An attack on the Kelp liquid restaking protocol led to the theft of approximately $293 million, triggering a chain reaction and a sharp liquidity decline across DeFi platforms.
On April 19, the Kelp team, which provides liquid assets for restaking, detected suspicious cross-chain activity involving the rsETH token and urgently paused smart contracts on the mainnet as well as several L2 solutions.
According to analysts at Cyvers, the vulnerability was linked to the adapter bridge contract that manages the token. The attackers withdrew around $293 million in rsETH tokens to an address associated with the Tornado Cash mixer. Approximately $250 million of the stolen assets were converted into ETH, while the remainder was used in further operations within Kelp, increasing pressure on related protocols.
The attack quickly spread beyond a single platform. According to cybersecurity researchers, at least eight DeFi protocols were using rsETH and were forced to restrict operations involving the asset. These included:
- Aave froze rsETH markets in V3 and V4.
- Fluid restricted rsETH operations to prevent further risk propagation and potential borrowing against compromised collateral.
- Compound Finance suspended the use of rsETH as collateral to eliminate the risk of undercollateralized positions.
- SparkLend imposed restrictions on rsETH transactions and tightened risk parameters for associated liquidity pools.
- Euler froze markets exposed to rsETH to avoid cascading liquidations.
- Curve Finance paused infrastructure linked to rsETH and began assessing the impact on related liquidity pools.
- Ethena restricted interactions with affected assets to protect stablecoin mechanisms.
- BitGo suspended use of WBTC-related bridges and integrations to minimize secondary contagion risk.
Many other protocols also introduced precautionary restrictions or temporarily halted rsETH operations amid growing uncertainty. The incident exposed systemic composability risks in DeFi, where a vulnerability in one protocol can propagate across interconnected services.
The consequences of the attack were significant for the decentralized lending market. In Aave, for example, the attacker used stolen assets as collateral to take out loans, generating approximately $195 million in “bad debt,” which triggered a mass liquidity outflow. According to DeFiLlama data, total value locked (TVL) in the protocol dropped from $26.4 billion to $18.6 billion in less than 24 hours. USDT and USDC stablecoin pools became fully utilized, temporarily restricting withdrawals of more than $5.1 billion. The market also reacted with a sharp decline in the AAVE token price, which fell nearly 20%. According to CoinGecko, the asset dropped from $112 to $89.5 within a day.
Experts attribute the root cause of the attack to vulnerabilities in cross-chain infrastructure and the lack of isolation of collateral assets used in DeFi lending. In their assessment, the incident demonstrated how quickly a localized exploit can escalate into a systemic liquidity crisis.
According to Global Ledger data, in 2025, in approximately 68% of attacks, funds began moving before the breach became public knowledge. For more on how to reduce AML team response times and stay ahead of hackers, see this article at CP Media.
