What Is Kelp DAO Reopening After the Exploit?
Kelp DAO and Aave said they will restart rsETH-related operations in the coming days after completing the first recovery steps tied to last month’s $292 million exploit.
Kelp said 117,132 rsETH, equal to the amount stolen on April 18, will be gradually refilled from the Aave Recovery Guardian and Kelp Recovery Safe into the LayerZero OFT adapter on mainnet over the next 2 weeks.
“Kelp will unpause withdrawals, tentatively within 24 hours, after the first tranche to the LayerZero OFT adapter,” Kelp said.
Once smart contracts are unpaused, rsETH deposits, redemptions, bridging, and claims are expected to resume. Aave also confirmed that the first steps of the recovery plan are complete, including burning the exploiter’s rsETH on Arbitrum.
How Did the Exploit Affect Aave?
The April 18 attack remains the largest DeFi security breach of 2026. The attacker, widely linked to North Korea’s Lazarus Group, moved a large share of the stolen rsETH to Aave as collateral for WETH, creating about $190 million in bad debt for the protocol.
That exposure pushed Aave into a wider restitution effort known as DeFi United, which raised more than $300 million in ETH to limit further damage across DeFi markets.
The case also placed rsETH recovery at the center of a broader industry response involving Aave, Kelp DAO, Arbitrum, LayerZero, and affected market participants.
Investor Takeaway
Why Are the Arbitrum Funds Still Legally Sensitive?
The Arbitrum Security Council previously froze about $72 million worth of the attacker’s ETH on Arbitrum and proposed transferring the funds to the restitution effort.
The transfer was later challenged after plaintiffs from older terrorism judgments against North Korea filed an order seeking to restrict Arbitrum DAO from moving the recovered ETH.
Aave LLC filed an emergency motion in federal court, arguing that the order relied on unproven claims about Lazarus Group’s role in the Kelp DAO exploit. The court later allowed Arbitrum to transfer ETH to Aave, though Aave remains barred from selling or moving the funds without court approval.
Investor Takeaway
What Security Changes Followed the Attack?
Kelp said it has updated LayerZero bridging settings by requiring 4 independent attestors, raising block confirmations from 42 to 64, and ending all L2-to-L2 routes.
The protocol is also migrating from LayerZero to Chainlink’s CCIP, as previously announced.
LayerZero has apologized for its handling of the incident after initially blaming Kelp DAO for using a 1-of-1 DVN setup. Kelp argued that the single-verifier structure was the default configuration in LayerZero-powered apps.
LayerZero later acknowledged that allowing 1-of-1 DVN configurations for high-value transfers created security risks. The admission may weigh on how DeFi teams assess bridge design, verifier requirements, and default security settings for large-value protocols.
