Hackers target DeFi protocol Kelp DAO in large $300m exploit

Summary

Security experts have flagged an apparent nearly $300 million exploit of Kelp DAO. - The $293.7 million in rsETH was drained from the protocol. - The DeFi community is still reeling from other recent exploits. That’s what appears to be the case after blockchain security experts on Saturday flagged nearly $300 million leaving Ethereum-based Kelp DAO. First alerted by blockchain sleuth ZachXBT via his Telegram channel, a total of $293.7 million was drained from the protocol’s rsETH adapter, a tool allowing users to deposit liquid staking tokens and get rsETH in return. Kelp DAO wrote on X that it had “identified suspicious cross-chain activity involving rsETH” and that it had paused rsETH contracts while it investigated the situation with security experts. Security firm Cyvers confirmed the hack to DL News, and said the funds had been swapped back to Ethereum and Arbitrum. It added that the attacker received funding from coin-mixer Tornado Cash to pay gas fees.

Stani Kulechov, Aave’s founder & CEO, wrote on X that “the asset does not have any borrowing power” and that Aave v3 and v4 have no exposure to rsETH. The price of Aave’s native AAVE token was down 10% over the past 24 hours, according to CoinGecko. Saturday’s attack comes as hackers seemingly step up their attacks on DeFi protocols. Cybercriminals hit Solana-based Drift Protocol on April 1, making away with $295 million. But they only managed to get away with $237,000 due to liquidity issues. Mathew Di Salvo is a news correspondent with DL News.