19 April 2026 | 08:04

On April 18, 2026, the decentralized finance (DeFi) sector suffered its most devastating blow of the year. A targeted exploit of KelpDAO’s LayerZero-powered cross-chain bridge resulted in the theft of approximately 116,500 rsETH, valued at nearly $293 million. The speed and scale of the attack have sent shockwaves through the ecosystem, leaving major lending protocols like Aave to manage the collateral damage.

Key Takeaways:

  • The Heist: $293M in rsETH drained in just 46 minutes on April 18.
  • The Method: A minting logic flaw allowed the attacker to create unbacked tokens, which were then used as collateral on Aave.
  • Aave's Bad Debt: The protocol is carrying $177M–$196M in bad debt; depositors may face "haircuts" on their WETH.
  • Market Panic: AAVE token dropped 14%; rsETH trading volume surged by 100,000% during the sell-off.
  • Year-to-Date Losses: Total DeFi losses for 2026 have already surpassed $450 million.
  • Contagion Control: SparkLend, Fluid, and Upshift have frozen all rsETH markets.

Anatomy of a 46-Minute Drain

The attacker, whose initial funding was traced to Tornado Cash, exploited a critical vulnerability in rsETH’s minting logic. By bypassing collateral requirements, the attacker was able to "print" rsETH out of thin air. These unbacked tokens were immediately deposited into Aave V3 and V4 as collateral to borrow massive amounts of wrapped ether (WETH).

KelpDAO’s emergency "pauseAll" function was triggered 46 minutes into the attack. This blocked two subsequent attempts to drain an additional $100 million, but the initial $293 million had already been moved, leaving the protocol largely hollowed out.

The Aave Fallout and "Haircut" Warnings

Aave is currently the hardest-hit secondary victim. Because the attacker’s collateral was unbacked, the borrowed WETH is now classified as bad debt, estimated at up to $196 million.

The protocol’s Umbrella safety module, which holds about $50 million, is expected to be activated, but it will not be enough to cover the full deficit. As a result, WETH suppliers have been warned that they may face a "haircut"—a proportional loss on their deposits—to absorb the remainder of the bad debt. This rare move has sparked intense debate over the safety of using complex Liquid Restaking Tokens (LRTs) as collateral.

A Brutal Year for DeFi Security

The KelpDAO incident caps a disastrous start to 2026. Cumulative sector losses have now reached nearly $482 million across 45 protocols. Notable breaches this year include:

  • Drift Protocol (April 1): $285M lost via social engineering of Security Council members.
  • Resolv Labs (March): $80M minted in unbacked stablecoins through a function flaw.
  • Step Finance (February): $27M–$40M lost to a private key compromise.
  • Truebit (January): $26M lost to an integer overflow vulnerability.

The Shift to Infrastructure Attacks

The data from early 2026 reveals a tactical shift among hackers. Pure smart contract exploits are being overtaken by infrastructure-level attacks, which now account for 76% of total losses.

These vectors include private key theft, social engineering, and supply chain attacks (such as the recent Axios npm malware). Additionally, AI-assisted phishing has surged by 500% compared to 2025, allowing attackers to scale fraudulent outreach with terrifying efficiency.

The Path Ahead: For KelpDAO and Aave, the immediate future is defined by recovery plans and debt absorption. Whether rsETH can regain its peg—or its reputation—depends entirely on the transparency and success of the upcoming recapitalization efforts.

By admin
