Key Takeaways:
ZachXBT flagged a $280M+ theft throughout Ethereum and Arbitrum DeFi protocols on April 18, 2026. KelpDAO’s rsETH minting flaw created unhealthy debt on Aave V3, with AAVE token dropping roughly 10-13%. KelpDAO has not confirmed the exploit; analysts are monitoring six recognized attacker wallets for restoration clues.
Ethereum DeFi Exploit: KelpDAO rsETH Assault Drains Over $280 Million
Onchain investigator ZachXBT posted the preliminary alert to his public Telegram channel shortly earlier than 3 p.m. ET, itemizing six pockets addresses tied to the theft and noting that the attacker wallets have been funded by means of Twister Money earlier than the drain started. His submit cited losses exceeding $280 million throughout a number of DeFi protocols with out naming KelpDAO straight, however onchain analysts linked the addresses inside hours.
“KelpDAO seems to have had $280M+ stolen one hour in the past on Ethereum and Arbitrum,” ZachXBT wrote. “The assault addresses have been funded by way of Twister Money.”
The assault adopted a well-worn playbook. Experiences say the attackers seem to have exploited a flaw in rsETH’s minting logic, creating a big quantity of the liquid restaking token with out offering correct collateral. That inflated rsETH was then deposited into Aave V3 lending markets on each Ethereum and Arbitrum, the place the attacker borrowed important quantities of ETH and different property towards it.
As soon as the collateral was acknowledged as nugatory, these positions left Aave holding unhealthy debt. Group estimates of whole losses ranged from $100 million to roughly $293 million, the equal of roughly 116,500 ETH at present costs.
AAVE dropped sharply on the information. Market knowledge reveals the decline between 10% and 13% inside hours of the preliminary alert, because the market weighed potential unhealthy debt publicity throughout the protocol’s lending swimming pools.
Liquid restaking tokens like rsETH sit deep inside DeFi composability. They’re accepted as collateral on a number of lending markets concurrently, which suggests a minting exploit can unfold losses rapidly throughout platforms. The KelpDAO incident illustrates that threat straight.
Attacker wallets listed by ZachXBT confirmed giant ETH positions held on Aave and Compound. One handle alone reportedly held roughly $120 million in ETH on Aave on the time of detection. Funds have been moved rapidly after the drain.
The usage of Twister Money to pre-fund operational wallets earlier than the assault is an ordinary tactic for attackers attempting to obscure origins. It doesn’t point out a brand new approach, however it confirms the operation was deliberate and deliberate.
As of roughly 3 p.m. ET on April 18, KelpDAO had not revealed an official assertion or autopsy. The neighborhood was watching the challenge’s X account and web site for a response, in addition to Aave governance channels for any emergency actions.
DeFi security corporations, together with Peckshield, Slowmist, and others, had not but revealed detailed breakdowns on the time of writing, reflecting how rapidly the state of affairs developed. ZachXBT had not posted a follow-up particularly naming KelpDAO in public channels, however the handle overlap drew a transparent line.
Drift Protocol Hack 2026: What Occurred, Who Misplaced Cash, and What’s Subsequent
A Solana-based perpetual futures alternate misplaced $286 million in 12 minutes on April 1, 2026, after attackers spent three weeks…
Learn Now
Drift Protocol Hack 2026: What Occurred, Who Misplaced Cash, and What’s Subsequent
A Solana-based perpetual futures alternate misplaced $286 million in 12 minutes on April 1, 2026, after attackers spent three weeks…
Learn Now
Drift Protocol Hack 2026: What Occurred, Who Misplaced Cash, and What’s Subsequent
Learn Now
A Solana-based perpetual futures alternate misplaced $286 million in 12 minutes on April 1, 2026, after attackers spent three weeks…
This incident is separate from the Drift Protocol exploit first reported on by Bitcoin.com Information on April 1, 2026, which concerned roughly $280 million drained totally on Solana earlier than USDC was bridged to Ethereum by way of CCTP. The mechanics, chains, and timelines are distinct.
Anybody holding rsETH or associated positions on Aave, Compound, or different lending markets was being suggested by neighborhood members to evaluation publicity whereas the state of affairs remained unresolved.
The six attacker wallets recognized by ZachXBT stay lively targets for onchain tracing as analysts work to map the place the funds moved after leaving Aave.
