Kelp DeFi Exploit Hits $293M, Triggers Cross-Protocol Contagion
DM
NewsroomWhy did the Kelp hack spread so quickly across multiple DeFi platforms?
What warning did the Kelp hacking incident send to the entire DeFi industry?
What emergency responses did major DeFi services take after this hacking incident?
- $293 million lost in Kelp attack, immediate fallout on nine DeFi platforms
- Flaws in non-isolated lending and cross-chain bridges exposed as main vulnerabilities
On April 19, 2026, Cointelegraph reported a major exploit of restaking protocol Kelp, resulting in losses estimated at $293 million. The attacker targeted vulnerabilities in Kelp's non-isolated lending structure and cross-chain bridge, sparking a contagion that quickly spread to at least nine connected DeFi protocols, including Aave, Compound, Fluid, SparkLend, and Euler. In response, affected platforms froze relevant markets or activated emergency measures to contain further damage.
Technical analysis from Curve Finance’s founder and security firm Cyvers pointed to the underlying causes of the exploit. Kelp and similar platforms accepted a broad range of tokens as collateral but failed to isolate lending risk. This structure meant that a weakness in any single asset could threaten the entire protocol, allowing vulnerabilities to cascade into other connected systems. The lack of isolated lending pools played a central role in the exploit’s rapid spread.
The attacker also took advantage of flaws in Kelp’s cross-chain bridge design. Cross-chain infrastructure, if not carefully secured, widens the attack surface and can expose multiple protocols to simultaneous risk. This incident highlighted how vulnerabilities in bridging can escalate quickly when assets and operational processes are shared across blockchains.
Security experts also noted that Kelp and its peers did not rigorously evaluate tokens they accepted as collateral. Tokens with weak governance or technical models can introduce threats, especially in DeFi ecosystems designed for composability. The exploit underlined the urgent need for comprehensive security reviews and stricter asset vetting, as failures in these processes can drive systemic risk across the network.
The aftermath prompted both DeFi security analysts and protocol founders to agree that traditional contract-level audits aren't enough in today’s rapidly evolving ecosystem. As protocols become more interconnected, there is a growing need for ongoing risk management across shared infrastructure and integrations. Calls are mounting for more conservative approaches to cross-chain features and asset onboarding standards.
The Kelp event is part of a wider trend of high-profile DeFi exploits in April 2026, driving new debate over systemic risk as platforms grow more complex and interconnected.
As of April 19, 2026, 17:09 UTC, Aave (AAVE) trades at $91.11, marking an 18.6% fall in 24-hour trading volume, per market data. Compound (COMP) trades at $24.96, with a 4.6% decrease over the same period.
Get real-time crypto breaking news on Unblock Media Telegram! (Click)
