$293M stolen from Kelp restaking protocol in major security breach
Blockchain security company Cyvers reports that the security breach triggered a "cross-protocol contagion" affecting no fewer than nine cryptocurrency protocols.
A liquid restaking protocol known as Kelp fell victim to a major cyber attack on Saturday, prompting the platform to immediately suspend smart contracts associated with its restaking token (rsETH) while the team "investigates" the breach following reports indicating losses reaching hundreds of millions of dollars.
"Earlier today, we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several Layer-2s," the Kelp platform said in an X post.
According to blockchain security firm Cyvers, the malicious actor took advantage of a vulnerability in the rsETH adapter bridge contract, which is the software code responsible for managing Kelp's rsETH token, successfully draining approximately $293 million in funds from the platform.
Cyvers informed Cointelegraph that the malicious actor utilized an address funded through the Tornado Cash crypto mixer and has already successfully converted approximately $250 million of the pilfered funds into Ether (ETH), which is the native cryptocurrency of the Ethereum layer-1 blockchain network.
Following the security incident, Aave, a decentralized finance (DeFi) platform, made an announcement stating it had frozen rsETH markets across both Aave V3 and V4. According to Cyvers, a minimum of nine cryptocurrency protocols had exposure to the affected token and subsequently froze activities on their respective platforms as a precautionary measure.
"This is exactly the kind of incident that highlights the risks of composability in DeFi," Deddy Lavid, CEO of Cyvers, told Cointelegraph. Cointelegraph reached out to Kelp but did not obtain a response by the time of publication.
This security breach represents the most recent occurrence in a series of cybersecurity hacks and exploits targeting crypto platforms throughout the past several months, with cryptocurrency losses stemming from hacks and scams reaching a total of approximately $482 million during Q1 2026.
Drift Protocol hacked for $280 million
In April, the decentralized cryptocurrency exchange known as Drift Protocol also experienced a major exploit that resulted in the platform being drained of roughly $280 million.
According to the Drift Protocol team, the attack required "months of deliberate preparation," during which the team was infiltrated by individuals suspected to be North Korean state-affiliated hackers.
In a detailed post-mortem update, the Drift team revealed they initially encountered the attackers at a "major" crypto conference and maintained a collaborative relationship with them spanning several months before the attackers successfully deployed malware onto developer machines and ultimately compromised the platform.