Tornado Cash-funded wallet steals 116,500 rsETH from KelpDAO in a major exploit that removed about $292 million from the protocol.
The attacker executed the transaction after funding the wallet and waiting roughly ten hours, allowing the operation to go unnoticed until after completion.
The incident quickly escalated into one of the largest crypto breaches of 2026, with further losses narrowly avoided.
Attack execution and rapid drain
The attacker began by funding a wallet through Tornado Cash using its 1 ETH pool, a common method used to obscure transaction origins.
After the waiting period, the wallet interacted with LayerZero’s EndpointV2 contract by calling the lzReceive function.
This triggered KelpDAO’s OFT bridge to release 116,500 rsETH to an address controlled by the attacker.
The transfer was completed in a single transaction, leaving little time for intervention. By the time the suspicious activity was identified, the funds had already been moved.
The scale of the exploit represents nearly 18 percent of the circulating supply of rsETH, which stands at around 630,000 tokens.
Failed attempts and emergency response
Following the initial success, the attacker attempted to execute two more transactions targeting an additional 80,000 rsETH, valued at about $100 million.
Both attempts failed due to a timely intervention by KelpDAO. The protocol’s emergency pauser multisig executed a pauseAll function, which halted key components, including the LRT Deposit Pool, Withdrawal contract, LRT Oracle, and the rsETH token itself.
The timeline shows how narrow the response window was. The pause occurred 46 minutes after the initial exploit, while the subsequent attack attempts were made just five minutes later.
If those transactions had succeeded, total losses could have reached approximately $391 million.
KelpDAO issued its first public statement more than two hours after the incident, confirming suspicious cross-chain activity involving rsETH.
The team stated that contracts across mainnet and several layer two networks were paused while investigations continued, and added that it was working with partners and security experts.
Aave exposure and market impact
The attacker did not hold the stolen tokens. Instead, the rsETH was deposited into Aave V3 as collateral, enabling the borrowing of large amounts of Ether and Wrapped Ether.
These borrowed funds were then routed back through Tornado Cash, further complicating tracking efforts.
This move created a potential bad debt issue for Aave, with exposure estimated at up to $177 million. In response, Aave froze all rsETH markets across its V3 and V4 platforms.
The protocol clarified that the vulnerability originated from rsETH rather than its own infrastructure and stated that it was reviewing the situation while exploring options to mitigate losses.
The broader market reacted quickly. Aave’s token declined by more than 10% to $103.86, while Ethereum fell around 3% to $2,358.
The incident follows closely behind another major exploit involving Drift Protocol, highlighting continued vulnerabilities across decentralized finance platforms.
Blockchain investigator ZachXBT flagged the breach within an hour, pointing to Tornado Cash as the funding source.
With the scale of the loss, KelpDAO now ranks among the most significant crypto hacks recorded this year.
