Written by Helena Markou
The “restaking summer” has hit a brutal winter. On April 19, 2026, Kelp DAO suffered a devastating $293 million exploit, the largest of the year so far. The attacker siphoned over 116,500 rsETH across Ethereum and Arbitrum in a sophisticated strike that exposed the fragile underpinnings of the liquid restaking ecosystem.
The Anatomy of a $250 Attack
The most chilling aspect of the hack was its efficiency. According to on-chain analysis, the attacker executed a single function call on the Kelp DAO contract with just $250 in gas fees to mint unbacked rsETH. This “phantom” collateral was then used to drain liquidity from major lending protocols, most notably Aave, pushing its liquidity pools to a breaking point.
Why This Matters
This isn’t just another hack; it’s a systemic warning. The exploit reportedly involved poisoning the downstream RPC infrastructure, a sophisticated vector that bypasses traditional smart contract audits. As DeFi protocols become more interconnected through restaking and cross-chain bridges, a single point of failure in one “Lego piece” can now trigger a multi-hundred-million-dollar cascade.
The Kelp disaster proves that complexity is the enemy of security. For DeFi to survive 2026, the industry must pivot from chasing yield to hardening the infrastructure that supports it.
