rsETH Crypto Theft of $293 Million: How a Bridge Hack Triggered a Cascade Collapse in DeFi
In April 2026, a hacker attack on a cross-chain bridge built on LayerZero led to the theft of 116,500 rsETH tokens—equivalent to nearly $293 million. The incident didn't stop at losses for one protocol: due to rsETH's deep integration into the decentralized finance ecosystem, the fallout quickly spread to at least nine other platforms, including Aave. This event became the largest crypto theft of the year and highlighted the vulnerability of interconnected DeFi protocols.
Anatomy of the Vulnerability: Why rsETH Became the Breaking Point
rsETH is a restaking token from Kelp DAO, representing "re-staked" ETH. Users can deposit assets like stETH or cbETH and receive rsETH, which retains staking rewards while becoming liquid and usable in other DeFi applications. Thanks to this functionality, rsETH gained widespread adoption: it's used in liquidity pools, as collateral for loans, and in yield strategies.
However, this very versatility turned rsETH into a systemic risk. The attack targeted not Kelp DAO itself, but the cross-chain bridge using LayerZero infrastructure to transfer assets between blockchains. The attacker exploited a vulnerability in the cross-chain message verification mechanism, allowing them to generate fake transactions and withdraw tokens without the corresponding reserves.
Cascade Effect: When One Protocol Drags Down the Entire Ecosystem
After the theft, rsETH's price dropped 20% within hours. But the main issue wasn't volatility—it was that the asset was integrated into dozens of protocols. For example:
- Aave immediately froze all markets related to rsETH to prevent new deposits and loans against this asset.
- Liquidity pools on DEXes started experiencing imbalances due to mass withdrawals.
- Several automated yield strategies were manually halted by project teams.
According to Cyvers, at least nine protocols were at risk of partial or full insolvency. As Meir Dolev, the company's technical director, noted, "the protocol was just three minutes away from losing another $100 million," but timely blacklisting of the attacker's address prevented further losses.
Technical Details of the Attack: Where Did the Protection Fail?
Although the full root cause analysis (RCA) report hasn't been published yet, experts point to possible compromise vectors:
- Insufficient source message verification in the LayerZero-based bridge configuration.
- Lack of time delays or multi-sig mechanisms for critical asset transfer operations.
- Overly trustful model between smart contracts on different networks without an additional verification layer.
LayerZero positions itself as an "ultra-lightweight" solution for cross-chain interactions, but in this case, skimping on checks led to catastrophic consequences. This raises an important question: how secure are modern cross-chain infrastructures at scale?
Key Takeaways
- Systemic risk in DeFi grows with composability: the more protocols use the same asset, the higher the chance of a cascade collapse.
- Cross-chain bridges remain one of the most vulnerable infrastructure points: over 60% of all major DeFi thefts in history are linked to bridges.
- Quick team responses can prevent additional losses: in this case, blacklisting the address saved $100 million.
- Restaking tokens require a special security approach, especially when used as collateral.
- Integration with external systems (e.g., LayerZero) requires independent audits, even if the main protocol has been checked.
The Future of DeFi: Lessons from the Disaster
After the incident, Kelp DAO paused rsETH contracts on Ethereum Mainnet and L2 networks. The team is collaborating with LayerZero, Unichain, auditors, and cybersecurity experts for a full investigation.
This case underscores the need to shift from the "trust, but verify" paradigm to "don't trust, verify constantly." In particular, developers should consider:
- Introducing time-delay mechanisms for large transfers via bridges.
- Using second-level oracles to verify asset states before transfer.
- Creating automated triggers to pause integrations during anomalous activity.
DeFi continues to evolve, but without stronger engineering discipline and inter-protocol coordination, such incidents will repeat—with even greater losses.
— Editorial Team
No comments yet.