A serious security incident has just occurred in the Ethereum reStaking ecosystem as the Kelp DAO became the target of a large-scale attack, causing estimated losses of up to $293 million and having a ripple effect on the AAVE lending protocol. According to on-chain data analyzed by the community in the early hours after the event, the attacker withdrew all 116,500 rsETH – the Token representing ETH after Staking on the Kelp DAO – through the project's cross-chain bridge before distributing the assets to multiple wallets and gradually Dump into the market.
The hack revealed a vulnerability in the cross-chain bridging mechanism – a crucial component that allows rsETH to move between different blockchains. This was one of the core features that helped Kelp DAO grow rapidly during the Ethereum reStaking wave, as the demand for optimized Staking yields surged over the past year. However, this very cross- chain connection became the weak link that was exploited. The total amount of assets affected reached 116,500 rsETH, equivalent to approximately 18% of the total circulating supply of around 630,000 rsETH – a number large enough to shake the entire related ecosystem.
Notably, the Kelp DAO team detected and reacted quite quickly. Just about 45 minutes after the first withdrawal transaction was made, the project activated an emergency mechanism, immediately halting all deposits, withdrawals, and transactions related to rsETH. This action helped block two more withdrawal transactions that the hacker was preparing to make, thereby limiting potential further damage.
