Can you lose money staking Ethereum?

Yes. While base Ethereum staking has a strong safety record, losses can occur through: slashing penalties (validators penalized for misbehavior — rare but possible), smart contract exploits in liquid staking protocols (the Kelp DAO $293M exploit in April 2026 is the largest example), depeg events where LSTs trade below ETH value during market stress (stETH hit 0.93 ETH in May 2022), and protocol shutdowns where services cease operations entirely (Loopring shut down in June 2026 with TVL down 99%). Losses from protocol-level failures differ from losses caused by ETH price decline, which affects all ETH holders equally.

What is Ethereum slashing and how does it work?

Slashing is a penalty mechanism that destroys a portion of a validator's staked ETH when the validator provably misbehaves — specifically, double-signing (attesting to two conflicting blocks) or surround-voting (creating contradictory attestation histories). The base penalty starts at 1/32 of the validator's stake (~1 ETH), but correlated slashing amplifies this: if many validators are slashed within the same 36-day window, the penalty scales proportionally, potentially reaching the validator's entire 32 ETH. Most historical slashing events resulted from infrastructure misconfiguration, not malicious intent.

Has any major liquid staking protocol been hacked?

The largest LST/LRT exploit occurred on April 18, 2026, when Kelp DAO lost $293 million to an attack attributed to North Korea's Lazarus Group. The attacker exploited a bridge vulnerability, not the core restaking contracts. Lido and Rocket Pool — the two largest pure LST protocols — have never been exploited in production. Bedrock suffered a smaller $2 million exploit on its uniBTC product in 2024. The established protocols (Lido since 2020, Rocket Pool since 2021) have the strongest security track records.

What does it mean when stETH depegs from ETH?

A depeg occurs when a liquid staking token trades below its underlying ETH value on secondary markets. During the May 2022 Terra/Luna collapse, stETH traded as low as 0.93 ETH — a 7% discount. This was a liquidity event (sellers outnumbered buyers), not an insolvency event (Lido's contracts still held 1:1 backing). After Ethereum's Shanghai upgrade in April 2023 enabled native withdrawals, stETH peg stability improved significantly because holders gained a direct redemption path to ETH.

How do I protect my staked ETH?

Key risk mitigation strategies: (1) Diversify across protocols — don't stake 100% of your ETH in a single protocol. (2) Prefer battle-tested protocols — Lido and Rocket Pool have 4+ years of production history without exploit. (3) Check audit history before depositing. (4) Monitor depeg risk — if your LST trades at a persistent discount, investigate why. (5) For solo stakers, use DVT (Distributed Validator Technology) to eliminate single points of failure. (6) Avoid newer LRT protocols with unproven bridge infrastructure. (7) Keep some ETH unstaked as a liquidity buffer.

What protocols have shut down in 2026?

Loopring, a pioneering Ethereum zk-rollup DEX, shut down all trading services on June 29, 2026, citing lack of user adoption. TVL had collapsed 99% from its $760 million November 2021 peak to approximately $8 million. LRC was delisted from Upbit and Binance, with price falling from an ATH of $3.75 to approximately $0.01. Swell Network discontinued its proprietary Swellchain L2 in June 2026. More than 60 crypto projects and protocols shuttered services in 2026 according to industry tracking.

Deep Dive · Security

Ethereum Staking Safety: Slashing, Exploits, Depegs, and How to Protect Your ETH (2026)

Every way Ethereum staking can go wrong — smart contract exploits ($293M Kelp DAO hack), depeg events (stETH at 0.93), protocol shutdowns (Loopring), slashing, regulatory action (Kraken SEC), and centralization risk — with real case studies and specific mitigation strategies.

Largest Exploit

$293M

Worst Depeg

0.93 ETH

Protocols Shut Down

60+

EF DVT Stake

72K ETH

Published 2026-06-29 · Updated 2026-06-29

Disclaimer

This article covers staking risks for educational purposes. It is not financial advice. Staking involves risk of partial or total loss of staked assets. Past security track records do not guarantee future safety. DYOR. NFA.

TL;DR

Ethereum staking is not risk-free. The Kelp DAO $293M exploit (April 2026, Lazarus Group) proved that even billion-dollar restaking protocols can be breached through bridge vulnerabilities. The stETH depeg to 0.93 ETH during the 2022 Terra collapse showed that liquid staking tokens can disconnect from their underlying value during market stress. And Loopring's June 2026 shutdown — TVL down 99%, token down 99.7% — proved that protocol death is a real outcome, even for early innovators.

This guide catalogs every major risk category — slashing, smart contracts, depegs, centralization, regulatory, and protocol death — with real-world case studies, severity assessments, and specific mitigation strategies. It covers what went wrong, what protected users who survived, and what to check before depositing into any staking protocol.

