Investor confidence in Kelp DAO is showing signs of recovery a month after a devastating $293 million exploit, with on-chain data from Santiment revealing a net outflow of 435 rsETH from exchanges on May 15. This marks a sharp reversal from the day of the hack in mid-April, when panic drove a net inflow of 563 rsETH onto trading platforms as holders rushed to sell.
The breach, now known to be one of the largest DeFi exploits of 2026, targeted Kelp DAO’s cross-chain rsETH token infrastructure. According to a Chainalysis analysis, attackers— linked to North Korea’s Lazarus Group—compromised internal RPC nodes and launched a DDoS attack against external nodes, feeding false data into a 1-of-1 verification path used by LayerZero’s infrastructure. This allowed a forged message to release 116,500 rsETH from the Ethereum-side adapter without a corresponding burn on the source chain, effectively draining the adapter’s reserves.
The fallout has been far-reaching. Aave, a major DeFi lending protocol, published two bad-debt scenarios: under uniform loss socialization, it could face $123.7 million in bad debt, but if losses are isolated to L2 rsETH holders, that figure could climb to $230.1 million. The incident has also shaken confidence in cross-chain bridge security, prompting Lombard Finance to announce the migration of more than $1 billion in bitcoin-backed assets from LayerZero to Chainlink CCIP, calling it a “vote of no confidence” in LayerZero’s bridge security.
In a positive turn for Kelp DAO, the protocol fully restored rsETH withdrawals, bridging, and all operations, which Santiment credits for the recent net outflows. The movement of tokens off exchanges to personal wallets is often interpreted as reduced selling pressure and a return of trust. Still, Kelp DAO has yet to release a full postmortem, and uncertainty lingers for affected users and the broader DeFi ecosystem.
