ZachXBT Flags $280M+ KelpDAO Exploit Hitting Ethereum DeFi Lending Markets

Key Takeaways:

• ZachXBT flagged a $280M+ theft across Ethereum and Arbitrum DeFi protocols on April 18, 2026.
• KelpDAO’s rsETH minting flaw created bad debt on Aave V3, with AAVE token dropping roughly 10-13%.
• KelpDAO has not confirmed the exploit; analysts are monitoring six identified attacker wallets for recovery clues.

Ethereum DeFi Exploit: KelpDAO rsETH Attack Drains Over $280 Million

Onchain investigator ZachXBT posted the initial alert to his public Telegram channel shortly before 3 p.m. ET, listing six wallet addresses tied to the theft and noting that the attacker wallets were funded through Tornado Cash before the drain began. His post cited losses exceeding $280 million across multiple DeFi protocols without naming KelpDAO directly, but on-chain analysts connected the addresses within hours.

The attack followed a well-worn playbook. Reports say the attackers appear to have exploited a flaw in rsETH’s minting logic, creating a large volume of the liquid restaking token without providing proper collateral. That inflated rsETH was then deposited into Aave V3 lending markets on both Ethereum and Arbitrum, where the attacker borrowed significant amounts of ETH and other assets against it.

Once the collateral was recognized as worthless, those positions left Aave holding bad debt. Community estimates of total losses ranged from $100 million to roughly $293 million, the equivalent of approximately 116,500 ETH at current prices.

AAVE dropped sharply on the news. Market data shows the decline between 10% and 13% within hours of the initial alert, as the market weighed potential bad debt exposure across the protocol’s lending pools.

Liquid restaking tokens like rsETH sit deep inside DeFi composability. They are accepted as collateral on multiple lending markets simultaneously, which means a minting exploit can spread losses quickly across platforms. The KelpDAO incident illustrates that risk directly.

Attacker wallets listed by ZachXBT showed large ETH positions held on Aave and Compound. One address alone reportedly held approximately $120 million in ETH on Aave at the time of detection. Funds were moved quickly after the drain.

The use of Tornado Cash to pre-fund operational wallets before the attack is a standard tactic for attackers trying to obscure origins. It does not indicate a new technique, but it confirms the operation was deliberate and planned.

As of approximately 3 p.m. ET on April 18, KelpDAO had not published an official statement or post-mortem. The community was watching the project’s X account and website for a response, as well as Aave governance channels for any emergency actions.

DeFi security firms, including Peckshield, Slowmist, and others, had not yet published detailed breakdowns at the time of writing, reflecting how quickly the situation developed. ZachXBT had not posted a follow-up specifically naming KelpDAO in public channels, but the address overlap drew a clear line.

This incident is separate from the Drift Protocol exploit first reported on by Bitcoin.com News on April 1, 2026, which involved roughly $280 million drained primarily on Solana before USDC was bridged to Ethereum via CCTP. The mechanics, chains, and timelines are distinct.

Anyone holding rsETH or related positions on Aave, Compound, or other lending markets was being advised by community members to review exposure while the situation remained unresolved.

The six attacker wallets identified by ZachXBT remain active targets for onchain tracing as analysts work to map where the funds moved after leaving Aave. Besides onchain analysts like ZachXBT, Bitcoin.com News was the first crypto publication to report on this incident. The situation is still developing.