ZachXBT Flags $280M+ KelpDAO Exploit Hitting Ethereum DeFi Lending Markets

Key Takeaways:

• ZachXBT flagged a $280M+ theft crossed Ethereum and Arbitrum DeFi protocols connected April 18, 2026.
• KelpDAO’s span exploit created atrocious indebtedness connected Aave V3, with AAVE token dropping astir 10-13%.
• KelpDAO has not confirmed the exploit; analysts are monitoring six identified attacker wallets for betterment clues.

Ethereum DeFi Exploit: KelpDAO rsETH Attack Drains Over $280 Million

Onchain researcher ZachXBT posted the initial alert to his nationalist Telegram transmission soon earlier 3 p.m. ET, listing six wallet addresses tied to the theft and noting that the attacker wallets were funded done Tornado Cash earlier the drain began. His station cited losses exceeding $280 cardinal crossed aggregate DeFi protocols without naming KelpDAO directly, but onchain analysts connected the addresses wrong hours.

“KelpDAO appears to person had $280M+ stolen 1 hr agone connected Ethereum and Arbitrum,” ZachXBT wrote. “The onslaught addresses were funded via Tornado Cash.”

Reports bespeak the attackers exploited a flaw successful KelpDAO’s Layerzero-powered bridge, triggering the unauthorized merchandise of a ample volume of rsETH without depositing caller collateral. The acquired rsETH was past deposited into AaveV3 lending markets connected some Ethereum and Arbitrum, wherever the attacker borrowed important amounts of ETH and different assets against it.

Once the collateral’s validity came into question, those positions near Aave holding atrocious debt. Community estimates of full losses ranged from $100 million to astir $293 million, the equivalent of astir 116,500 rsETH astatine existent prices.

AAVE dropped sharply connected the news. Market information shows the diminution betwixt 10% and 13% wrong hours of the archetypal alert, arsenic the marketplace weighed imaginable atrocious indebtedness vulnerability crossed the protocol’s lending pools.

Liquid restaking tokens similar rsETH beryllium heavy wrong DeFi composability. They are accepted arsenic collateral connected aggregate lending markets simultaneously, which means the exploit tin dispersed losses rapidly crossed platforms. The KelpDAO incidental illustrates that hazard directly.

Attacker wallets listed by ZachXBT showed ample ETH positions held connected Aave and Compound. One code unsocial reportedly held astir $120 cardinal successful ETH connected Aave astatine the clip of detection. Funds were moved rapidly aft the drain.

The usage of Tornado Cash to pre-fund operational wallets earlier the onslaught is simply a modular maneuver for attackers trying to obscure origins. It does not bespeak a caller technique, but it confirms the cognition was deliberate and planned.

As of astir 3 p.m. ET connected April 18, KelpDAO had not published an authoritative connection oregon post-mortem. The assemblage was watching the project’s X relationship and website for a response, arsenic good arsenic Aave governance channels for immoderate exigency actions.

DeFi security firms, including Peckshield, Slowmist, and others, had not yet published elaborate breakdowns astatine the clip of writing, reflecting however rapidly the concern developed. ZachXBT had not posted a follow-up specifically naming KelpDAO successful nationalist channels, but the code overlap drew a wide line.

This incidental is abstracted from the Drift Protocol exploit archetypal reported connected by Bitcoin.com News connected April 1, 2026, which progressive astir $280 cardinal drained chiefly connected Solana earlier USDC was bridged to Ethereum via CCTP. The mechanics, chains, and timelines are distinct.

Anyone holding rsETH oregon related positions connected Aave, Compound, oregon different lending markets was being advised by assemblage members to reappraisal vulnerability portion the concern remained unresolved.

The six attacker wallets identified by ZachXBT stay progressive targets for onchain tracing arsenic analysts enactment to representation wherever the funds moved aft leaving Aave.

Editor’s note: This nonfiction was updated to enactment that the contented was reported arsenic span exploit.