Kelp DAO, Aave to resume rsETH operations as recovery from $292 million exploit progresses

Kelp DAO and Aave announced that they will resume rsETH-related operations in the coming days after successful first recovery steps following the $292 million exploit last month.

On Tuesday, Kelp wrote on X that 117,132 rsETH, the amount stolen on April 18, will be progressively refilled from Aave Recovery Guardian and Kelp Recovery Safe into the LayerZero OFT adapter on mainnet over the next two weeks.

"Kelp will unpause withdrawals, tentatively within 24 hours, after the first tranche to the LayerZero OFT adapter," Kelp said, explaining that all rsETH operations — including deposits, redemptions, bridging, and claims — will resume as usual after smart contracts are unpaused.

Kelp also said that it has completed a security update across all LayerZero bridging configurations — changing verification to require four independent attestors, raising block confirmations from 42 to 64, and deprecating all L2-to-L2 routes.

The DeFi protocol added that it is currently in the process of migrating to Chainlink's CCIP from LayerZero, as announced earlier.

Meanwhile, Aave also confirmed that the first steps of the rsETH recovery plan are complete, including burning the exploiter's rsETH on Arbitrum.

"Progressively refilling the LayerZero OFT adapter and reopening rsETH operations will follow over the coming days," Aave wrote.

Restoration efforts

The April 18 attack on Kelp remains the largest DeFi security breach of 2026, with the attacker widely identified as North Korea's Lazarus Group. Soon after the attack, the exploiter moved a significant portion of the stolen rsETH to Aave as collateral for WETH, creating about $190 million in bad debt for the protocol. 

This prompted Aave to lead an industry-wide restitution initiative called DeFi United, which raised over $300 million in ETH (ETH) — enough to mitigate further impact on the DeFi sector. 

Earlier, the Arbitrum Security Council had secured a large chunk of stolen funds by freezing around $72 million worth of the attacker's ETH on Arbitrum and proposed transferring the funds to the restitution initiative. 

On May 1, however, multiple plaintiffs from separate years-old terrorism judgments against North Korea filed an order restricting Arbitrum DAO from moving the recovered funds as they sought to claim the frozen ETH as restitution. 

Although the Arbitrum DAO approved the proposal last week, the restraining order had left the $72 million transfer in limbo.

In response to the order, Aave LLC filed an emergency motion in federal court to challenge the ruling, arguing that it was based on unproven speculation that Lazarus carried out the Kelp DAO exploit.

As a result, the court allowed Arbitrum to transfer ETH to Aave, though Aave will still be barred from selling or moving the funds until court approval.

LayerZero takes responsibility

Amid Arbitrum and Aave's efforts to contain the fallout from the Kelp DAO exploit, LayerZero has recently issued a public apology for its handling of the situation.

Initially, LayerZero blamed Kelp DAO for using a 1-of-1 DVN setup against its recommendations, while Kelp argued that the single-point setup was the default on LayerZero-powered apps.

LayerZero acknowledged that it made a mistake by allowing 1-of-1 DVN configurations for high-value transactions and thereby unknowingly created security risks.