in restaking strategies. Integration with bridges and other DeFi applications allows rsETH to circulate across networks, increasing utility but also expanding the potential attack surface if cross-chain components are compromised.
Why it matters for DeFi security
The attack underscores persistent vulnerabilities in cross-chain infrastructure, which continues to be a high-value target for exploiters. The scale of the loss and the rapid containment measures highlight the need for rigorous security practices around bridges, including real-time monitoring, conservative risk parameters, and robust incident response frameworks. The episode is likely to prompt a reassessment of cross-chain security protocols across the sector.