Hackers have reportedly stolen nearly $300 million from decentralized finance (DeFi) platform Kelp DAO.
That’s according to a report Sunday (April 19) from Bloomberg News, which says the incident has triggered a ripple effect across cryptocurrency platforms.
The total losses are estimated at around $293 million, making it the biggest DeFi exploit of the year, the report added.
“We identified suspicious cross-chain activity involving rsETH,” Kelp DAO wrote in a post on social media platform X. “We have paused rsETH contracts across mainnet and several L2s while we investigate.”
According to the report, Kelp DAO is a restaking protocol that allows users to deposit popular staking tokens such as stETH or cbETH and get rsETH in return, using those tokens across other crypto applications while still reaping rewards.
Bloomberg said this flexibility has helped rsETH expand widely across decentralized lending, trading and liquidity platforms, but also made the breach a bigger problem for the market.
Advertisement: Scroll to Continue
“This was not just a protocol exploit, it immediately became a cross-protocol contagion event,” security firm Cyvers said, estimating that the incident impacted at least nine other platforms.
As Bloomberg noted, DeFi protocols are often stacked together. Assets like rsETH are reused across multiple services for purposes like collateral or as liquidity in trading pools. The failure of one piece can threaten the entire structure.
“This is exactly the kind of incident that highlights the risks” of interconnected systems in DeFi, said Cyvers CEO Deddy Lavid. “The challenge is no longer just preventing exploits at the contract level, but understanding how fast they can cascade across integrated protocols.”
The incident follows a $285 million hack on decentralized cryptocurrency exchange Drift earlier this month. Circle’s CEO has faced criticism around his firm’s alleged failure to freeze USDC tokens following the attack.
As PYMNTS wrote last week, incidents such as this one underline the fact that major stablecoin issuers hold onto the technical ability to pause transfers of specific tokens, or even eliminate them entirely through what is known as “burning,” often in reaction to regulatory directives, security incidents or compliance concerns.
“For CFOs accustomed to the predictability of bank deposits or money market funds, this can introduce a new category of risk: not market risk, but governance risk embedded in code,” that report said.
