The liquid restaking protocol KelpDAO reportedly suffered a major exploit on April 18, 2026, with total losses estimated at around $292–294 million. The incident occurred after an attacker managed to mint a large amount of fake rsETH tokens and used them as collateral to borrow ETH on lending platforms. This event is now considered the largest DeFi exploit of 2026, surpassing the previous case involving Drift Protocol.

Exploit Timeline and Fund Flow
Based on on-chain data, the attacker successfully minted approximately 116,500 fake rsETH, valued at around $294 million. These tokens were then used as collateral on lending protocols such as Aave.

By leveraging assets with no real backing, the attacker borrowed approximately 106,467 ETH, worth about $250 million. This scheme effectively allowed the attacker to create “empty” liquidity and exchange it for real crypto assets with market value.

Data from blockchain intelligence platforms such as Arkham shows significant fund movements from contracts linked to KelpDAO to various addresses suspected to be controlled by the attacker.
On-chain link: https://intel.arkm.com/explorer/entity/cdbcc1e6-dd2b-4b6c-9112-17ca3eff7bd3

As an initial response, KelpDAO quickly paused its contracts to prevent further exploitation. Several other protocols also implemented mitigation measures by freezing rsETH markets to limit systemic impact.

Suspected Cause and Technical Analysis
So far, the primary cause of the exploit is believed to stem from a vulnerability in the rsETH minting mechanism, which allowed tokens to be created without valid asset backing. According to on-chain analysts, failures in collateral validation or oracle systems may have been the weak points exploited.

“This exploit indicates a failure in the verification process of underlying assets, which should be a fundamental security layer in restaking protocols,” said a DeFi analyst.

This case once again highlights the risks in the liquid restaking sector, particularly in protocols managing staking derivatives like rsETH. The complexity of smart contract architecture and cross-protocol integrations increases the likelihood of exploits if not thoroughly audited.

Impact on Market and Ecosystem
The exploit triggered a rapid response across the DeFi ecosystem, especially among platforms integrated with rsETH. Several lending platforms immediately suspended the use of rsETH as collateral to avoid default risks.

The incident also reshuffled the ranking of the largest exploits this year. Previously, Drift Protocol recorded losses of around $285 million on April 1, 2026. However, with greater losses, KelpDAO now ranks as the largest DeFi hack of 2026.

Market sentiment toward the liquid restaking sector is also expected to face short-term pressure, as concerns over protocol security increase.

Conclusion
The KelpDAO exploit serves as a critical reminder of the high risks within the DeFi ecosystem, particularly in emerging innovations like liquid restaking. While these solutions offer capital efficiency, their technological complexity also introduces potential security vulnerabilities.

Moving forward, transparency, smart contract audits, and robust risk mitigation mechanisms will be key factors in maintaining user trust and the overall stability of the DeFi ecosystem.