tradingkey.logo
tradingkey.logo
Search

KelpDAO hit as Tornado Cash-funded wallet steals 116,500 rsETH

CryptopolitanApr 18, 2026 11:44 PM
facebooktwitterlinkedin
View all comments0

A hacker funded his wallet through Tornado Cash on Saturday, waited 10 hours, and then executed a transaction that siphoned $292 million from KelpDAO.

By the time anyone noticed, the money was gone. And by the time KelpDAO paused, two more attempts had failed within minutes.

KelpDAO hacker wanted to drain $391 million

The wallet that carried out the attack was funded through Tornado Cash’s 1 ETH pool. This is a standard obfuscation step that seeded the address with clean gas money.

The wallet called lzReceive on LayerZero’s EndpointV2 contract, and KelpDAO’s OFT bridge released 116,500 rsETH to a separate attacker address. The drain was complete in one transaction.

What followed showed how tight the margins were. The attacker returned twice. Two more LayerZero packets hit the bridge, each targeting 40,000 rsETH, worth about $100 million combined. Both reverted.

Five minutes earlier, Kelp’s emergency pauser multisig had executed pauseAll. The call froze the LRT Deposit Pool, Withdrawal contract, LRT Oracle, and the rsETH token as well. The interval between the successful drain and the pause was 46 minutes. And the interval between the pause and the next attack attempt was five minutes.

KelpDAO’s total loss would have been around $391 million if the attacker’s second and third attempts had succeeded.

The attacker triggers Aave bad debt

The 116,500 rsETH tokens were worth about $292 million at current prices. The amount represents ~18% of rsETH’s circulating supply of ~630,000.

rsETH is a liquid restaking token built on EigenLayer and is deployed across more than 20 networks, including Base, Arbitrum, Linea, Blast, Mantle, and Scroll.

The attacker didn’t simply hold the stolen rsETH tokens. According to on-chain data, the tokens were deposited into Aave V3 as collateral to borrow large amounts of Ether and Wrapped Ether. The funds were routed back through Tornado Cash to obscure the trail.

That step turned a bridge exploit into a potential bad debt problem for Aave, one of DeFi’s largest lending platforms. Aave V3 could face up to $177 million in bad debt exposure as a result.

Blockchain investigator ZachXBT flagged the incident on Telegram within an hour. “KelpDAO appears to have had $280M stolen one hour ago on Ethereum and Arbitrum,” he wrote, confirming the hacker wallets were funded via Tornado Cash.

Kelp’s first public statement came on X, more than two and a half hours after the drain. “Earlier today we identified suspicious cross-chain activity involving rsETH,” the protocol wrote. “We have paused rsETH contracts across mainnet and several L2s while we investigate. We are working with LayerZero, Unichain, our auditors and top security experts on RCA.”

Aave froze all of rsETH markets on both Aave V3 and V4. The protocol confirmed on X that the vulnerability was in rsETH, not Aave’s own contracts. “We are reviewing information about rsETH borrows on Aave that occurred after the exploit and will share more details as soon as possible,” Aave wrote. The Aave team is also exploring ways to cover the losses.

Aave fell 10.65% on the day to $103.86. Ethereum dropped ~3% and currently trades at $2,358.24.

The attack on KeplerDAO also struck less than two weeks after a $286 million exploit of Drift Protocol, the largest crypto theft of 2026 so far. According to a Cryptopolitan report, the Drift Protocol hack is linked to the same group that stole $1.4 billion from Bybit.

KelpDAO now holds the second spot on the list of biggest crypto hacks in 2026.

Your bank is using your money. You’re getting the scraps. Watch our free video on becoming your own bank

Disclaimer: The information provided on this website is for educational and informational purposes only and should not be considered financial or investment advice.

Comments (0)

Click the $ button, enter the symbol, and select to link a stock, ETF, or other ticker.

0/500
Commenting Guidelines
Loading...

Recommended Articles

tradingkey.logo
* References, analysis, and trading strategies are provided by the third-party provider, Trading Central, and the point of view is based on the independent assessment and judgement of the analyst, without considering the investment objectives and financial situation of the investors.
Risk Warning: Our Website and Mobile App provides only general information on certain investment products. Finsights does not provide, and the provision of such information must not be construed as Finsights providing, financial advice or recommendation for any investment product.
Investment products are subject to significant investment risks, including the possible loss of the principal amount invested and may not be suitable for everyone. Past performance of investment products is not indicative of their future performance.
Finsights may allow third party advertisers or affiliates to place or deliver advertisements on our Website or Mobile App or any part thereof and may be compensated by them based on your interaction with the advertisements.
© Copyright: FINSIGHTS MEDIA PTE. LTD. All Rights Reserved.