Kelp Exploit Spreads DeFi Contagion as Protocols Freeze rsETH Exposure

KelpDAO’s rsETH incident quickly became a DeFi contagion story because the risk spread beyond the protocol where the suspicious activity started. The counterpoint is that the fastest reactions from KelpDAO, Aave and LayerZero also showed Ethereum DeFi still has some ability to quarantine collateral shocks before every connected protocol turns into a direct exploit victim.

What Happened in the Kelp rsETH Exploit

On April 18, 2026, KelpDAO said it had identified suspicious cross-chain activity involving rsETH and paused contracts across Ethereum mainnet and several Layer 2 networks while it worked with LayerZero, Unichain, auditors and security experts on a root cause analysis.

Cyvers Alerts said about $293.7 million was drained from KelpDAO’s rsETH adapter and said roughly $250 million had already been swapped into ETH, which helps explain why exposed lenders treated the event as a live collateral threat instead of a contained bridge anomaly.

On April 19, 2026, LayerZero said it was in active remediation with KelpDAO and that other applications remained safe while the root cause was still being identified. A single source later pointed to a single-signer bridge setup, but because LayerZero said the root cause was still unresolved, that explanation remained unconfirmed at publication time.

How the Kelp Exploit Spread Contagion Across DeFi

Aave said the rsETH markets on Aave V3 and Aave V4 had been frozen and stressed that Aave’s own contracts were not exploited. That freeze is the clearest example of containment: the protocol treated rsETH as the problem asset and tried to stop fresh borrowing or new deposits from turning an asset-level failure into wider bad debt.

Cointelegraph reported that at least nine DeFi protocols and platforms, including Aave, Fluid, Compound Finance, SparkLend and Euler, were affected and took action after the exploit. In practice, that means rsETH’s role as reusable collateral let a bridge-related failure spill into lending and liquidity venues that were not themselves hacked.

DefiPrime said 116,500 unbacked rsETH, or about 18% of circulating supply, was minted during the incident. The same report said roughly $236 million in WETH was taken from Aave, which helps explain why executives described the fallout as contagion inside Ethereum DeFi rather than a one-protocol exploit.

Ethereum traded at $2,313.53, down 1.95% over 24 hours, as the rsETH shock hit the network’s largest collateral markets.

Why Crypto Executives Say Non-Isolated Lending Amplifies Risk

Cointelegraph reported that Curve founder Michael Egorov warned non-isolated lending exposes users to the risks of all tokens accepted as collateral on a platform. In plain language, one weak collateral listing can leak stress into a shared pool instead of staying boxed inside a single market.

The containment data cuts both ways: Aave said its own contracts were not exploited, while LayerZero said other applications remained safe. That suggests the industry lesson is less about Ethereum failing as a base layer and more about how quickly wrapped collateral can outrun the risk assumptions used to list it.

That same market-structure focus also shows up in Coinwy coverage of RaveDAO Denies Manipulation Amid Binance, Bitget RAVE Probe, Bitcoin Mining Difficulty Falls Slightly in Latest Adjustment and Iran Oil Tanker Fees Still Dominated by USDt, No Signs of BTC Yet: BPI, where infrastructure, settlement design and market plumbing mattered as much as token price.

Outlook: Fast Containment Did Not Remove the Structural Risk

The constructive read for DeFi is that KelpDAO paused rsETH, Aave froze its rsETH markets and LayerZero said remediation was active before there was evidence of chain-wide application failure. The risk case is that at least nine venues still had to react, which shows how much hidden interdependence builds up when a wrapped asset becomes common collateral.

Until an official postmortem appears, the cleanest conclusion is the narrow one supported by the data already in public: KelpDAO identified suspicious cross-chain activity, Cyvers tracked a large drain, Aave moved to freeze exposure and LayerZero said the root cause was still unresolved. That combination makes the rsETH episode a warning about collateral-listing standards and bridge assumptions, not just another isolated exploit headline.