Home » Crypto News
This became the biggest security incident of 2026 in terms of USD value.
}
function loadTrinityPlayer(targetWrapper, theme,extras=””) {
cleanupPlayer(targetWrapper); // Always clean first ✅
targetWrapper.classList.add(‘played’);
// Create script
const scriptEl = document.createElement(“script”);
scriptEl.setAttribute(“fetchpriority”, “high”);
scriptEl.setAttribute(“charset”, “UTF-8”);
const scriptURL = new URL(`https://trinitymedia.ai/player/trinity/2900019254/?themeAppearance=${theme}${extras}`);
scriptURL.searchParams.set(“pageURL”, window.location.href);
scriptEl.src = scriptURL.toString();
// Insert player
const placeholder = targetWrapper.querySelector(“.add-before-this”);
placeholder.parentNode.insertBefore(scriptEl, placeholder.nextSibling);
}
function getTheme() {
return document.body.classList.contains(“dark”) ? “dark” : “light”;
}
// Initial Load for Desktop
if (window.innerWidth > 768) {
const desktopBtn = document.getElementById(“desktopPlayBtn”);
if (desktopBtn) {
desktopBtn.addEventListener(“click”, function () {
const desktopWrapper = document.querySelector(“.desktop-player-wrapper.trinity-player-iframe-wrapper”);
if (desktopWrapper) loadTrinityPlayer(desktopWrapper, getTheme(),’&autoplay=1′);
});
}
}
// Mobile Button Click
const mobileBtn = document.getElementById(“mobilePlayBtn”);
if (mobileBtn) {
mobileBtn.addEventListener(“click”, function () {
const mobileWrapper = document.querySelector(“.mobile-player-wrapper.trinity-player-iframe-wrapper”);
if (mobileWrapper) loadTrinityPlayer(mobileWrapper, getTheme(),’&autoplay=1′);
});
}
function reInitButton(container,html){
container.innerHTML = ” + html;
}
// Theme switcher
const destroyButton = document.getElementById(“checkbox”);
if (destroyButton) {
destroyButton.addEventListener(“click”, () => {
setTimeout(() => {
const theme = getTheme();
if (window.innerWidth > 768) {
const desktopWrapper = document.querySelector(“.desktop-player-wrapper.trinity-player-iframe-wrapper”);
if(desktopWrapper.classList.contains(‘played’)){
loadTrinityPlayer(desktopWrapper, theme,’&autoplay=1′);
}else{
reInitButton(desktopWrapper,’Listen‘)
const desktopBtn = document.getElementById(“desktopPlayBtn”);
if (desktopBtn) {
desktopBtn.addEventListener(“click”, function () {
const desktopWrapper = document.querySelector(“.desktop-player-wrapper.trinity-player-iframe-wrapper”);
if (desktopWrapper) loadTrinityPlayer(desktopWrapper,theme,’&autoplay=1’);
});
}
}
} else {
const mobileWrapper = document.querySelector(“.mobile-player-wrapper.trinity-player-iframe-wrapper”);
if(mobileWrapper.classList.contains(‘played’)){
loadTrinityPlayer(mobileWrapper, theme,’&autoplay=1′);
}else{
const mobileBtn = document.getElementById(“mobilePlayBtn”);
if (mobileBtn) {
mobileBtn.addEventListener(“click”, function () {
const mobileWrapper = document.querySelector(“.mobile-player-wrapper.trinity-player-iframe-wrapper”);
if (mobileWrapper) loadTrinityPlayer(mobileWrapper,theme,’&autoplay=1′);
});
}
}
}
}, 100);
});
}
})();
Summarize with AI
Summarize with AI
Multiple on-chain security companies and industry sleuths reported late on Saturday that the liquid restaking protocol KelpDAO had fallen victim to a major hack in which the perpetrators drained nearly $300 million.
The team behind the project confirmed the incident hours later, and added that they have partnered with LayerZero, Unichain, their auditors, and ‘top security experts’ to resolve the issue.
The Biggest Hack of 2026
Cyvers was among the security resources that detected the breach in its initial phase and later provided a more detailed explanation of what happened. According to a post they shared with CryptoPotato, the attacker exploited the protocol’s bridge contract and siphoned roughly $293.7 million from its liquid restaking token, rsETH.
The bad actor moved quickly after taking hold of the funds and swapped them into ETH. They spread them across Ethereum and Arbitrum, with the on-chain activity showing that the attacker split the funds into two batches: $178 million on the former and $72 million on the layer-2 chain.
The stolen rsETH was deposited into lending protocols like Aave V3, Compound V3, and Euler. By using the illicitly obtained funds, they borrowed substantial amounts of WETH, creating more than $236 million in debt.
Cyvers explained that an attacker can end up creating unbacked rsETH and then use it to borrow real assets like ETH, which is “exactly how this kind of exploit blows up so fast.” The security experts added that this immediately became a cross-protocol contagion event, not just a single protocol exploit. Such assets that are deeply integrated across lending, vaults, and liquidity protocols are particularly susceptible to similar incidents, and one failure “does not stay contained.”
Aave V3 froze rsETH markets, SparkLend froze exposure, while Fluid, Compound, Euler, and others moved to contain risk. Cyvers said that at least 9 protocols were affected.
You may also like:
KelpDAO Talks
The project’s official X account confirmed the breach after they had “identified suspicious cross-chain activity involving rsETH.” They said they paused those contracts across the mainnet and several layer-2s as the investigation continued.
Although they are working with LayerZero, Unichain, auditors, and other security experts on the matter, there hasn’t been another update in the past 10 hours as of press time on what’s next and what users might expect.
KelpDAO’s hack became the largest in the industry so far in 2026, surpassing the previous ‘record-holder’, Drift Protocol, whose exploit was for $280 million.
Binance Free $600 (CryptoPotato Exclusive): Use this link to register a new account and receive $600 exclusive welcome offer on Binance (full details).
LIMITED OFFER for CryptoPotato readers at Bybit: Use this link to register and open a $500 FREE position on any coin!
Source: https://cryptopotato.com/the-biggest-hack-of-2026-what-we-know-about-the-294m-kelpdao-exploit/
