Key Takeaways:
ZachXBT flagged a $280M+ theft across Ethereum and Arbitrum DeFi protocols on April 18, 2026. KelpDAO’s rsETH minting flaw created bad debt on Aave V3, with AAVE token dropping roughly 10-13%. KelpDAO has not confirmed the exploit; analysts are monitoring six identified attacker wallets for recovery clues. Ethereum DeFi Exploit: KelpDAO rsETH Attack Drains Over $280 Million“KelpDAO appears to have had $280M+ stolen one hour ago on Ethereum and Arbitrum,” ZachXBT wrote. “The attack addresses were funded via Tornado Cash.”
AAVE dropped sharply on the news. Market data shows the decline between 10% and 13% within hours of the initial alert, as the market weighed potential bad debt exposure across the protocol’s lending pools.
The use of Tornado Cash to pre-fund operational wallets before the attack is a standard tactic for attackers trying to obscure origins. It does not indicate a new technique, but it confirms the operation was deliberate and planned.
As of approximately 3 p.m. ET on April 18, KelpDAO had not published an official statement or post-mortem. The community was watching the project’s X account and website for a response, as well as Aave governance channels for any emergency actions.
Anyone holding rsETH or related positions on Aave, Compound, or other lending markets was being advised by community members to review exposure while the situation remained unresolved.
The six attacker wallets identified by ZachXBT remain active targets for onchain tracing as analysts work to map where the funds moved after leaving Aave.
