On April 5, 2026, the liquid restaking protocol KelpDAO fell victim to the largest DeFi exploit of the year. An attacker drained approximately $293.7 million worth of rsETH by exploiting a vulnerability in the protocol’s bridge contract. The stolen tokens were rapidly swapped into ETH and distributed across Ethereum and Arbitrum, with $178 million landing on the mainnet and $72 million on the layer-2 network.
But the KelpDAO incident is not just another hack story. It is a textbook example of cross-protocol contagion — a phenomenon where a single vulnerability in one protocol cascades across multiple platforms, creating bad debt, forcing emergency market freezes, and impacting users who never directly interacted with the compromised project. As of April 8, 2026, Bitcoin trades around $71,123 and Ethereum at $2,190, and the broader DeFi ecosystem is still absorbing the shockwaves of this event.
TL;DR
- KelpDAO lost ~$293.7 million in a bridge contract exploit on April 5, 2026
- The attacker created unbacked rsETH and used it to borrow real assets from lending protocols
- At least 9 protocols were affected, including Aave V3, Compound V3, Euler, SparkLend, and Fluid
- Cross-protocol contagion means a hack in one protocol can impact your funds in a completely different platform
- Understanding how contagion works is essential for managing DeFi risk in 2026
What Is Cross-Protocol Contagion?
In traditional finance, contagion refers to the domino effect where one institution’s failure triggers losses at connected institutions. The concept is identical in DeFi, except the connections are not based on trust or contracts — they are hard-coded into smart contracts.
When a token like rsETH is used as collateral across multiple lending platforms, a vulnerability in the token’s issuance mechanism can instantly create unbacked debt on every platform that accepts it. The attacker does not need to hack each protocol individually. The poisoned asset does the work automatically.
On-chain security firm Cyvers, which detected the breach in its early stages, explained that the attacker exploited the bridge contract to mint unbacked rsETH. Those tokens were then deposited into Aave V3, Compound V3, and Euler, where the attacker borrowed substantial amounts of WETH against them. The result was more than $236 million in unbacked debt spread across the DeFi ecosystem.
How the Attack Unfolded
Understanding the mechanics of this exploit helps you recognize similar patterns in the future. Here is a simplified breakdown of the attack path:
- Bridge contract manipulation: The attacker identified and exploited a vulnerability in KelpDAO’s cross-chain bridge contract, which handles rsETH transfers between Ethereum and various layer-2 networks.
- Minting unbacked rsETH: By exploiting the bridge logic, the attacker was able to create rsETH tokens that were not backed by any actual staked ETH.
- Rapid conversion: The stolen rsETH was immediately swapped into ETH and spread across Ethereum ($178 million) and Arbitrum ($72 million) to complicate recovery efforts.
- Leverage through lending: The attacker deposited the unbacked rsETH into major lending protocols and borrowed real WETH against it, extracting genuine value from the system.
- Contagion spread: At least nine protocols found themselves holding worthless rsETH collateral, forcing emergency responses across the ecosystem.
The Emergency Response
The speed and scale of the response from major DeFi protocols demonstrates both the severity of the incident and how the ecosystem has matured in handling crises. Aave V3 froze rsETH markets within hours. SparkLend froze its exposure. Fluid, Compound, Euler, and other protocols moved swiftly to contain the risk.
KelpDAO confirmed the breach and paused rsETH contracts across the mainnet and several layer-2 networks. The team partnered with LayerZero, Unichain, their auditors, and external security experts to investigate and resolve the issue.
These emergency freezes, while necessary, created a new problem for users: their funds were locked in frozen markets, unable to be withdrawn or traded. Even users who had never touched KelpDAO directly found their positions affected if they held rsETH or had positions in protocols that accepted it as collateral.
Why Deeply Integrated Assets Are High-Risk
Cyvers noted that assets deeply integrated across lending, vaults, and liquidity protocols are particularly susceptible to contagion. When a token serves as collateral, a trading pair, and a yield-bearing instrument simultaneously, a single point of failure in its issuance mechanism can cascade through every protocol that touches it.