The Risk Taxonomy: Six Ways Staking Can Go Wrong

Every staking method carries risk. The question is not whether risk exists but which risks you are accepting and whether the yield compensates for them. The six major categories, ranked by historical severity:

Risk	Severity	Worst Case	Real Example	Affected Protocols
Smart Contract Exploit	Critical	Total fund loss	Kelp DAO $293M (Apr 2026)	All LSTs/LRTs
Protocol Death	Critical	Total value loss	Loopring -99% (Jun 2026)	Smaller protocols
Depeg Event	High	Forced sell at discount	stETH 0.93 ETH (May 2022)	All LSTs
Regulatory Action	High	Service shutdown	Kraken $30M SEC (Feb 2023)	CEX staking
Slashing	Medium	Partial stake loss	Rare; infrastructure errors	All staking
Centralization	Systemic	Network-level failure	Lido ~28% concentration	Network-wide

Smart Contract Exploits: The $293M Wake-Up Call

Smart contract risk is the most severe and most unpredictable threat to staked assets. Unlike slashing (which is bounded by protocol rules) or depeg events (which are temporary), a smart contract exploit can result in total, irrecoverable fund loss.

Case study — Kelp DAO, April 18, 2026: An attacker linked to North Korea's Lazarus Group exploited a 1-of-1 bridge vulnerability to mint 116,500 unbacked rsETH on Ethereum mainnet — approximately $293 million. The core restaking contracts were NOT breached; the vulnerability was in the bridge infrastructure that moved rsETH between chains. The exploit triggered a $13 billion DeFi-wide TVL drawdown. Kelp recovered full backing by May 14, but the event permanently established that LRT bridge infrastructure is the category's weakest link.

What protected users: Kelp's core protocol maintained 1:1 backing throughout the exploit. Users who held rsETH on Ethereum mainnet (not on an L2 via the compromised bridge) were not directly affected. The key lesson: the bridge is not the protocol. Evaluating an LRT's security requires evaluating every piece of infrastructure it touches, not just the staking contracts.

Track record by protocol age: Lido (live since December 2020) and Rocket Pool (live since November 2021) have never been exploited in production. The probability of a smart contract exploit correlates inversely with time in production — protocols that have survived 3+ years of adversarial conditions have demonstrated meaningful resilience, though it is never zero.

Protocol Death: When Services Shut Down

More than 60 crypto projects and protocols shuttered services in 2026. Protocol death is not a black swan — it is a recurring market feature, especially for smaller teams during extended bear markets.

Case study — Loopring, June 29, 2026: Loopring, a pioneering Ethereum zk-rollup DEX that launched in 2019, shut down all trading services immediately, citing permanent lack of user adoption. "We are coders, not business operators," the team wrote. TVL had collapsed from a November 2021 peak of $760 million to approximately $8 million — a 99% decline. LRC was delisted from Upbit (citing transparency concerns) and Binance, with price falling from an ATH of $3.75 to approximately $0.01. The team acknowledged their early architecture "has been outpaced" by modern zkEVM solutions.

What to watch for: Declining TVL (especially drops of 80%+ from peak), exchange delistings, team departures, reduced GitHub activity, and cessation of community communications. Swell Network's June 2026 discontinuation of its proprietary Swellchain L2 — while not a full shutdown — followed a similar pattern of retreating from an ambitious roadmap under market pressure.

Depeg Events: When LSTs Break From ETH

A depeg occurs when a liquid staking token trades below its underlying ETH value on secondary markets. This is typically a liquidity event — more sellers than buyers — not an insolvency event.

The stETH depeg (May 2022): During the Terra/Luna collapse, stETH traded as low as 0.93 ETH — a 7% discount. At the time, Ethereum had not yet enabled staking withdrawals (Shanghai upgrade came in April 2023), so there was no direct redemption path. Holders who needed liquidity were forced to sell on Curve at a discount. This was the market pricing in the risk that stETH might not be redeemable for a long time — not a failure of Lido's contracts. Since Shanghai enabled withdrawals, stETH peg stability has improved substantially because holders can redeem directly for ETH through Lido.

Mitigation: Choose LSTs with direct protocol-level redemption (not just DEX liquidity). stETH, rETH, cbETH, and most major LSTs now support native withdrawals. Check the withdrawal queue length — during periods of high demand, redemptions can take days.

Slashing: The Theoretical vs Actual Risk

Slashing is the Ethereum protocol's punishment for validator misbehavior — specifically, double-signing (attesting to two conflicting blocks) or surround-voting (creating contradictory attestation histories). The base penalty is approximately 1/32 of the validator's 32 ETH stake (~1 ETH). However, correlated slashing amplifies the penalty: if many validators are slashed within the same 36-day window, each individual penalty scales proportionally, potentially reaching the full 32 ETH stake.

