KelpDAO rsETH Mint Bug Drains Over $280M on Ethereum, Arbitrum
A minting flaw in KelpDAO’s rsETH token was exploited on April 18, 2026, allowing an attacker to mint fake rsETH and withdraw more than $280 million from Aave V3 markets.
On April 18, 2026, an attacker exploited a flaw in the minting logic for KelpDAO’s rsETH liquid restaking token and withdrew more than $280 million from Aave V3 lending markets on Ethereum and Arbitrum. Onchain investigator ZachXBT identified six attacker wallets and reported the wallets were pre-funded through Tornado Cash. He wrote, “KelpDAO appears to have had $280M+ stolen one hour ago on Ethereum and Arbitrum. The attack addresses were funded via Tornado Cash.”
Onchain analysts say the vulnerability allowed rsETH to be minted without posting equivalent collateral. The attacker deposited the inflated rsETH supply into Aave V3 markets on both chains as collateral, then borrowed large amounts of ETH and other tokens. When the minted rsETH was later recognized as worthless, those borrow positions created bad debt on Aave.
Community estimates of total losses varied, with figures reported between about $100 million and roughly $293 million, equivalent to about 116,500 ETH at current prices. Traces onchain showed large ETH positions linked to the listed attacker addresses; one wallet reportedly held about $120 million in ETH on Aave when investigators first detected the activity.
The AAVE token fell roughly 10% to 13% within hours of the alert as market participants assessed exposure across lending pools. Funds moved quickly after extraction. Analysts tracking the six addresses reported transfers out of Aave and are mapping subsequent routes and possible cash-out paths. The use of Tornado Cash to fund operational wallets before the exploit was noted by multiple investigators.
KelpDAO had not posted an official statement or a post-mortem as of mid-afternoon on April 18, and several DeFi security firms had not released detailed technical breakdowns. Community members were urged to review exposure to rsETH and related positions on Aave, Compound and other lending venues. Analysts monitoring the situation said recovery or mitigation efforts could depend on onchain tracing and any governance or emergency actions taken by affected protocols.
The incident involved rsETH and Aave V3 on Ethereum and Arbitrum. Investigators continue to follow the six attacker wallets for signs of fund movement and information that could assist tracing and any potential recovery efforts.
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.
Articles by this author
