A sophisticated cross-chain exploit on April 18, 2026, resulted in the theft of approximately 116,500 rsETH (worth roughly $272.8–$293 million) from the KelpDAO protocol. The attacker, whose wallet was initially funded with 1 ETH from the Tornado Cash mixer, exploited a critical flaw in the rsETH minting logic on a cross-chain bridge, allowing them to mint unbacked tokens.
The attack unfolded over 46 minutes. The fraudulent rsETH was immediately deposited as collateral on the Aave lending protocol (both V3 and V4 markets), where the attacker borrowed a substantial volume of Wrapped Ethereum (WETH). KelpDAO's emergency "pauseAll" function was triggered 46 minutes after the initial drain, blocking two subsequent attempts to steal an additional $100 million but not before the bulk of the funds were lost.
The fallout was immediate and severe. Aave froze all rsETH markets to contain exposure, but the protocol was left with an estimated $177–$196 million in bad debt. This shortfall is significant enough to potentially activate Aave's Umbrella safety module (holding ~$50 million) and may lead to a haircut for WETH suppliers on the platform. The AAVE governance token dropped as much as 14% following the news.
Other DeFi platforms, including SparkLend, Fluid, and Upshift, also froze rsETH markets to prevent further contagion. The stolen rsETH represented about 18% of the token's circulating supply, causing its trading volume to spike over 100,000% as holders rushed to exit.
The incident has reignited serious concerns about the risks of using Liquid Restaking Tokens (LRTs) like rsETH as collateral in money markets, due to their layered complexity and valuation challenges. It also highlights a troubling trend in DeFi security for 2026, where cumulative losses have already crossed $450 million across roughly 45 protocols, with infrastructure-level attacks like private key compromises and social engineering becoming the dominant vector.
