Key Takeaways:
- ZachXBT flagged a $280M+ theft across Ethereum and Arbitrum DeFi protocols on April 18, 2026.
- KelpDAO’s exploit created bad debt on Aave V3, with AAVE token dropping roughly 10-13%.
- KelpDAO has not confirmed the exploit; analysts are monitoring six identified attacker wallets for recovery clues.
Ethereum DeFi Exploit: KelpDAO rsETH Attack Drains Over $280 Million
Onchain investigator ZachXBT posted the initial alert to his public Telegram channel shortly before 3 p.m. ET, listing six wallet addresses tied to the theft and noting that the attacker wallets were funded through Tornado Cash before the drain began. His post cited losses exceeding $280 million across multiple DeFi protocols without naming KelpDAO directly, but onchain analysts connected the addresses within hours.
“KelpDAO appears to have had $280M+ stolen one hour ago on Ethereum and Arbitrum,” ZachXBT wrote. “The attack addresses were funded via Tornado Cash.”
Reports indicate the attackers exploited a flaw in KelpDAO’s rsETH infrastructure, triggering the unauthorized release of a large volume of the liquid restaking token without depositing new collateral. The acquired rsETH was then deposited into Aave V3 lending markets on both Ethereum and Arbitrum, where the attacker borrowed significant amounts of ETH and other assets against it.
Once the collateral’s validity came into question, those positions left Aave holding bad debt. Community estimates of total losses ranged from $100 million to roughly $293 million, the equivalent of approximately 116,500 rsETH at current prices.
AAVE dropped sharply on the news. Market data shows the decline between 10% and 13% within hours of the initial alert, as the market weighed potential bad debt exposure across the protocol’s lending pools. The AAVE multisig guardian froze rsETH on lending markets, according to onchain data.
Liquid restaking tokens like rsETH sit deep inside DeFi composability. They are accepted as collateral on multiple lending markets simultaneously, which means the exploit can spread losses quickly across platforms. The KelpDAO incident illustrates that risk directly.
Attacker wallets listed by ZachXBT showed large ETH positions held on Aave and Compound. One address alone reportedly held approximately $120 million in ETH on Aave at the time of detection. Funds were moved quickly after the drain.
The use of Tornado Cash to pre-fund operational wallets before the attack is a standard tactic for attackers trying to obscure origins. It does not indicate a new technique, but it confirms the operation was deliberate and planned.
As of approximately 3 p.m. ET on April 18, KelpDAO had not published an official statement or post-mortem. The community was watching the project’s X account and website for a response, as well as Aave governance channels for any emergency actions.
DeFi security firms, including Peckshield, Slowmist, and others, had not yet published detailed breakdowns at the time of writing, reflecting how quickly the situation developed. ZachXBT had not posted a follow-up specifically naming KelpDAO in public channels, but the address overlap drew a clear line.
Drift Protocol Hack 2026: What Happened, Who Lost Money, and What’s Next
A Solana-based perpetual futures exchange lost $286 million in 12 minutes on April 1, 2026, after attackers spent three weeks…
Read Now
Drift Protocol Hack 2026: What Happened, Who Lost Money, and What’s Next
A Solana-based perpetual futures exchange lost $286 million in 12 minutes on April 1, 2026, after attackers spent three weeks…
Read Now
Drift Protocol Hack 2026: What Happened, Who Lost Money, and What’s Next
Read Now
A Solana-based perpetual futures exchange lost $286 million in 12 minutes on April 1, 2026, after attackers spent three weeks…
This incident is separate from the Drift Protocol exploit first reported on by Bitcoin.com News on April 1, 2026, which involved roughly $280 million drained primarily on Solana before USDC was bridged to Ethereum via CCTP. The mechanics, chains, and timelines are distinct.
Anyone holding rsETH or related positions on Aave, Compound, or other lending markets was being advised by community members to review exposure while the situation remained unresolved.
The six attacker wallets identified by ZachXBT remain active targets for onchain tracing as analysts work to map where the funds moved after leaving Aave.
Editor’s note: This article was updated at 4 p.m. ET to note that the Aave multisig guardian froze rsETH on specific lending markets.