TL;DR:
- KelpDAO and Aave announced the resumption of operations with rsETH after completing the first steps of the post-exploit recovery plan.
- The April 18 attack, attributed to North Korea’s Lazarus Group, generated approximately $190 million in bad debt for Aave and $292 million in total losses.
- Around $72 million in ETH recovered on Arbitrum remains frozen under a court restriction.
KelpDAO and Aave confirmed they will resume operations linked to rsETH in the coming days, after completing the first phase of the recovery plan stemming from the $292 million exploit that took place on April 18.
KelpDAO Could Take Two Weeks to Reintroduce rsETH
According to the protocol’s announcement, 117,132 rsETH —equivalent to the amount stolen— will be gradually reintroduced from the Aave Recovery Guardian and the Kelp Recovery Safe into the LayerZero OFT adapter on mainnet over the next two weeks. Once the smart contracts are reactivated, rsETH deposits, redemptions, bridges, and claims are expected to become available again.
Kelp and Aave have successfully completed a series of steps for rsETH backing, including burning the exploiter’s rsETH on Arbitrum.
117,132 rsETH will be progressively refilled from Aave Recovery Guardian and Kelp Recovery Safe into the LayerZero OFT adapter on mainnet over the…
— Kelp (@KelpDAO) May 12, 2026
Aave, for its part, confirmed that the first steps of the plan were completed, including the burning of the attacker’s rsETH on Arbitrum. The April attack remains the largest DeFi security breach so far in 2026. The actor behind the exploit, widely linked to North Korea’s Lazarus Group, deposited a significant portion of the stolen rsETH as collateral on Aave to borrow WETH, generating approximately $190 million in bad debt for the protocol. This attack prompted the creation of DeFi United, a collective working group focused on restitution that raised more than $300 million in ETH to limit the damage across markets.
Legal Conflict on Arbitrum
The Arbitrum Security Council had frozen approximately $72 million in ETH belonging to the attacker on Arbitrum. However, the transfer of those tokens to the restitution fund was challenged by plaintiffs linked to prior terrorism judgments against North Korea, who sought to restrict the Arbitrum DAO from moving the recovered assets.
Aave LLC filed an emergency motion in federal court arguing that the order was based on unproven claims about the role of the Lazarus Group. The court ultimately allowed the transfer of ETH to Aave, although the protocol remains unable to sell or move those funds without judicial authorization.
Technical Changes to the Protocol
On the technical side, KelpDAO updated its LayerZero configuration to require four independent attestors, raised block confirmations from 42 to 64 and removed all L2-to-L2 routes. The protocol is also advancing its migration to Chainlink CCIP.
LayerZero acknowledged that allowing single-verifier configurations for high-value transfers created security vulnerabilities, an admission that could redefine how DeFi teams assess bridge design and default security standards in high-value protocols.
