A critical flaw in Kelp DAO's rsETH minting process allowed an attacker to create tokens without depositing collateral, triggering a $290M crisis that spread across Aave, Lido, and the broader DeFi ecosystem.
What to know
- An attacker exploited a flaw in Kelp DAO's rsETH collateral system, minting rsETH without depositing any ETH.
- The hack, estimated at roughly $290 million, occurred on April 19, 2026, and was reported on April 23.
- Under normal conditions, rsETH is minted when a user deposits ETH as staking collateral — a 1-to-1 backing. The attacker bypassed this entirely.
- The incident cascaded into a system-wide liquidity shock, rattling confidence across DeFi and prompting coordinated recovery efforts.
- Aave, Lido, and EtherFi have stepped in to help bridge the shortfall and contain the damage.
- The event has reignited debate about the risks of liquid restaking tokens and their role in the DeFi lending ecosystem.
The Anatomy of the Exploit
To understand what happened, it helps to understand what rsETH is supposed to be. The design is straightforward: deposit real ETH, receive a token representing it — a receipt backed 1-to-1 by the underlying asset. This is the foundation of liquid staking on Kelp DAO.
The attacker found a way around that requirement entirely. By exploiting a critical flaw in the protocol’s collateral system, they minted rsETH without depositing any ETH at all. This created tokens that were supposed to be backed — but were not.
The exploit itself took place on April 19. But its effects rippled through the ecosystem over the following days, culminating in a crisis that shook confidence across DeFi.
The attacker created tokens that were supposed to be backed — but were not.
The Cascading Liquidity Shock
What started as a single exploit quickly became a system-wide liquidity shock. The unbacked rsETH flowed into lending protocols like Aave, where it could be used as collateral to borrow other assets. When the market realized the tokens were not properly backed, a cascade of liquidations and margin calls followed.
Industry players describe this as one of DeFi's most difficult weeks in recent memory. The incident has rattled confidence not just in Kelp DAO, but in the entire liquid restaking ecosystem. Questions are being raised about whether the underlying design of such tokens is fundamentally sound.
Some users pushed back via Aave’s governance forum, fearing that emergency measures to plug the gap would trigger further liquidations. The tension between swift action and unintended consequences is a recurring theme in DeFi crisis management.
An Industry Response Takes Shape
In the wake of the exploit, industry leaders moved quickly to contain the damage. Lido proposed allocating 6 million in staked ETH to help bridge the shortfall. EtherFi also offered aid, signaling a rare moment of cooperation among competing protocols.
Aave rallied its partners to coordinate a recovery effort, aiming to stabilize the market and prevent the crisis from deepening. The coordinated response is notable — in previous DeFi hacks, such collaboration has been less common.
Aave, Lido, and EtherFi have joined forces to contain the fallout — a rare moment of cooperation in DeFi.
What rsETH Was Supposed to Be
The concept of rsETH is elegant in theory: deposit ETH into a staking pool, receive a liquid token that can be used elsewhere in DeFi while your original stake earns yield. This is the promise of liquid restaking — capital efficiency without sacrificing security.
But the exploit exposed a critical gap between theory and practice. The collateral system was designed to be trustless, yet a single flaw allowed the entire mechanism to be subverted. This raises uncomfortable questions about the complexity of modern DeFi protocols and the difficulty of auditing every edge case.
As one industry observer noted (via newsbtc.com), the event goes beyond a simple hack — it reveals something deeper about the fragility of the current DeFi architecture.
Beyond the Hack: Systemic Risks
The Kelp DAO incident is not just a story about a single exploit. It is a stress test for the entire DeFi ecosystem. When a token like rsETH is used as collateral across multiple platforms, a failure in one place can propagate rapidly.
This is exactly what happened. The unbacked rsETH tokens were leveraged on Aave, creating a web of interconnected risk. The resulting liquidity shock forced protocols to scramble for solutions, highlighting the systemic nature of the problem.
The event also comes at a time when DeFi is already under scrutiny from regulators. While this may not be a regulatory trigger per se, it will certainly add fuel to the debate about how to oversee a system that can lose hundreds of millions in hours.
A failure in one place can propagate rapidly when tokens are used as collateral across multiple platforms.
Looking Ahead
As of the latest reports, recovery efforts are underway but far from complete. The $290 million figure may still change as more details emerge. For now, the focus is on stabilizing the market and restoring confidence.
For Kelp DAO, the path forward will involve auditing its code, compensating affected users, and rebuilding trust. For the wider DeFi ecosystem, the lesson is clear: the complexity of liquid restaking tokens carries hidden risks that can explode with little warning.
The incident will likely accelerate calls for better risk management, more rigorous security audits, and perhaps the development of insurance mechanisms specifically designed for restaking protocols. It may also prompt a reassessment of how deeply these tokens should be integrated into the lending stacks of major platforms like Aave.
The next few weeks will reveal whether DeFi can learn from this crisis — or whether the same pattern will repeat.
