TLDR
- Kelp DAO confirmed the hacker’s 117,132 rsETH tokens were burned on the Arbitrum network
- The stolen rsETH will be refilled over two weeks via Aave Recovery Guardian and Kelp Recovery Safe
- Kelp plans to unpause withdrawals within 24 hours of the first refill tranche
- Security upgrades now require four independent attestors and 64 block confirmations
- A US court allowed Arbitrum to transfer $72 million in recovered ETH to Aave, but Aave cannot yet sell or move the funds
Kelp DAO and Aave are moving to restore normal operations following the April 18 hack that saw roughly $292 million drained from Kelp’s rsETH bridge. The exploit remains the largest DeFi security breach of 2026.
Kelp and Aave have successfully completed a series of steps for rsETH backing, including burning the exploiter’s rsETH on Arbitrum.
117,132 rsETH will be progressively refilled from Aave Recovery Guardian and Kelp Recovery Safe into the LayerZero OFT adapter on mainnet over the…
— Kelp (@KelpDAO) May 12, 2026
The attack was widely attributed to North Korea’s Lazarus Group. The group targeted Kelp’s LayerZero bridge adapter, which handles the minting, locking, and releasing of rsETH across different blockchain networks.
After the attack, the exploiter moved a large portion of the stolen rsETH to Aave as collateral to borrow wrapped Ether. That left Aave facing about $190 million in bad debt.
In response, Aave led an industry recovery effort called DeFi United. The initiative raised over $300 million in ETH to help cover losses and prevent wider damage to the DeFi sector.
On Tuesday, both Kelp and Aave confirmed the first steps of the recovery plan are complete. The exploiter’s 117,132 rsETH tokens — currently worth around $278 million — have been burned on Arbitrum.
Withdrawals Expected to Resume Within Days
Kelp said it will unpause withdrawals tentatively within 24 hours of the first tranche being returned to the LayerZero OFT adapter smart contract. Full operations, including deposits, redemptions, bridging, and claims, are expected to follow.
The stolen amount will be refilled progressively over two weeks using funds from the Aave Recovery Guardian and Kelp’s own recovery wallet.
Kelp also completed a security update to its bridging setup. Verification now requires four independent attestors instead of the previous single-attestor setup. Block confirmations were raised from 42 to 64, and all layer-2 to layer-2 routes have been deprecated.
The protocol is also migrating from LayerZero to Chainlink’s Cross-Chain Interoperability Protocol for cross-chain transfers.
LayerZero Apologizes for Its Role in the Breach
LayerZero has issued a public apology for its part in the exploit. The company initially blamed Kelp for using a 1-of-1 DVN configuration, which it said went against its recommendations. Kelp countered that this setup was the default on LayerZero-powered apps.
LayerZero later acknowledged it made a mistake by allowing that configuration for high-value transactions.
Meanwhile, the Arbitrum Security Council froze around $72 million worth of the attacker’s ETH on Arbitrum. The Arbitrum DAO approved transferring those funds to the restitution initiative.
That transfer hit a legal snag in early May when plaintiffs from older terrorism judgments against North Korea filed a court order blocking the move.
Aave LLC responded with an emergency motion in federal court, arguing the restraining order was based on unproven speculation.
The court sided with Aave, allowing Arbitrum to transfer the ETH. However, Aave remains barred from selling or moving the funds pending further court approval.
Kelp’s total value locked stood at around $1.55 billion as of this week, down from an all-time high of just over $2 billion in September 2025.
Ether was trading at around $2,260 on Tuesday, a 12-day low, down roughly 1% on the day.
