An attacker reportedly exploited a vulnerability in KelpDAO’s rsETH liquid restaking token on April 18, 2026, draining an estimated $280 million or more across Ethereum and Arbitrum.
Key Takeaways:
Onchain investigator ZachXBT posted the initial alert to his public Telegram channel shortly before 3 p.m. ET, listing six wallet addresses tied to the theft and noting that the attacker wallets were funded through Tornado Cash before the drain began. His post cited losses exceeding $280 million across multiple DeFi protocols without naming KelpDAO directly, but onchain analysts connected the addresses within hours.
“KelpDAO appears to have had $280M+ stolen one hour ago on Ethereum and Arbitrum,” ZachXBT wrote. “The attack addresses were funded via Tornado Cash.”
Reports indicate the attackers exploited a flaw in KelpDAO’s rsETH infrastructure, triggering the unauthorized release of a large volume of the liquid restaking token without depositing new collateral. The acquired rsETH was then deposited into Aave V3 lending markets on both Ethereum and Arbitrum, where the attacker borrowed significant amounts of ETH and other assets against it.
