Kelp Restaking Platform Drained for $293M in Attack Hitting Nine DeFi Protocols

Kelp, a liquid restaking platform built on Ethereum's staking infrastructure, was exploited on April 18, 2026, losing $293 million in what blockchain security firm Cyvers described as a "cross-protocol contagion" event that spread damage across at least nine separate DeFi protocols.

The attack ranks among the largest DeFi exploits on record. The Ronin Bridge hack in March 2022 drained $625 million, and Poly Network lost $611 million in August 2021. At $293 million, the Kelp breach sits in that tier of catastrophic losses, and its ripple effects across nearly a dozen protocols make it structurally more complex than a simple single-contract drain.

Restaking platforms like Kelp allow users to take already-staked assets, such as liquid staking tokens, and stake them again across additional validation layers to earn compounded yield. The model amplifies capital efficiency but also amplifies risk: a single vulnerability in the restaking layer can unwind positions across every protocol integrated with or exposed to the exploited platform. That is precisely what happened here. Cyvers confirmed the initial exploit propagated outward, triggering cascading failures across nine interconnected protocols, though the firm has not yet publicly named all nine affected parties.

The mechanics of the attack have not been fully disclosed as of publication. Smart contract exploits of this scale typically involve flash loan manipulation, oracle price feed abuse, or a flaw in the logic governing how staked assets are accounted for and withdrawn. Given Kelp's architecture, sitting between base-layer staking and secondary yield strategies, a miscalculation in share pricing or a reentrancy vulnerability in the withdrawal function would be consistent with the reported damage. Security researchers are actively reviewing on-chain transaction data, and a full post-mortem is expected within days.

Cross-protocol contagion is the defining feature separating this exploit from a contained breach. When DeFi protocols integrate with one another, they share not just liquidity but counterparty risk. Any protocol that accepted Kelp's receipt tokens as collateral faced an immediate solvency question once those tokens lost backing. Lending markets, yield aggregators, and liquidity pools that held or priced against Kelp-issued assets all experienced sudden, involuntary exposure to the loss. This is the structural fragility that critics of composable DeFi have flagged for years, and the Kelp incident is now the clearest recent example of it materializing at scale.

Defenders of the DeFi model will note that the broader system did not collapse. No bank run swept Ethereum's liquid staking sector, and the nine affected protocols, while damaged, did not trigger a systemic cascade into the wider market. Proponents also point to the growing role of on-chain security monitoring firms like Cyvers, whose real-time detection capabilities far outpace anything available during the 2021 to 2022 exploit wave. A developing market for DeFi insurance exists as well, though coverage at the $293 million scale remains effectively unavailable to most retail participants.

The harder question is what this means for restaking as a category. EigenLayer pioneered the restaking model on Ethereum, and a cohort of platforms including Kelp built liquid restaking layers on top of it, issuing tokens that represent restaked positions. That stack now carries a demonstrated exploit history. Protocols that integrated Kelp-issued tokens as collateral or yield-bearing assets will face governance votes on whether to delist or restrict those assets. Risk frameworks across lending markets will need repricing. The $293 million loss is the immediate damage figure; the secondary cost, measured in reduced integrations, tighter collateral requirements, and slower TVL growth across the restaking sector, will take weeks to quantify.

DeFi's total value locked had been recovering through early 2026 after a prolonged contraction. A breach of this magnitude, one that demonstrates how quickly a single exploit can propagate across nine protocols simultaneously, will pressure that recovery. Institutional participants evaluating on-chain yield strategies now have a fresh data point on tail risk. The Kelp exploit does not end restaking as a concept, but it forces a serious reckoning with how interconnected risk is priced, audited, and absorbed when it materializes.