$280M+ Exploit Hits KelpDAO: rsETH Breach Leaves Aave Facing Major Bad Debt
April 18, 2026 In one of the most significant DeFi incidents of the year, KelpDAO has reportedly suffered a massive exploit involving its liquid restaking token, rsETH.
Early on-chain estimates suggest losses ranging between $100 million and $293 million, with some analysts pointing to approximately 116,500 ETH drained, valued at over $280 million.
The impact is already spreading across the ecosystem most notably to Aave V3, which may now be dealing with hundreds of millions in bad debt.
What Happened?
The exploit unfolded rapidly across Ethereum and Arbitrum.
According to preliminary on-chain analysis:
- Unauthorized rsETH Minting
Attackers appear to have exploited a vulnerability possibly in smart contract logic, oracle design, or access controls to mint large amounts of rsETH without proper collateral. - Leveraging Lending Protocols
The inflated rsETH was deposited into Aave V3 as collateral. - Mass Borrowing
Using this collateral, attackers borrowed significant amounts of ETH and other assets. - Fund Extraction and Obfuscation
The borrowed funds were withdrawn and partially routed through Tornado Cash to obscure transaction trails.
Key Wallets Involved
On-chain analysts have identified several addresses linked to the exploit:
0x5d3919F12bCc35c26Eee5F8226A9bee90c257Ccc0xBb6A6006Eb71205e977eCeb19FCaD1C8d631C7870x1F4C1c2e610f089D6914c4448E6F21Cb0db3adeF0xeBA786C9517a4823A5cFD9c72e4E80BF8168129B0xCBb24A6B4DAfaAA1a759A2F413eA0eB6AE1455CC0x8d11AeAC74267DD5C56D371bf4AE1AFA174C2d49
Additional wallets are actively moving funds, with some reportedly handling tens to over $100 million in assets before bridging or mixing.
Why This Attack Is So Dangerous
This wasn’t just a single protocol failure.
It exposed a core weakness in DeFi composability:
When one protocol’s asset is trusted as collateral elsewhere,
a single vulnerability can trigger a system-wide impact.
Just days before the exploit:
- rsETH collateral on Aave exceeded $1.2 billion
- KelpDAO TVL stood at approximately $1.33 billion
That interconnected exposure amplified the damage instantly.
Market Impact
📉 Aave Takes a Hit
- Potential hundreds of millions in bad debt
- $AAVE token dropped 11–13% shortly after the news
⚠️ rsETH Confidence Shaken
- Risk of depegging
- Loss of trust in restaking derivatives
🌐 Restaking Narrative Under Pressure
The exploit raises fresh concerns about:
- Liquid restaking safety
- Oracle reliability
- Cross-protocol dependencies
Immediate Reactions
Some platforms have already taken precautionary steps:
- Vaults linked to rsETH have paused deposits and withdrawals
- Other unaffected products remain operational
Meanwhile, the crypto community is actively tracking movements, with calls for investigation similar to past work by ZachXBT.
What Happens Next?
As of now, no full post-mortem has been released by KelpDAO.
However, the following are expected:
- Detailed forensic reports from security firms
- Possible emergency updates or parameter changes on Aave
- Governance discussions around handling bad debt
Historically, Aave has managed similar situations but this scale is significantly larger.
What Users Should Do Now
If you’re exposed to rsETH or related protocols:
- Monitor your positions closely
- Review collateral health
- Avoid high-risk restaking strategies for now
This situation is still evolving.
Final Take
This exploit is another reminder that:
👉 DeFi innovation comes with real risk
👉 Composability can amplify vulnerabilities
👉 Security must evolve as fast as the ecosystem
As the industry pushes forward, one question remains:
Can DeFi scale safely…
or are these systemic risks still too big to ignore?
⚠️ Disclaimer
This report is based on preliminary on-chain data and community analysis as of April 18, 2026. Details may evolve as official investigations continue.
