KelpDAO’s rsETH token recorded $936,000 in net outflows from exchanges within days of the protocol resuming operations on May 15, reversing a panic-selling pattern and signaling investor confidence recovery following a $292 million exploit that drained 152,577 rsETH one month earlier.
The Exploit and Immediate Aftermath
On April 18, 2026, KelpDAO fell victim to a cross-chain bridge vulnerability in LayerZero that resulted in the theft of 152,577 rsETH, worth $292 million at the time. The attack triggered a $13.5 billion total value locked (TVL) decline across DeFi protocols and sent immediate panic through the market. On the day of the exploit, 563 rsETH ($1.1 million) flowed into exchanges—a classic panic-liquidation signal. The breach exposed a critical weakness in LayerZero’s bridge architecture and raised systemic questions about cross-chain security protocols used across the DeFi ecosystem.
Recovery Signals in Token Flows
The outflow pattern that emerged post-May 15 represents a structural reversal of exchange behavior. Santiment analytics tracked 435 rsETH ($936,000) moving off exchanges into self-custody wallets, staking platforms, and DeFi protocols—indicating holders are repositioning capital rather than exiting. This contrasts sharply with the April 18 inflow, which signaled distrust. Recovery efforts involved coordinated seizures of hacker positions by KelpDAO, Arbitrum, and Aave DAO, alongside donations from EtherFi, Lido, and Ethena. The outflow data suggests these measures have partially restored protocol confidence among token holders.
Broader DeFi Security Reckoning
KelpDAO’s incident arrives amid a critical year for crypto infrastructure vulnerabilities. Crypto losses from exploits reached $823.9 million in 2026 alone, with LayerZero’s flaw joining separate attacks like THORChain’s $10.8 million hack. These incidents underscore the dependency of DeFi protocols on third-party bridge security and cross-chain verification mechanisms. With total crypto market cap at $2.57 trillion and recent daily declines of 2.74%, investor scrutiny of protocol-level risk management has intensified significantly.
Next Steps and Unresolved Variables
KelpDAO’s May 15 resumption announcement restored basic functionality but critical questions remain. The protocol has not disclosed full details on recovery fund distribution timelines or whether LayerZero has patched the underlying vulnerability. On-chain investigator ZachXBT and others continue tracking hacker fund movements. Institutional confidence hinges on transparent communication about security audits and whether bridging safeguards have been upgraded to prevent similar exploits.
