One Hack, Nine Protocols, $292 Million Gone: The Kelp Exploit Exposes DeFi's Contagion Problem

On Saturday afternoon, an attacker sent a fake command to the LayerZero-powered bridge of Kelp DAO. The bridge accepted it as true. In a matter of minutes, 116,500 of rsETH (around 18% of the total circulating supply of the token) was put into the attacker's wallet. When Kelp put their smart contracts on hold, the stolen tokens were already in Aave, Compound, and Euler as collateral for borrowing hundreds of millions of dollars more in wrapped ether. The outcome: Kelp lost approximately $293 million; Aave had $6.6 billion worth of valve locks gone; and at least nine different protocols were trying to freeze their exchange markets that they didn't build.

This wasn't just a Kelp issue; this relates to many protocols' reliance on bridges that are compromised — that is the issue worth thinking about!

How a Single Bridge Hack Became a Multi-Protocol Crisis

Kelp acts as a protocol for liquid restaking. Stakers of ether (stETH) on Kelp receive a token called rsETH that generates rewards, which can ten be utilized in numerous DeFi protocols. However, there were more than 20 active networks on which rsETH tokens circulated as collateral or bet receipts for staking via Kelp, and all were tied to the same Kelp-holding reserves on the bridge. So when the bridge was drained and rsETH tokens circulating as collateral became suspect (regardless of where they originated), protocols that accepted these tokens as collateral had no means of verifying the authenticity of the collateral supporting their loans — Aave, SparkLend, Fluid, Euler, Compound, and others.

Cyvers Blockchain Security labeled this issue a "cross-protocol contagion event" as a result of the protocol exploit. While Aave, Compound, and Euler experienced no fiduciary fault with their contracts, Aave had integrated rsETH into their lending pool and did not segregate it from the rest of their loans, thus escalating the risk posed to their lending pool by rsETH. Subsequently, Aave's token value dropped by 16%. The total value locked in Aave (TVL) dropped from $26.4 billion to approximately $20 billion in several hours. Aave now holds approximately $196 million in bad debt concentrated to the rsETH and wrapped ether pairs, and Aave may have insufficient reserves in its Umbrella Safety Fund.

The Capital Efficiency Trade-Off Nobody Wanted to Make

Michael Egorov, founder of Curve Finance, made it clear that the problems in these structures are made greater through non-isolated lending models, whereby a shared pool among all assets adds additional risk for all of the other assets due to a single pool of risk. If rsETH was insulated in its own lending pool, then when an exploit like this occurs, the contagion is limited to Kelp, rather than affecting other protocols, other users, or other tokens.

The reason many protocols aren't fully isolating their pools is because it reduces capital efficiency. As liquidity from many different protocols is added to a single pool, it allows liquidity to flow more freely without restrictions, which makes it cheaper to borrow against and provides a higher yield on returns generated through lending. By isolating lending pools, the risk contained within each pool is reduced, but it requires the sacrifice of some type of capital efficiency that allows for that liquidity to be generated.

In addition, Egorov pointed to an additional issue with the configuration of Kelp's bridge, which was configured using a single instance of a verifier, meaning that there was only one verification point used to validate cross-chain messages sent to and from these two protocols. This configuration error should have been noted when the bridge was originally brought online, but it was not. Therefore, when one forged message was able to release the entire bridge.

Cross-Chain Infrastructure Is the Weak Link

The attack's cause was not from a bug in a smart contract like we typically see when attacks happen. The hacker used a bridge to hack Kelp. Egorov specifically states: "Cross-chain is difficult and unsafe. Only use cross-chain technology when required and do so extremely carefully. Many people have heard this before and turned the other way because cross-chain is how the industry can create a decentralized finance system across multiple blockchains. If there are ten different networks with your protocol on them, then you need a way to connect all of those networks and these are almost exclusively the site of where the biggest hacks have occurred because they are the boundaries separating each of the separate systems, hence attackers would typically look to hack at the boundaries first.

The Kelp exploit has rapidly become the largest DeFi hack of 2026 and 2026 has only just begun as of the writing of this article (four months into the year). The total amount of crypto lost from hacks, exploits, and scams in the first quarter of 2026 alone was approximately $482 million. Ledger's Security Officer stated that 2026 will "most likely be the worst year for hacks to date, which is a recommendation of a future trend from their current trends.

What Happens to Trust

"DeFi is dead" was one of the most frequent comments by DeFi users on social media following the recent incident — something that is not surprising given the size of the exploit, however; it may not truly be an accurate assessment of what's happening in the DeFi ecosystem at this stage. However, there is something different about the nature of this event's magnitude as it simultaneously affected cross-chain infrastructure, restaking models, and lending markets, and therefore it cannot be classified as a single protocol's weakness/targeted attack; instead, it serves as a stress test to demonstrate how tightly coupled the entire DeFi ecosystem is with respect to its underlying protocols working together.

As Ledger's Security Chief, Guillemet put it 'Overall, this type of eventerodes trust among the DeFi community with regards to DeFi protocol's operational integrity.

On the other hand, Egorov offers an alternative viewpoint — that while a tough environment, crypto has always learned from previous failures in DeFi and gone on to become stronger — although, in principle, he's right. However; learning from these types of incidents typically cost the end user unexpected financial losses. Nine protocols, $293 million worth of cash value lost, and one forged bridge message PYMNTS.com there is no argument here, we have learnt this lesson but how many more times will we need to learn it?