Aave Labs has published its formal post-mortem on the April 18 Kelp DAO bridge exploit, confirming that all rsETH backing has been restored, WETH markets are operating normally, and Aave V3 is fully operational across every affected deployment. But one piece of the recovery remains unresolved: the $71 million in immobilized ETH that became the subject of a federal restraining notice in early May.
The post-mortem, published on Aave’s governance channels, lays out the technical timeline of the exploit, the coordinated DeFi United recovery effort that grew to roughly $300 million in commitments, and the structural risk changes Aave has implemented since. It also acknowledges that the legal proceedings tied to the recovery have not concluded.
What’s Been Restored
The technical recovery is complete. According to the post-mortem, the exploiter’s rsETH on Arbitrum has been burned, the LayerZero OFT adapter has been fully refilled across five tranches, and Kelp has reopened rsETH withdrawals, bridging, and claims.
The final tranche of 20,373.72 rsETH was transferred into the LayerZero OFT adapter on May 26, completing a total of 116,131.72 rsETH deposited across five tranches. WETH LTV across affected markets was reset to pre-exploit values, and outside of rsETH, Aave V3 is fully operational across all markets.
The recovery was orchestrated through the DeFi United coalition, which brought together contributors including Lido, EtherFi Foundation, Ethena, Mantle, Ink Foundation, Golem Foundation, Compound, LayerZero, Aave DAO, and Consensys, along with strategic advisory input from Joseph Lubin and Sharplink. By April 25, the recovery fund had grown to over $160 million in commitments, and it currently stands at around $300 million, subject to final agreements and execution.
The $71M Court Battle That Hasn’t Ended
The unresolved piece is the federal restraining notice. On May 1, judgment creditors in an unrelated federal matter served a restraining notice on Arbitrum DAO seeking to seize approximately $71 million in ETH that had been immobilized from the exploit and was pending return to affected users. The funds — 30,765.67 ETH — had been frozen by the Arbitrum Security Council on April 21 as part of the containment effort.
On May 4, Aave LLC filed an emergency motion to vacate the restraining notice, arguing that the immobilized ETH represented user funds temporarily taken during the exploit and later recovered and rejecting the idea that a hacker gains lawful ownership of assets simply by moving them on-chain.
On May 8, the court modified the restraining notice to permit an onchain Arbitrum governance vote and transfer of the immobilized ETH to Aave LLC, with the restraining notice attaching to Aave LLC upon transfer. The amended Constitutional AIP on Arbitrum has since passed and is pending onchain execution. Upon execution, 30,765.667501709008927568 ETH will transfer from the Security Council’s immobilized address to an Aave LLC-controlled address per the court order.
But the substantive merits of the restraining notice itself remain under consideration by the court. Aave LLC said it will continue to comply with the restraining notice while the court deliberates.
The case has broader implications for DeFi. The federal court ruling on whether the $71 million in Arbitrum-frozen ETH ultimately reaches DeFi United or is claimed by terrorism creditors will likely set precedent for how recovered crypto assets are treated when state-sponsored actors are involved.
Sweeping Risk Architecture Overhaul
Beyond the recovery itself, Aave has used the incident to push through one of the most extensive risk overhauls in its history.
Since the exploit, Risk Stewards have executed approximately 295 individual parameter changes across Aave V3 reserves. The bulk — 234 cap writes covering 168 supply cap reductions and 66 borrow cap reductions — was executed in a single risk-off round on April 23. Active reserves with non-trivial usage had caps reduced to roughly 1.2 to 1.3 times current deposits, while unused reserves had caps set to 1 to soft-freeze the reserve.
On May 28, Aave Labs posted a new Technical Asset Listing Framework to the governance forum, formalizing the technical baseline for new listings, continued listings, and material parameter expansion on Aave V3, V4, and Horizon. A Bridge Assessment Framework and a Non-technical Asset Listing Framework are expected in the coming weeks, with LlamaRisk separately publishing a new Risk Framework for analyzing assets.
Under the forthcoming LlamaRisk framework, a new system will automatically lower an asset’s LTV to zero as soon as risk thresholds for that collateral are met—a direct response to the contagion dynamics observed during the Kelp incident.
Aave Labs also confirmed that bug bounty program rewards have been increased fivefold, and operational security standards across Aave Labs and service provider operations have been tightened in response to the growing number of non-smart contract exploits.
V4 Migration Accelerates
The post-mortem makes clear that Aave V4 use will expand alongside continued operation of V3. V4’s dual-layer Hub and Spoke isolation architecture is being positioned as the structural answer to contagion risk: each Hub holds its own collateral set under its own risk configuration, while each Spoke holds an isolated position within a Hub and shares liquidity back only up to a capped amount.
During the recovery period, V4 demonstrated this isolation in practice. According to the post-mortem, V4 deposits grew from $30.8 million to $59.23 million during the recovery window, while active loans grew from $12.4 million to $20.69 million. Separate data from May 29 showed Aave V4 TVL surging 150% over 30 days, with deposits unaffected by the V3 stress.
GHO, Aave’s stablecoin, also held through the incident. Its peg bottomed at $0.9988 on April 20 — a 12.5 basis point discount—before drifting back toward parity. The GSMs absorbed the shock as designed, with USDT inventory fully drawn within roughly 19 hours and USDC inventory down approximately $33 million over the following week. Both have since begun to refill.
What’s Still Pending
The post-mortem lists several items still underway: the Aave Risk Framework from LlamaRisk, the Bridge Assessment Framework, the publication of currently listed asset reviews, on-chain execution of the Arbitrum DAO vote, and the pending court consideration of the restraining notice.
The Aave DAO balance sheet and active service providers remain in place to carry the remediation work forward. For users, the practical signal is that the protocol is operating normally again. For the broader DeFi ecosystem, the unresolved court case is the part of the Kelp recovery story still worth watching—because how it ends will shape how future DeFi recovery funds are treated when they intersect with U.S. federal litigation.
