Liquid restaking protocol Kelp DAO and decentralized lending giant Aave have confirmed that the first phase of recovery from last month’s $292 million exploit is now complete, with rsETH operations expected to resume within days.
Kelp DAO announced on X on Tuesday that 117,132 rsETH, the exact amount drained by the attacker on April 18, will be progressively refilled from the Aave Recovery Guardian and Kelp Recovery Safe into the LayerZero OFT adapter on Ethereum mainnet over the next two weeks. The protocol said it expects to unpause withdrawals tentatively within 24 hours after the first tranche is deposited into the adapter.
“All rsETH operations, deposits, redemptions, bridging, and claims, will resume as usual after contracts are unpaused,” Kelp wrote, adding that rsETH on mainnet and Layer 2 networks remains fully backed at all times.
The announcement represents a major turning point in what has been the most disruptive DeFi security incident of 2026, one that triggered billions in withdrawals from lending markets, generated roughly $190 million in bad debt on Aave, and set off a legal dispute in a Manhattan federal court that remains unresolved.
Security hardening and migration to Chainlink
Before reopening operations, Kelp said it has completed a security hardening pass across all of its LayerZero bridging configurations. The changes, audited by blockchain security firm BailSec, include raising verification requirements to four independent attestors from the previous setup, increasing block confirmations from 42 to 64, and deprecating all Layer 2-to-Layer 2 bridging routes entirely.
These measures are intended to close the very vulnerability that enabled the April 18 attack. The exploit was carried out through a forged inbound message on Kelp’s LayerZero-powered cross-chain bridge, which tricked the system into releasing 116,500 rsETH on Ethereum without a corresponding burn on the source chain.
The attack was widely attributed to North Korea’s Lazarus Group, placing it alongside the 2022 Ronin Network and 2025 Bybit hacks in the state-sponsored hacking collective’s portfolio of large DeFi targets.
Beyond the immediate patches, Kelp has made clear that it views the LayerZero setup as fundamentally insufficient. The protocol announced earlier this month that it is migrating rsETH from LayerZero’s Omnichain Fungible Token standard to Chainlink’s Cross-Chain Interoperability Protocol (CCIP), becoming the first major protocol to leave LayerZero since the exploit.
The dispute between the two protocols over who bore responsibility for the vulnerable bridge configuration played out publicly for weeks. Kelp argued that LayerZero’s own team had approved the single-verifier setup across eight integration discussions over roughly 2.5 years and never flagged it as a security risk.
Data cited by Kelp from Dune Analytics showed that roughly 47% of active LayerZero applications were running an identical 1-of-1 verifier configuration at the time of the hack. A Crypto Times investigation had earlier noted that this exact vulnerability was flagged 15 months before the attack, yet no meaningful action was taken.Â
Cross-chain messaging protocol LayerZero eventually acknowledged that it made a mistake by allowing its own Decentralized Verifier Network to secure high-value transactions under that setup, reversing weeks of publicly attributing the failure to Kelp’s configuration choices. The fallout has since pushed nearly $2 billion in protocol assets toward Chainlink CCIP, with Solv Protocol also confirming its migration away from LayerZero.Â
Chainlink’s CCIP uses a fundamentally different architecture that requires at least 16 independent node operators to validate cross-chain transactions, rather than relying on a single verifier. The migration is already underway, with Kelp’s GitHub repository listing a new CCIP-based rsETH contract alongside the legacy LayerZero OFT contract.
Aave confirms liquidation of attacker’s positions
Separately, Aave confirmed that the first steps of its own rsETH recovery process are complete. The key action involved liquidating the exploiter’s remaining rsETH-backed lending positions on both Ethereum mainnet and Arbitrum, which the protocol described as one of the final on-chain steps needed before refilling operations could begin.
The liquidation required a governance process on Aave’s end, including a temporary manipulation of the rsETH oracle price to generate a deficit in the attacker’s fraudulent positions. Aave said all configuration changes made during the process would be fully reverted on completion, with no persistent changes to the protocol expected.
The recovered collateral was transferred to the Recovery Guardian, a designated multisig wallet managed by the DeFi United coalition. From there, the next phase involves burning the liquidated rsETH on Arbitrum and combining seized assets with ETH committed by coalition partners to restore full rsETH backing before markets are reopened.
“Progressively refilling the LayerZero OFT adapter and reopening rsETH operations will follow over the coming days,” Aave wrote.
