A hacker funded his wallet through Tornado Cash on Saturday, waited 10 hours, and then executed a transaction that siphoned $292 million from KelpDAO.
By the time anyone noticed, the money was gone. And by the time KelpDAO paused, two more attempts had failed within minutes.
KelpDAO hacker wanted to drain $391 million
The wallet that carried out the attack was funded through Tornado Cash’s 1 ETH pool. This is a standard obfuscation step that seeded the address with clean gas money.
The wallet called lzReceive on LayerZero’s EndpointV2 contract, and KelpDAO’s OFT bridge released 116,500 rsETH to a separate attacker address. The drain was complete in one transaction.
What followed showed how tight the margins were. The attacker returned twice. Two more LayerZero packets hit the bridge, each targeting 40,000 rsETH, worth about $100 million combined. Both reverted.
Five minutes earlier, Kelp’s emergency pauser multisig had executed pauseAll. The call froze the LRT Deposit Pool, Withdrawal contract, LRT Oracle, and the rsETH token as well. The interval between the successful drain and the pause was 46 minutes. And the interval between the pause and the next attack attempt was five minutes.
KelpDAO’s total loss would have been around $391 million if the attacker’s second and third attempts had succeeded.
The attacker triggers Aave bad debt
The 116,500 rsETH tokens were worth about $292 million at current prices. The amount represents ~18% of rsETH’s circulating supply of ~630,000.
rsETH is a liquid restaking token built on EigenLayer and is deployed across more than 20 networks, including Base, Arbitrum, Linea, Blast, Mantle, and Scroll.
The attacker didn’t simply hold the stolen rsETH tokens. According to on-chain data, the tokens were deposited into Aave V3 as collateral to borrow large amounts of Ether and Wrapped Ether. The funds were routed back through Tornado Cash to obscure the trail.
That step turned a bridge exploit into a potential bad debt problem for Aave, one of DeFi’s largest lending platforms. Aave V3 could face up to $177 million in bad debt exposure as a result.
Blockchain investigator ZachXBT flagged the incident on Telegram within an hour. “KelpDAO appears to have had $280M+ stolen one hour ago on Ethereum and Arbitrum,” he wrote, confirming the hacker wallets were funded via Tornado Cash.
Kelp’s first public statement came on X, more than two and a half hours after the drain. “Earlier today we identified suspicious cross-chain activity involving rsETH,” the protocol wrote. “We have paused rsETH contracts across mainnet and several L2s while we investigate. We are working with LayerZero, Unichain, our auditors and top security experts on RCA.”
Aave froze all of rsETH markets on both Aave V3 and V4. The protocol confirmed on X that the vulnerability was in rsETH, not Aave’s own contracts. “We are reviewing information about rsETH borrows on Aave that occurred after the exploit and will share more details as soon as possible,” Aave wrote. The Aave team is also exploring ways to cover the losses.
Aave fell 10.65% on the day to $103.86. Ethereum dropped ~3% and currently trades at $2,358.24.
The attack on KeplerDAO also struck less than two weeks after a $286 million exploit of Drift Protocol, the largest crypto theft of 2026 so far. According to a Cryptopolitan report, the Drift Protocol hack is linked to the same group that stole $1.4 billion from Bybit.
KelpDAO now holds the second spot on the list of biggest crypto hacks in 2026.