In practice: Slashing has been rare on Ethereum's beacon chain. Most historical slashing events resulted from infrastructure misconfiguration (running the same validator key on two machines simultaneously) rather than malicious intent. Professional node operators running Lido and Rocket Pool validators have extensive anti-slashing protections including slashing protection databases and key management systems.

Restaking amplifies the surface: Validators who opt into EigenLayer restaking face slashing conditions from both Ethereum AND each AVS they secure. This is the fundamental trade-off of restaking: supplemental yield in exchange for an expanded slashing surface. The more AVS a validator secures, the more potential slashing vectors exist.

Centralization: The 28% Problem

Lido controls approximately 28% of all staked Ethereum. If Lido's node operators were to collude or be compromised, they could theoretically influence Ethereum's consensus — a concentration that concerns Ethereum researchers and developers.

Lido has taken steps to address this: the Community Staking Module (CSM) allows permissionless node operators with bonds as low as 1.5 ETH, dual governance gives stETH holders veto power over DAO decisions, and the curated operator set includes 30+ independent entities. But the structural dominance remains — Lido's network share has not meaningfully declined despite these efforts.

Coinbase operates roughly 10-12% of all Ethereum validators, adding another centralization vector from the exchange staking sector. Combined, Lido + Coinbase control approximately 38-40% of all staked ETH through just two entities.

Regulatory Risk: The Kraken Precedent

In February 2023, the SEC ordered Kraken to shut down its US staking service and pay a $30 million fine, alleging that staking-as-a-service constituted unregistered securities. Kraken immediately unstaked all US client assets.

The regulatory landscape has since shifted. In 2025, the SEC clarified that liquid staking activities do not constitute securities transactions, and the IRS/Treasury confirmed that investment trusts and ETPs may stake digital assets. Kraken relaunched compliant staking in January 2026, available in 37 US states. However, state-level restrictions remain in California, New Jersey, South Carolina, and several others — Coinbase staking enrollment is still restricted in those states.

Key takeaway: Regulatory risk primarily affects centralized exchange staking. Decentralized protocols like Lido and Rocket Pool are harder to target because there is no central entity to serve with enforcement actions — though this has not been tested in court.

DVT: The Institutional Safety Standard

Distributed Validator Technology (DVT) is the most significant safety advancement in Ethereum staking since the introduction of liquid staking itself. DVT splits a validator's signing key across multiple nodes using distributed key generation — the complete key never exists on any single machine.

In March 2026, the Ethereum Foundation staked 72,000 ETH using DVT-lite — a simplified distributed validator setup. Vitalik Buterin described it as the model institutional operators should adopt. This endorsement from the Ethereum Foundation itself elevated DVT from "interesting technology" to "institutional baseline expectation."

Leading implementations: Obol Network and SSV Network provide full DVT with distributed key generation across 4-7 nodes. DVT-lite (as used by the Ethereum Foundation) runs multiple nodes under a single operator's control. Origin Protocol's oETH uses DVT for its validator infrastructure. Each DVT node in a cluster needs the same hardware as a solo validator (8-12 cores, 64 GB RAM, 4 TB NVMe), but the redundancy eliminates the single-point-of-failure risk that causes most slashing events.

The Safety Checklist: What to Verify Before Staking

Pre-Deposit Safety Checklist

✓ Protocol has 2+ years of mainnet production without exploit

✓ Multiple independent security audits from reputable firms

✓ Active bug bounty program with meaningful rewards

✓ Direct protocol-level ETH redemption (not DEX-only exit)

✓ Governance timelock on contract upgrades

✓ LST/LRT maintains consistent 1:1 or better ETH backing

✓ Sufficient DEX liquidity for your position size

✓ For LRTs: bridge infrastructure uses multisig (not 1-of-1)

✓ No single protocol holds more than 50% of your staked ETH

✓ You have unstaked ETH as a liquidity buffer

The Bottom Line

Ethereum staking is not risk-free, and the risks are not equally distributed across protocols. The established players — Lido (4+ years, no exploit) and Rocket Pool (4+ years, no exploit) — have demonstrated meaningful resilience. Newer protocols, especially in the liquid restaking category, carry fundamentally higher smart contract and bridge risk, as the Kelp DAO exploit proved with $293 million in losses.

The best risk mitigation is diversification (across protocols, across staking methods, across time) and due diligence (audit history, production track record, withdrawal mechanisms, governance structure). DVT is emerging as the institutional safety standard for validator operations. And the most important safety rule is the simplest: never stake 100% of your ETH in a single protocol, no matter how established it appears.

Monitor Whale Staking Activity in Real Time

Deep Blue Alpha tracks 20,000+ Ethereum whale wallets — including their staking positions, LST holdings, and risk exposure.

Follow the Whales →