DeFi protocols Aave and Kelp DAO burned an exploiter's rsETH holdings on the Arbitrum network on May 12, initiating a technical recovery plan for the $292 million exploit that occurred on April 18.
"The first set of steps in the rsETH technical recovery plan are complete, including burning the exploiter’s rsETH on Arbitrum," Aave said in a statement on X.
The recovery's next phase involves refilling 117,132 rsETH into the LayerZero OFT adapter on Ethereum's mainnet over a two-week period. This action follows the formation of DeFi United, a coalition that raised over $327 million in ETH commitments from entities including Lido, EtherFi, and LayerZero itself to ensure rsETH remains fully backed.
The successful burn and refill are critical to restoring the full 1:1 backing of rsETH and re-enabling all platform functions, including withdrawals, which Kelp DAO expects to resume within 24 hours of the first refill installment. However, the recovery is complicated by a U.S. court case involving 30,765 ETH frozen on Arbitrum, which claimants are attempting to seize in relation to a terrorism judgment against North Korea.
The April 18 breach saw an attacker exploit a vulnerability in Kelp's LayerZero-powered bridge, allowing the minting of unbacked rsETH. These tokens were then deposited as collateral on Aave to borrow approximately $190 million in WETH, leaving significant uncollateralized debt within the lending platform.
In response, the DeFi community rallied to form DeFi United to address the shortfall without socializing losses among users. The coalition's fundraising, combined with on-chain actions, aims to make all affected users whole. On May 9, a U.S. District Judge cleared the way for the Arbitrum Security Council to transfer roughly 30,765 ETH ($71 million) associated with the perpetrator to a wallet controlled by Aave, though the funds cannot be redistributed without further judicial authorization due to the ongoing litigation.
Kelp DAO also announced it has enhanced its bridge security by requiring verification from four separate attestors and eliminating direct Layer 2-to-Layer 2 transfer paths to reduce cross-chain vulnerabilities. The protocol is also transitioning its bridge operations from LayerZero to Chainlink's CCIP for increased security.
This article is for informational purposes only and does not constitute investment advice.