On-chain investigator ZachXBT flagged a $280 million+ exploit targeting KelpDAOโs rsETH liquid restaking token on April 18, 2026, draining funds across Ethereum and Arbitrum. The attacker exploited a minting flaw in rsETH to create uncollateralized tokens, deposited them into Aave V3 lending markets, and borrowed real assets against them. The AAVE token dropped 10-13% within hours as the market priced in potential bad debt exposure. KelpDAO had not issued an official response at the time of reporting.
Mint, Deposit, Borrow, Drain: How the Attack Worked
The exploit followed a familiar but highly effective pattern. The attacker appears to have found a flaw in rsETHโs minting logic that allowed the creation of a large volume of the liquid restaking token without providing proper collateral. That inflated rsETH was then deposited into Aave V3 lending pools on both Ethereum and Arbitrum, where the attacker borrowed significant amounts of ETH and other assets against the fraudulent collateral.
Once the underlying rsETH was recognized as worthless, the positions became uncollateralized, leaving Aave with bad debt. Community estimates of total losses ranged from $100 million to roughly $293 million, equivalent to approximately 116,500 ETH at current prices. One attacker wallet alone reportedly held approximately $120 million in ETH on Aave at the time of detection.
KelpDAO Exploit Summary
| Detail | Value |
|---|---|
| Protocol exploited | KelpDAO (rsETH liquid restaking token) |
| Estimated losses | $280 million+ (~116,500 ETH) |
| Chains affected | Ethereum and Arbitrum |
| Attack vector | rsETH minting flaw (uncollateralized tokens) |
| Lending protocols impacted | Aave V3, Compound |
| Attacker wallets identified | 6 (funded via Tornado Cash) |
| AAVE token impact | -10% to -13% within hours |
| Flagged by | ZachXBT (Telegram alert, ~3 PM ET) |
| KelpDAO official response | None at time of reporting |
Tornado Cash Funding, Six Wallets, Zero Response
ZachXBT posted the initial alert to his public Telegram channel shortly before 3 PM ET, listing six wallet addresses tied to the theft. He noted that the attacker wallets were funded through Tornado Cash before the drain began, a standard operational security tactic that confirms the attack was deliberate and pre-planned. โKelpDAO appears to have had $280M+ stolen one hour ago on Ethereum and Arbitrum,โ he wrote. โThe attack addresses were funded via Tornado Cash.โ
As of the time of reporting, KelpDAO had not published an official statement, post-mortem, or pause announcement. DeFi security firms including Peckshield and Slowmist had not yet published detailed breakdowns, reflecting how quickly the situation was still developing. The six attacker wallets remain active targets for on-chain tracing.
AAVE Takes the Hit: Composability Risk in Action
The exploit exposed a core risk of DeFi composability. Liquid restaking tokens like rsETH sit deep inside the DeFi stack. They are accepted as collateral across multiple lending markets simultaneously, which means a minting flaw in one protocol can spread losses rapidly to others. When rsETH was used to borrow real assets on Aave and Compound, the bad debt became their problem, not KelpDAOโs.
The AAVE token dropped between 10% and 13% within hours of ZachXBTโs alert as the market weighed the protocolโs potential bad debt exposure. Community members monitoring Aave governance channels were watching for any emergency actions, such as proposals to freeze rsETH as collateral or adjust risk parameters for affected pools.
Third Major DeFi Exploit in April 2026
The KelpDAO exploit is distinct from the Drift Protocol hack on April 1, which drained $285 million from a Solana-based DEX using a fake token and social engineering, and the Rhea Finance exploit on April 16, which hit NEAR Protocolโs largest DeFi hub for $18.4 million through oracle manipulation. Three major DeFi exploits in 18 days, across three different chains (Solana, NEAR, Ethereum/Arbitrum), with combined losses exceeding $580 million, underscores the scale of security risk facing the sector in 2026.
Anyone holding rsETH or related positions on Aave, Compound, or other lending markets was being advised by community members to review their exposure while the situation remained unresolved.
