Kelp DAO, Aave to resume rsETH operations as recovery from $292 million exploit progresses

Kelp DAO and Aave are expected to resume rsETH operations in the coming days after initial recovery steps following a major exploit that resulted in $292 million being stolen on April 18.

Background: April 18 exploit and rsETH exposure

The April 18 attack on Kelp remains the largest DeFi security breach of 2026. The attacker was widely identified as North Korea’s Lazarus Group.

Soon after the exploit, the attacker moved a significant portion of the stolen rsETH to Aave as collateral for WETH. This created approximately $190 million in bad debt for the Aave protocol.

Restitution efforts and funding

In response, Aave led an industry-wide restitution initiative called DeFi United. The initiative raised over $300 million in ETH, which was described as sufficient to mitigate further impact on the broader DeFi sector.

Earlier, the Arbitrum Security Council secured a large portion of the stolen funds by freezing about $72 million worth of the attacker’s ETH on Arbitrum. The council also proposed transferring those funds to DeFi United.

Arbitrum transfer delay and court action

On May 1, multiple plaintiffs from separate years-old terrorism judgments against North Korea filed an order restricting Arbitrum DAO from moving the recovered funds as they sought to claim the frozen ETH as restitution.

Although Arbitrum DAO approved the transfer proposal last week, the restraining order left the approximately $72 million transfer in limbo.

In response, Aave LLC filed an emergency motion in federal court to challenge the ruling. Aave argued the order was based on unproven speculation that Lazarus carried out the Kelp DAO exploit.

Following the motion, the court allowed Arbitrum to transfer ETH to Aave. However, Aave will still be barred from selling or moving the funds until court approval is granted.

LayerZero acknowledges issues in its setup

Separately, LayerZero issued a public apology regarding its handling of the situation. Initially, LayerZero blamed Kelp DAO for using a 1-of-1 DVN setup against its recommendations, while Kelp said the single-point setup was the default on LayerZero-powered applications.

LayerZero later acknowledged it made a mistake by allowing 1-of-1 DVN configurations for high-value transactions, which it said unknowingly created security risks.