Kelp just lost $293M and took nine other protocols down with it, proving that restaking's biggest promise is also its biggest liability.
The Summary
- Kelp's restaking platform was exploited for $293 million, triggering what security firm Cyvers called "cross-protocol contagion" across at least nine crypto protocols
- The attack exposed systemic vulnerabilities in DeFi, showing how interconnected protocols can amplify single points of failure
- Restaking, sold as a way to maximize capital efficiency, just demonstrated how efficiency and fragility are two sides of the same coin
The Signal
Restaking was supposed to be DeFi's next evolution. Instead of your ETH just sitting there securing Ethereum, restaking lets you use it again to secure other protocols. More yield, same capital. Kelp was one of the platforms making this possible.
The $293M exploit didn't just drain Kelp. It cascaded through nine different protocols that had built on top of Kelp's infrastructure. That's the "cross-protocol contagion" part. When one domino falls in a tightly coupled system, you find out real fast how many other dominos were leaning on it.
"Capital efficiency in DeFi means your assets are working harder. It also means when something breaks, it breaks everywhere at once."
Here's what matters for Web3's pitch about ownership and assets:
- Users thought they owned their staked assets, secured by code
- Those assets were actually dependencies in a chain of protocols
- One vulnerability meant nine protocols lost access to capital simultaneously
The restaking model works like this: you stake ETH to secure Ethereum (Layer 1). Then you "restake" that same ETH to secure other protocols built on Ethereum (Layer 2s, rollups, application chains). Your capital does double or triple duty. The yield compounds. So does the risk.
The exploit reveals systemic fragility in how DeFi protocols share infrastructure. When Kelp went down, it wasn't just Kelp users who got hit. Every protocol using Kelp as a trust layer suddenly had a security problem they didn't know they had yesterday.
This is the opposite of the "trustless" pitch. These protocols were all trusting Kelp's code, Kelp's security assumptions, Kelp's audit quality. They were trusting without admitting they were trusting. And $293M just proved that distinction doesn't matter.
The Implication
If you're building on crypto infrastructure, map your dependencies all the way down. Not just what you're directly using, but what those protocols are using, and what secures them. Cross-protocol contagion isn't theoretical anymore.
For anyone holding assets in restaking protocols: understand that higher yields come from leverage and reuse. Your staked ETH isn't just sitting in one place anymore. It's collateral in a system where one smart contract bug can cascade through multiple layers. The efficiency is real. So is the systemic risk.