- The Kelp DAO attacker moved about 75,700 ETH, worth roughly $175 million, across three transactions today.
- The attacker minted 116,500 reETH on KelpDAO’s bridge to borrow WETH from Aave/Compound, causing bad debt.
- Funds remain unmoved, though they could be laundered on Ethereum; the exploit raises DeFi security concerns.
On April 21, 2026, the KelpDAO attacker moved 75,700 Ethereum (ETH) worth about $175 million at $2,316 per ETH from the mainnet holding address across three large transactions. The attacker exploited a vulnerability in KelpDAO’s rsETH bridge protocol, minting 116,500 rsETH, accounting for part of the total $293M loss.
Kelp DAO Attacker Moves $175M in ETH in Three Transactions
The Kelp DAO attacker moved 75,701 ETH worth $175M at $2,316 per ETH out of the main Ethereum holding address in three large transactions on the Ethereum mainnet.
On-chain data shows that 50,700 ETH, valued at approximately $117.48M, was transferred to two newly created wallet addresses, 0x62c72510016732333e68177d388a8111643FC64E and 0xD4B87bAB0ee142182f7F6DA030AeFe3E7f171530.
An additional 25,000 ETH, worth about $57.9M, was moved from the primary attacker-controlled address, 0xF9802c5EB6b972Ba686aFa7CA615910Ea8310b85.
Source: Arkham Intelligence
This activity follows Arbitrum’s Security Council freezing 30,766 ETH worth $71M linked to the recent $293M KelpDAO bridge exploit involving rsETH on the L2 network earlier the same day. The remaining 75,700 ETH on mainnet was fully extracted before additional freezes could be applied.
How the Attacker Minted 116,500 rsETH from KelpDAO’s bridge
On April 19, 2026, the Kelp DAO attacker exploited a vulnerability in KelpDAO’s rsETH bridge. The underlying vulnerability was the bridge’s 1-of-1 Decentralized Verifier Network (DVN) configuration, a single-verifier setup that provided minimal redundancy.
The attacker called the lzReceive function with a crafted packet that spoofed a legitimate cross-chain message, which the bridge incorrectly accepted as valid, minting 116,500 rsETH and resulting in a total loss of about $293M, marking the fourth-largest exploit of 2026.
The attacker then collateralized the freshly minted rsETH into major lending protocols, including AAVE and Compound, to borrow WETH and ETH, creating significant bad-debt risk across these platforms.
According to sources, the extracted funds, approximately 106,466 ETH, were initially deposited into the address 0x5d3…57Ccc before being clustered under the consolidated “KelpDAO Attacker” entity on Arkham Intelligence.
Source:X
Kelp DAO’s emergency multisig paused core rsETH contracts across mainnet and multiple L2s just 46 minutes after the initial drain, successfully blocking follow-up attempts that could have extracted an additional $200M. The team also immediately launched a joint root-cause analysis (RCA) with LayerZero, Unichain, their auditors, and independent security firms.
What’s the Impact on DeFi Security and On-Chain Risk?
Notably, the 1-of-1 DVN flaw in LayerZero created a single point of failure affecting 40% of protocols, freezing rsETH markets, triggering $124–230M in Aave bad-debt risk, pausing more than 20 chains, and accelerating shifts to multi-verifier, natively issued cross-chain assets.
This rapid laundering via splits and early THORChain routing has heightened MEV congestion, oracle pricing volatility, and contagion fears for any protocol holding bridged LSD collateral. On-chain risk scores now assign elevated probability to “mint-then-borrow” vectors, while wrapped rsETH on L2s faces structural depegging pressure.
Aave governance is modeling two loss-socialization paths (full vs. L2-isolated) to resolve bad debt, while Kelp weighs partial haircuts on bridged positions versus mainnet holders. The protocol has committed to full transparency by publishing a joint root-cause report with LayerZero no later than May 5, 2026, which could drive industry-wide DVN hardening and clearer liability standards.
Related: Aave Under Strain as KelpDAO Exploit Disrupts DeFi Lending Markets
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
Source: https://coinedition.com/kelpdao-attacker-moves-75700-eth-worth-175m-in-three-transactions/
