Aave and KelpDAO have launched a coordinated recovery plan worth nearly $278 million after completing the burn of fraudulently minted rsETH tokens tied to last month’s major DeFi exploit.
Key Takeaways
- Aave and KelpDAO burned 117,132 unbacked rsETH tokens on Arbitrum.
- The protocols have started refilling the LayerZero OFT adapter with nearly $278 million in assets.
- ETH withdrawals for affected users are expected to resume within 24 hours.
- KelpDAO is upgrading bridge security and migrating to Chainlink CCIP infrastructure.
What Happened?
Aave and KelpDAO have entered the final recovery phase following the April 2026 exploit that shook the decentralized finance industry and temporarily disrupted billions in liquidity across protocols.
The recovery effort includes burning the attacker’s rsETH tokens on Arbitrum and progressively restoring full backing for the liquid restaking token over the next two weeks. The move is expected to allow ETH withdrawals to reopen for affected users within the next 24 hours.
Kelp and Aave have successfully completed a series of steps for rsETH backing, including burning the exploiter’s rsETH on Arbitrum.
— Kelp (@KelpDAO) May 12, 2026
117,132 rsETH will be progressively refilled from Aave Recovery Guardian and Kelp Recovery Safe into the LayerZero OFT adapter on mainnet over the…
A Coordinated Recovery Effort Begins
KelpDAO confirmed that 117,132 rsETH tokens tied to the exploit have now been burned on Arbitrum. At current market prices, the recovered assets are worth approximately $278 million.
The refill process is being carried out using funds from the Aave Recovery Guardian multisig and KelpDAO’s recovery safe. Both entities are routing funds back into the LayerZero OFT adapter on Ethereum mainnet, which handles the locking, minting, burning, and release of rsETH during cross chain transfers.
KelpDAO stated that rsETH remains fully backed throughout the recovery process. Once the first tranche reaches the smart contract adapter, withdrawals are expected to resume within 24 hours. Deposits, redemptions, bridging, and claims will also gradually return to normal operations after contracts are reactivated.
The exploit originally took place on April 18, when attackers targeted KelpDAO’s LayerZero bridge configuration. According to details shared by the protocol, the bridge relied on a single verifier DVN setup, allowing attackers to compromise RPC nodes and feed fraudulent data into the system.
As a result, attackers minted roughly $292 million worth of unbacked rsETH tokens. A significant portion of those assets, approximately 89,500 rsETH, was deposited into Aave V3 as collateral to borrow wrapped ETH.
The exploit left Aave exposed to more than $190 million in undercollateralized positions and triggered sharp concerns across the DeFi market.
Aave and Arbitrum Moved Quickly
Following the exploit, Aave governance rapidly froze rsETH markets on Ethereum and Arbitrum to contain the damage. The Arbitrum Security Council also froze more than 30,000 ETH linked to the attack.
The incident caused rsETH to lose its peg and triggered temporary outflows exceeding $7 billion across decentralized finance platforms.
Recovery efforts intensified on May 6 when the attacker’s eight Aave V3 positions were liquidated across Ethereum and Arbitrum. The latest token burn marks another major milestone in restoring the integrity of rsETH supply.
The situation became even more complicated after a U.S. law firm filed a restraining notice claiming part of the recovered ETH could be tied to North Korea’s Lazarus Group. A federal judge later cleared the transfer of approximately $71 million in ETH back to Aave, allowing the recovery process to continue.
Blockchain security firm OpenZeppelin previously noted that no direct smart contract bug had been publicly identified, describing the exploit instead as an operational failure tied to bridge configuration and security assumptions.
KelpDAO Strengthens Security Infrastructure
KelpDAO has now completed what it described as a “security hardening pass” following the exploit.
The protocol said bridge verification now requires four independent attestors instead of a single verifier. It has also increased required block confirmations from 42 to 64 and deprecated certain layer 2 bridge routes.
In addition, KelpDAO confirmed it is migrating toward Chainlink CCIP infrastructure to improve cross chain security and reduce future bridge risks.
Aave founder Stani Kulechov acknowledged the pressure of the recovery process, saying the past several weeks had been “incredibly intense” for teams involved in restoring the ecosystem.
CoinLaw’s Takeaway
I think this recovery effort will become one of the defining case studies for DeFi security in 2026. The exploit exposed how dangerous weak bridge verification systems can become when billions in liquidity depend on them. In my experience, the industry often focuses heavily on smart contract audits while underestimating operational risks surrounding validators, messaging systems, and bridge infrastructure.
What stands out here is how quickly multiple protocols coordinated under pressure. Aave, KelpDAO, Arbitrum governance, legal teams, and recovery groups all worked together to contain losses and restore confidence. I found the move toward multi attestor security and Chainlink CCIP particularly important because it shows the industry is finally treating bridge security as critical infrastructure rather than an afterthought.
