Hackers have exploited a cross-chain bridge connected to Kelp DAO, resulting in the theft of nearly $300 million in digital assets in what has been reported as the largest decentralised finance exploit of 2026.
The attack targeted a bridge built using LayerZero technology, which enables transfers between different blockchain networks. According to reporting, attackers drained approximately 116,500 rsETH tokens, valued at around $292 million at the time of the incident.
The breach occurred on April 18, 2026, when the attackers executed unauthorised transactions through the bridge infrastructure. Additional attempts to extract funds were identified but did not succeed, which limited the total losses.
Kelp DAO paused affected contracts shortly after detecting the activity, in an effort to prevent further unauthorised transfers.
Cross-chain bridges are designed to facilitate the transfer of assets between separate blockchain ecosystems. These systems rely on validation mechanisms that confirm transactions across networks. In this case, the exploit involved manipulating those mechanisms to authorise withdrawals that were not legitimate.
The stolen assets represent a significant portion of the protocol’s supply. Estimates indicate that the drained funds accounted for roughly 18% of the total rsETH supply at the time.
The incident affected multiple decentralised finance platforms that rely on the same infrastructure, as cross-chain bridges often serve as shared components across different services.
No confirmed attribution has been made regarding the identity of the attackers. Investigations are ongoing, with blockchain analysts tracking the movement of stolen funds across different networks and services.
Cross-chain bridges have been repeatedly targeted in previous incidents due to the large pools of assets they hold and the complexity of their validation systems. Security research has identified these mechanisms as a common point of failure in decentralised finance architectures.
The full technical details of the exploit have not been disclosed. Kelp DAO and associated infrastructure providers have stated that analysis of the incident is ongoing.