DeFi United and the $300 million industry mobilization
The speed of the current recovery is largely a product of the unprecedented industry coordination that followed the attack. Within days of the April 18 exploit, Aave spearheaded the formation of DeFi United, a coalition that pulled together capital commitments from across the Ethereum ecosystem to close the rsETH backing gap and prevent cascading failures in interconnected lending markets.
The coalition’s contributor list reads like a who’s who of Ethereum infrastructure. Blockchain software giant Consensys and Ethereum co-founder Joseph Lubin committed 30,000 ETH, structured to provide immediate liquidity while governance processes at other protocols ran in parallel. Layer 2 blockchain Mantle extended a 30,000 ETH credit facility. The Aave DAO proposed a 25,000 ETH treasury contribution, with Aave founder Stani Kulechov adding a personal commitment of 5,000 ETH.
Other contributors included liquid staking protocol Lido (up to 2,500 stETH), restaking platform Ether.fi (5,000 ETH), LayerZero itself (5,000 ETH), and DeFi lending protocol Compound, which proposed up to 3,000 ETH. Smaller commitments came from the Golem Foundation, BGD Labs, and individual contributors. In total, DeFi United raised over $300 million in ETH commitments, enough to cover the full rsETH backing shortfall.
The legal dispute that remains unresolved
Even as the technical recovery advances, a legal complication continues to cast a shadow over the process. The Arbitrum Security Council, the emergency governance body for the Arbitrum Layer 2 network, had frozen approximately 30,766 ETH (roughly $72 million) connected to the attacker on April 20. Those funds were intended to form the single largest contribution to the DeFi United recovery effort.
On May 1, however, attorney Charles Gerstein of Gerstein Harrow LLP filed a restraining notice in the U.S. District Court for the Southern District of New York on behalf of families holding unpaid terrorism judgments against North Korea totaling more than $877 million. The plaintiffs argued that because the Lazarus Group carried out the exploit on behalf of the North Korean regime, the frozen ETH qualified as property of the DPRK and was therefore subject to seizure under existing terrorism restitution frameworks.
The restraining order blocked Arbitrum DAO from transferring the funds, even as a Snapshot vote showed overwhelming community support for releasing them to DeFi United.
Aave responded by filing an emergency motion to vacate the restraining notice, arguing that stolen property cannot legally belong to the thief and that the frozen ETH was owed to innocent Aave users, not to North Korea. The protocol warned that keeping the funds frozen could trigger cascading liquidations and set a precedent that would discourage future DeFi recovery efforts.
On May 9, Manhattan federal judge Margaret Garnett issued a modified order that allowed Arbitrum DAO to proceed with an on-chain governance vote to transfer the ETH to an Aave-controlled wallet, while explicitly shielding anyone who voted on or participated in the transfer from liability under the freeze. However, Judge Garnett left the terrorism creditors’ underlying claims on the assets intact, meaning the funds could potentially still be redirected to satisfy those judgments at a later stage.
The Arbitrum DAO approved the release with 182.2 million ARB tokens voting in favor, but the transfer remains subject to the broader legal proceedings. No timeline for a final divestiture hearing has been set.
What comes next
With the technical recovery now entering its final stretch and rsETH operations expected to resume shortly, the episode has already reshaped how the DeFi industry thinks about cross-chain security, crisis coordination, and the intersection of decentralized governance with traditional legal systems.
For Kelp, the immediate priority is completing the refill of the LayerZero OFT adapter, unpausing its smart contracts, and finalizing the migration to Chainlink CCIP. For Aave, the focus shifts to restoring all frozen rsETH and ETH markets across its deployments on Ethereum, Arbitrum, Base, Mantle, and Linea, and resolving the remaining bad debt tied to the exploit.
The broader question, whether the $72 million in Arbitrum-frozen ETH will ultimately reach DeFi United or be claimed by terrorism creditors, will likely take months to resolve in federal court. That outcome will set a precedent not just for this case, but for how recovered crypto assets are treated when state-sponsored actors are involved.
For now, though, the fact that rsETH is on the verge of resuming normal operations just under a month after the largest DeFi exploit of the year stands as evidence that the coordinated response worked. Whether the model that DeFi United built becomes a permanent fixture of the industry’s crisis infrastructure, as Kulechov has suggested it should, remains to be seen.
Also Read: Crypto Trader Drained of $200K in Telegram Bot Linked Crypto Hack
