Kelp DAO and Aave Set to Resume rsETH as Refill Plan Begins After $292M Exploit

Image Credit: aave.com

Kelp DAO and Aave said they will resume rsETH-related operations in the coming days after completing the first recovery steps following the April 18 exploit. The company said it will begin refilling the 117,132 rsETH stolen in the attack and plans to unpause withdrawals within 24 hours of the first tranche reaching the LayerZero OFT adapter on mainnet.

Kelp Begins Two-Week Refill to Replace 117,132 Stolen rsETH

On Tuesday Kelp said that 117,132 rsETH, the full amount taken in the April 18 attack, will be progressively refilled from the Aave Recovery Guardian and Kelp Recovery Safe into the LayerZero OFT adapter on mainnet over the next two weeks.

“Kelp will unpause withdrawals, tentatively within 24 hours, after the first tranche to the LayerZero OFT adapter,” Kelp said on X.

All rsETH operations, including deposits, redemptions, bridging, and claims, will resume once smart contracts are unpaused. Kelp also said it has completed a security overhaul of its LayerZero bridging configurations. Verification now requires four independent attestors, up from the single-verifier setup that was exploited.

Block confirmations have been raised from 42 to 64. All Layer 2-to-Layer 2 routes have been deprecated. Kelp added that it is migrating from LayerZero to Chainlink’s CCIP for cross-chain messaging.

Aave Confirms First Recovery Steps Are Complete

Aave confirmed separately that the initial phase of the rsETH recovery plan is done, including burning the exploiter’s rsETH on Arbitrum.

“Progressively refilling the LayerZero OFT adapter and reopening rsETH operations will follow over the coming days,” Aave wrote.

The exploit created roughly $190 million in bad debt on Aave after the attacker used stolen rsETH as collateral to borrow WETH from the lending protocol. Aave led the formation of DeFi United, an industry coalition that raised more than $300 million in ETH to backstop the losses and prevent broader contagion across the DeFi sector.

Court Allows $72M Frozen ETH Transfer to Aave, But Funds Stay Locked

The Arbitrum Security Council had frozen approximately $72 million in ETH tied to the attacker on Arbitrum shortly after the exploit. The Arbitrum DAO approved a proposal to transfer those funds to the restitution effort.

That transfer was blocked on May 1 when plaintiffs holding terrorism judgments against North Korea filed a restraining order seeking to claim the frozen ETH as restitution. The plaintiffs argued the exploit was carried out by North Korea’s Lazarus Group and that the recovered funds qualify as seizable North Korean state property.

Aave LLC filed an emergency motion to challenge the order. The court has since allowed Arbitrum to transfer the ETH to Aave, though Aave remains barred from selling or moving the funds until the court grants further approval. The underlying ownership dispute between exploit victims and the terrorism-judgment creditors is still being litigated.

LayerZero Backs Away From 1-of-1 DVN Configurations After Exploit

LayerZero has issued a public apology for its role in the exploit. The cross-chain protocol initially placed blame on Kelp DAO for running a 1-of-1 decentralized verifier network configuration against LayerZero’s recommendations. Kelp countered that the single-verifier setup was the default configuration on LayerZero-powered applications.

LayerZero has since acknowledged that allowing 1-of-1 DVN configurations for high-value transactions was a mistake that unknowingly created security risks. The protocol announced after the exploit that it would no longer sign messages for any application running a single-verifier setup.