Justin Sun Appeals to KelpDAO Hacker After $293M Drain

On April 18, attackers exploited a weakness in a LayerZero bridge and removed 116,500 rsETH tokens, the liquid restaking derivatives tied to staked Ether, from KelpDAO. Justin Sun, founder of Tron, posted on X appealing to the attacker to strike a deal with KelpDAO to limit further harm and wrote, “You can’t spend $300 million anyway.” He also reported recovering about 65,584 ETH, roughly $154 million.

KelpDAO, a multicoin liquidity staking protocol that had about $1.5 billion in value locked at the time, suspended multisig governance, deposit and withdrawal pools, oracles, and the rsETH token across mainnet and Layer-2 networks. The protocol remains frozen while teams conduct assessments and recovery efforts.

Investigations point to a single-deployer verifier (DVN) deployment on the bridge as the vulnerability that allowed the exploit. After obtaining the rsETH, the attacker used those tokens as collateral on Aave to borrow large amounts of ETH, which created bad debt in that market.

The borrowing and ensuing market reactions prompted large withdrawals from liquidity providers. Estimates from market participants put assets pulled from liquidity markets at more than $54 billion as users moved funds from protocols perceived as exposed.

People familiar with the response reported that L1 rsETH is fully collateralized and described the affected Aave market as solvent. They indicated weETH was not affected, liquid vaults were operating normally, and customers of LiquidETH and LiquidUSD should not face drawdowns because any increased borrowing costs in Aave would be offset by the protocol’s reserves.

Governance forum posts show the 1/1 DVN setup was flagged about 15 months before the attack. The decision to deploy a single-verifier configuration on a bridge holding hundreds of millions of dollars has drawn scrutiny from participants and security observers, who noted similar patterns in past breaches later linked to insiders.

The KelpDAO exploit is the largest recorded DeFi attack in 2026 to date. Earlier in April, the Drift Protocol on Solana lost about $285 million in an attack that security analysts linked to a prolonged social-engineering campaign associated with a hacking group. Additional incidents in April affected Hyperbridge, Grinex Exchange, and Rhea Finance. Investigations into the KelpDAO breach and related contagion effects are ongoing.