This is not unique to rsETH. Any liquid staking token, restaking token, or wrapped asset that is widely accepted as collateral carries this inherent risk. The more protocols that integrate an asset, the larger the blast radius when something goes wrong.
Practical Steps to Protect Yourself
While you cannot eliminate risk entirely in DeFi, you can take concrete steps to reduce your exposure to cross-protocol contagion:
- Diversify your collateral: Avoid concentrating your collateral in a single liquid staking or restaking token. If one token becomes compromised, only a portion of your positions will be affected.
- Monitor protocol integration depth: Before using a token as collateral, check how many protocols accept it. Wider integration means larger contagion risk.
- Follow on-chain security alerts: Services like Cyvers, Forta, and BlockSec provide real-time alerts for suspicious on-chain activity. Early detection can give you hours of advance warning.
- Understand the bridge risk: Bridge contracts remain one of the most attacked components in DeFi. Tokens that rely heavily on cross-chain bridges carry additional attack surface.
- Keep emergency exit plans: Know which protocols allow emergency withdrawals and how quickly you can move your funds if a related protocol is compromised.
Why This Matters
The KelpDAO exploit is not an isolated incident. April 2026 saw over $651 million in crypto losses from approximately 30 separate incidents, making it one of the most targeted months in DeFi history according to DefiLlama data. The total value lost to crypto hacks now exceeds $16.5 billion, with DeFi-specific losses approaching $7.7 billion.
As the DeFi ecosystem grows and protocols become more interconnected, the blast radius of individual exploits will continue to expand. Understanding how cross-protocol contagion works is no longer optional knowledge — it is fundamental risk management for anyone participating in decentralized finance.
The tools and frameworks for responding to these incidents are improving. Aave, Compound, and other major protocols demonstrated rapid freeze capabilities during the KelpDAO incident. But prevention remains more effective than crisis response, and that starts with users who understand the risks.
Disclaimer: This article is for educational purposes only and does not constitute financial advice. Cryptocurrency investments carry significant risk, including the potential loss of principal. Always conduct your own research before interacting with any DeFi protocol.
9 protocols affected from one bridge bug. composability is a feature until it becomes a weapon against your portfolio
bridge_orphan 9 protocols hit and Aave V3 was one of them. composability is a feature until someone creates fake rsETH and borrows real ETH against it on your platform
Raj Patel is right. Most bridge audits only check code logic but ignore economic attack vectors. rsETH borrowing real ETH was the fatal flaw
attacker created unbacked rsETH and used it as collateral across lending markets. the design flaw was letting the same asset be collateral everywhere
Bridge exploits are becoming way too common. The contagion aspect here is what really scares me; it’s not just about one protocol failing, it’s about the domino effect across the entire ecosystem. We need better audit standards for cross-chain liquidity before we can truly call DeFi ‘safe’ for the average user.
^ the audit standards point is key. most bridge audits cover the contract logic but miss the economic attack vectors around unbacked collateral
Raj Patel audit standards for bridge contracts need to include economic attack vectors not just code logic. most audits check if the code does what it should, not what happens when someone mints unbacked tokens
Raj Patel audit standards need to include economic attack vectors not just code logic. how many more 293m exploits before that becomes standard
This was a tough pill to swallow for KelpDAO users, but the analysis here is spot on. These events, as painful as they are, provide the stress tests we need to build more resilient infrastructure. It’s a reminder that composability is a double-edged sword—great for capital efficiency, but a nightmare for risk mitigation when things go south.
Man, I almost moved some eth over to Kelp last week. Dodged a bullet there. The way these protocols are all linked up makes it feel like we’re playing a giant game of Jenga. Definitely going to be more careful with where I park my assets and pay closer attention to bridge dependencies from now on.
This Jenga analogy is perfect. Every protocol touching another chain creates domino risk we don’t price in properly
chain_detective the jenga analogy is perfect. one bridge bug and 9 protocols had bad debt. aave v3 getting hit shows nobody is safe from contagion
One bridge exploit affecting 9 protocols. This shows exactly why composability is dangerous without proper economic security models