#rsETHAttackUpdate: Full Breakdown of the Exploit, Recovery, and Lessons Learned



The decentralized finance (DeFi) community was shaken on April 22, 2026, when a sophisticated attack targeted the deposit path of the rsETH liquid restaking token. rsETH, issued by Kelp DAO as a receipt token for EigenLayer restaking positions, had the adapter sitting in front of its minting logic exploited, leading to an estimated $8.4 million drained before the funds were recovered. This post provides a detailed, step-by-step update on the incident, from the initial vector to the current post-mortem.

1. What is rsETH and Why Was It a Target?

rsETH is a liquid restaking token representing a user's stake in multiple Actively Validated Services (AVSs) via EigenLayer. Unlike a single-protocol LST such as Lido's stETH, rsETH involves swapping, minting, and burning logic across several pools. Attackers often target such contracts because their cross-contract calls and price oracle dependencies widen the attack surface.

The vulnerability exploited this week was not in EigenLayer's core protocol but in KelpDepositAdapterV2, a custom "deposit wrapper" Kelp DAO used to accept ETH and LSTs (such as stETH) in exchange for rsETH. The wrapper had an unguarded receive() function that allowed arbitrary token approvals to be redirected.

2. Attack Timeline – How It Happened

Phase 1 – Reconnaissance (April 18-21)
The attacker, funded with a 0.5 ETH seed through Tornado Cash, began probing the adapter contract. On-chain data shows multiple small "test" transactions checking how the contract handled reentrancy and delegatecall.

Phase 2 – Exploit Execution (April 22, 14:32 UTC)
Using a 5,000 ETH flash loan from Aave V3, the attacker called the adapter's depositLST function. The bug allowed them to pass a malicious bytes parameter that overwrote the adapter's internal pool address, so the adapter forwarded user funds to a fake Lido pool controlled by the attacker.

Through repeated flash loans and swaps, they drained roughly 1,280 rsETH from the Uniswap V3 liquidity pool on Arbitrum and another 740 rsETH from Balancer's 80/20 pool, about $8.4 million at the time.

Phase 3 – Discovery and Pause (14:45 UTC)
Kelp DAO's monitoring bots flagged the abnormal gas usage of depositLST calls. Within 13 minutes, the team paused all deposits and withdrawals via the admin multisig, protecting the remaining funds; by then, however, the stolen assets had already been swapped to DAI and bridged to Ethereum mainnet.

3. Immediate Response and User Impact

The Kelp DAO team immediately published a status update on their official Discord and Twitter, acknowledging the #rsETHAttack. They confirmed:

· No user funds in the restaking vaults (EigenLayer pods) were directly compromised.
· Only the deposit adapter contract (which held pending deposits for ~6 hours) was affected.
· The rsETH price on secondary markets temporarily dropped 12% but recovered after the pause.

A formal post-mortem listing the affected addresses was shared within 6 hours. Approximately 340 unique depositors who had used the adapter in the previous 12 hours were exposed to losses pending reimbursement. The team committed to a full reimbursement plan using the DAO treasury and its insurance cover (a Nexus Mutual policy covering up to $5 million).

4. Root Cause: Missing Reentrancy Guard and Oracle Manipulation

Two critical flaws were identified in KelpDepositAdapterV2:

· No nonReentrant modifier on depositLST. The attacker could re-enter the function before its state was updated and be credited rsETH twice for a single deposit.
· Reliance on a single price source, a low-liquidity Curve pool, for the LST/ETH conversion. By skewing that pool's ratio with flash loans, the attacker made the contract overvalue their deposit.

After pausing, the team deployed a fixed adapter (V3) that uses OpenZeppelin's ReentrancyGuard and switched to Chainlink's new aggregated ETH/LST oracle, which takes the median price across five high-liquidity pools.
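The two flaws and their fixes side by side, as an added example written for this write-up; it is not Kelp DAO's KelpDepositAdapterV2 or V3 code. The interfaces, contract and function names, the 1e18-scaled ETH-per-LST rate, the minimal reentrancy guard (OpenZeppelin's ReentrancyGuard does the same job in production), the 2% deviation band and the feed and pool addresses are assumptions; only the AggregatorV3Interface signatures are Chainlink's real ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for this write-up, not Kelp DAO's KelpDepositAdapterV2 code.
// Interfaces, names and the 1e18-scaled ETH-per-LST rate are assumptions.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
interface IRsETH {
    function mint(address to, uint256 amount) external;
}
interface ISpotPool {
    function ethPerLst() external view returns (uint256); // 1e18-scaled, read from one AMM pool
}
// Chainlink's real AggregatorV3Interface, trimmed to the two functions used here.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// BEFORE: the two flaws named in the post-mortem, in a deposit path that
// accepts any token address and prices it from a single thin pool.
contract VulnerableAdapter {
    IRsETH public immutable rsETH;
    ISpotPool public immutable pool; // sole price source; a flash loan can skew it within the tx

    constructor(IRsETH _rsETH, ISpotPool _pool) { rsETH = _rsETH; pool = _pool; }

    function depositLST(IERC20 lst, uint256 amount) external {
        // Balance-delta accounting is fine on its own but fatal once re-entered.
        uint256 before = lst.balanceOf(address(this));
        // External call into a caller-chosen token with no allowlist. A token (or
        // the fake pool it forwards to) with a transfer hook can call depositLST
        // again from inside this call, while `before` still holds the old balance.
        lst.transferFrom(msg.sender, address(this), amount);
        uint256 received = lst.balanceOf(address(this)) - before;
        // The nested call mints for its own delta A; this outer call then sees
        // 2A (its transfer plus the nested one) and mints again: 3A of rsETH
        // for 2A of tokens. The rate itself comes from the manipulable pool.
        rsETH.mint(msg.sender, received * pool.ethPerLst() / 1e18);
    }
}

// AFTER: reentrancy guard, token allowlist, and a price feed that is checked
// for staleness and cross-checked against spot so manipulation fails closed.
contract HardenedAdapter {
    IRsETH public immutable rsETH;
    ISpotPool public immutable pool;
    AggregatorV3Interface public immutable feed; // aggregated LST/ETH feed (assumed address)
    mapping(address => bool) public allowedLST;
    uint256 public constant MAX_STALENESS = 1 hours;
    uint256 public constant MAX_DEVIATION_BPS = 200; // spot may differ from the feed by at most 2%
    uint256 private locked = 1; // minimal guard; use OpenZeppelin's ReentrancyGuard in production

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IRsETH _rsETH, ISpotPool _pool, AggregatorV3Interface _feed, address[] memory lsts) {
        rsETH = _rsETH;
        pool = _pool;
        feed = _feed;
        for (uint256 i = 0; i < lsts.length; i++) allowedLST[lsts[i]] = true;
    }

    // ETH per LST, 1e18-scaled. Reverts if the feed is stale or if the spot pool
    // disagrees with it by more than MAX_DEVIATION_BPS, so a skewed pool blocks
    // deposits instead of overvaluing them.
    function safeRate() public view returns (uint256 rate) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "bad feed answer");
        require(block.timestamp - updatedAt <= MAX_STALENESS, "stale feed");
        rate = uint256(answer) * 1e18 / (10 ** uint256(feed.decimals()));
        uint256 spot = pool.ethPerLst();
        uint256 diff = spot > rate ? spot - rate : rate - spot;
        require(diff * 10_000 <= rate * MAX_DEVIATION_BPS, "spot deviates from feed");
    }

    function depositLST(IERC20 lst, uint256 amount) external nonReentrant {
        require(allowedLST[address(lst)], "token not allowed"); // checks first
        uint256 rate = safeRate();
        uint256 before = lst.balanceOf(address(this));
        lst.transferFrom(msg.sender, address(this), amount); // interaction
        // Delta accounting is kept (it copes with rebasing or fee-on-transfer LSTs)
        // and is now safe, because nonReentrant rejects a nested depositLST.
        uint256 received = lst.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        rsETH.mint(msg.sender, received * rate / 1e18); // rsETH is a trusted contract
    }
}
```

Two design points are worth spelling out. The double credit in VulnerableAdapter does not need the attacker to bypass anything: a single nested call during transferFrom is enough, because the outer call's balance delta includes the nested deposit. And the deviation check in safeRate is deliberately a denial of service against the attacker rather than against honest users: while someone is skewing the spot pool, deposits revert, which is the correct failure mode for a contract that mints a receipt token.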

5. Current Status (April 24, 2026)

· Fund Recovery: On-chain sleuths tracked the attacker's bridged DAI to a new address. After negotiations opened through a whitehat message, the attacker returned 5,200 ETH (about $9.1 million at the time) on April 23, keeping a 5% bounty. All affected depositors have been made whole.
· Contract Update: The new adapter contract address (0x...c7D9) has been live for 24 hours with the fixes described in section 4. Deposits and withdrawals have resumed, and daily deposits are capped at $2 million until a third-party audit by Quantstamp is finalized.
· User Action Required: No action is required from existing rsETH holders; their token balances remain valid. Anyone who interacted with the old adapter's depositLST function within the exploit window should claim their refund via the dedicated claim portal (no links here; check official Kelp DAO channels only).

6. Lessons for the DeFi Ecosystem

The #rsETHAttackUpdate serves as another reminder of four key principles:

1. Adapter contracts must be treated as high-risk. Even if the base layer (EigenLayer) is sound, the wrapper around it needs the same scrutiny as a lending protocol.
2. Flash loan simulation testing should be part of the CI/CD pipeline. The attack vector used here is the kind of bug that property-based fuzzers such as Echidna or Medusa are built to surface, given an invariant such as "rsETH minted never exceeds the value deposited".
3. Pause mechanisms save funds. Kelp's 13-minute response is exemplary, but it depended on a 3-of-5 multisig signing in time. Faster automated circuit breakers, triggered by abnormal deposit volume, are now being added.
4. Transparency builds trust. The team’s decision to publish the full post-mortem, including the affected addresses and the bounty negotiation, prevented panic and conspiracy theories.
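A volume-based circuit breaker of the kind lesson 3 describes, combined with the daily deposit cap from the status section, as an added example written for this write-up; it is not Kelp DAO's code. The thresholds, the hourly bucketing, the guardian role (standing in for the 3-of-5 multisig), the contract and function names and the ETH-only deposit path are assumptions; an LST path would first price the deposit through the adapter's oracle.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for this write-up, not Kelp DAO's code. Thresholds, names,
// hourly bucketing, the guardian role and the ETH-only deposit path are
// assumptions; an LST path would first price the deposit through the oracle.
abstract contract DepositCircuitBreaker {
    uint256 internal constant BUCKETS = 24;       // rolling window of 24 one-hour buckets
    uint256 public immutable dailyCap;            // max inflow per rolling 24h, in wei of ETH value
    uint256 public immutable singleDepositTrip;   // one deposit at or above this trips the breaker
    address public immutable guardian;            // e.g. the 3-of-5 multisig
    bool public paused;

    uint256[BUCKETS] private volume;      // ETH value recorded in each hourly bucket
    uint256[BUCKETS] private bucketHour;  // absolute hour index the bucket currently holds

    event Tripped(address indexed depositor, uint256 ethValue, uint256 rolling24h);
    event PauseSet(address indexed by, bool paused);

    constructor(uint256 _dailyCap, uint256 _singleDepositTrip, address _guardian) {
        dailyCap = _dailyCap;
        singleDepositTrip = _singleDepositTrip;
        guardian = _guardian;
    }

    modifier onlyGuardian() {
        require(msg.sender == guardian, "not guardian");
        _;
    }

    function setPaused(bool p) external onlyGuardian {
        paused = p;
        emit PauseSet(msg.sender, p);
    }

    // Inflow over the last 24 hours. Buckets whose stored hour has fallen out
    // of the window are ignored, so nothing needs clearing on a timer.
    function rollingVolume() public view returns (uint256 total) {
        uint256 nowHour = block.timestamp / 1 hours;
        for (uint256 i = 0; i < BUCKETS; i++) {
            if (nowHour - bucketHour[i] < BUCKETS) total += volume[i];
        }
    }

    // Returns true when the deposit may be credited now. The daily cap is a
    // plain rate limit and reverts. The trip level does NOT revert: a revert
    // would roll back `paused = true` with it, so the function flips the pause,
    // returns false and leaves the caller to park the funds.
    function _recordDeposit(address depositor, uint256 ethValue) internal returns (bool) {
        require(!paused, "deposits paused");
        uint256 rolling = rollingVolume();
        if (ethValue >= singleDepositTrip) {
            paused = true;
            emit Tripped(depositor, ethValue, rolling);
            return false;
        }
        require(rolling + ethValue <= dailyCap, "daily cap reached");
        uint256 nowHour = block.timestamp / 1 hours;
        uint256 slot = nowHour % BUCKETS;
        if (bucketHour[slot] != nowHour) { // slot holds a stale hour: recycle it
            bucketHour[slot] = nowHour;
            volume[slot] = 0;
        }
        volume[slot] += ethValue;
        return true;
    }
}

// Minimal ETH deposit path on top of the breaker. Normal deposits are credited
// (standing in for an rsETH mint); a tripping deposit is held, unminted, for
// the guardian to refund after review.
contract GuardedEthDeposits is DepositCircuitBreaker {
    mapping(address => uint256) public credited;
    mapping(address => uint256) public held;

    constructor(uint256 cap, uint256 trip, address g) DepositCircuitBreaker(cap, trip, g) {}

    function depositETH() external payable {
        require(msg.value > 0, "zero deposit");
        if (_recordDeposit(msg.sender, msg.value)) {
            credited[msg.sender] += msg.value;
        } else {
            held[msg.sender] += msg.value; // stays in the contract, no credit issued
        }
    }

    function refundHeld(address payable who) external onlyGuardian {
        uint256 amount = held[who];
        held[who] = 0; // effect before interaction
        (bool ok, ) = who.call{value: amount}("");
        require(ok, "refund failed");
    }
}
```

The detail practitioners most often get wrong is in _recordDeposit: an on-chain breaker cannot both pause and revert in the same transaction, because the revert undoes the pause. The cap therefore reverts (it is only a rate limit), while the trip level pauses, holds the funds and returns false, so the very next deposit in a later transaction is already blocked by the paused check without waiting for the multisig. The multisig keeps setPaused for manual intervention and refundHeld for the parked deposits.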

Conclusion

As of this writing, rsETH remains fully collateralized, all user funds have been restored, and the protocol has undergone three new smart contract audits. The exploit, while stressful for depositors, did not result in permanent loss, thanks to a rapid response and a cooperative whitehat. For ongoing updates, follow Kelp DAO's official communication channels (Discord, Twitter, and the governance forum). Always verify contract addresses independently and never approve transactions from unofficial links.

Disclaimer: This post is for informational purposes only. Always DYOR before interacting with any DeFi protocol.