TLDR
- 117,132 rsETH tokens belonging to the attacker have been permanently burned on Arbitrum by Kelp DAO
- Replenishment of the drained rsETH will occur gradually across a two-week period through Aave Recovery Guardian and Kelp Recovery Safe
- Withdrawal functionality is scheduled to resume within 24 hours following the initial refill distribution
- Enhanced security protocols now mandate four separate attestors alongside 64 block confirmations
- Federal court authorization permits Arbitrum to send $72 million in reclaimed ETH to Aave, though restrictions prevent immediate liquidation or transfer
Kelp DAO and Aave have initiated the process to return to standard operations after the April 18 security breach that resulted in approximately $292 million being extracted from Kelp’s rsETH bridge infrastructure. This incident stands as 2026’s most significant DeFi security compromise to date.
[[EMBED_0]]
Security analysts broadly linked the assault to the Lazarus Group operating out of North Korea. The attackers exploited vulnerabilities in Kelp’s LayerZero bridge adapter, the component responsible for minting, securing, and distributing rsETH tokens across various blockchain ecosystems.
Following the breach, the perpetrator deposited substantial quantities of the compromised rsETH into Aave as collateral, subsequently borrowing wrapped Ether against it. This maneuver created approximately $190 million in uncollateralized debt for Aave.
To address the crisis, Aave spearheaded a coordinated industry response branded DeFi United. This collaborative effort successfully accumulated more than $300 million in ETH contributions aimed at offsetting losses and safeguarding the broader DeFi ecosystem from cascading failures.
On Tuesday, representatives from both Kelp and Aave announced the completion of initial recovery phase milestones. The attacker’s holdings of 117,132 rsETH tokens — presently valued at approximately $278 million — have been permanently removed from circulation on Arbitrum.
Withdrawal Functions Set to Resume Imminently
Kelp DAO indicated it plans to reactivate withdrawal capabilities provisionally within 24 hours after the initial distribution arrives at the LayerZero OFT adapter smart contract. Complete operational restoration, encompassing deposits, redemptions, cross-chain bridging, and reward claims, is anticipated shortly thereafter.
The restoration of stolen assets will proceed incrementally throughout a fourteen-day timeline, utilizing resources from both the Aave Recovery Guardian mechanism and Kelp’s dedicated recovery wallet.
Kelp has simultaneously implemented comprehensive security enhancements to its bridging infrastructure. The verification process now mandates approval from four independent attestors, replacing the former single-attestor framework. Block confirmation requirements have been elevated from 42 to 64, while all layer-2 to layer-2 transfer routes have been discontinued.
The protocol is additionally transitioning away from LayerZero toward Chainlink’s Cross-Chain Interoperability Protocol for future cross-chain asset movements.
LayerZero Issues Public Apology for Security Lapse
LayerZero has released a formal apology acknowledging its contribution to the security failure. The organization initially placed responsibility on Kelp for implementing a 1-of-1 DVN configuration, claiming this contradicted their published guidelines. Kelp refuted this assertion, noting that the configuration in question represented the standard default setting across LayerZero-integrated applications.
LayerZero subsequently admitted fault for permitting such a configuration on transactions involving substantial value.
Concurrently, the Arbitrum Security Council successfully froze approximately $72 million in ETH belonging to the attacker within the Arbitrum network. The Arbitrum DAO voted to authorize transferring these seized assets to the restitution program.
This transfer encountered legal complications in early May when claimants holding older terrorism-related judgments against North Korea obtained a judicial restraining order preventing the asset movement.
Aave LLC filed an urgent motion in federal court, contending the restraining order relied on unsubstantiated assumptions.
The court ruled in Aave’s favor, permitting Arbitrum to execute the ETH transfer. Nevertheless, Aave continues to face restrictions preventing the sale or relocation of these funds until additional court clearance is obtained.
Kelp’s total value locked measured approximately $1.55 billion this week, representing a decline from its peak of slightly above $2 billion recorded in September 2025.
Ether exchanged hands at roughly $2,260 on Tuesday, marking a 12-day low and reflecting approximately 1% downward movement for the trading session.
