Following the massive KelpDAO bridge exploit that drained approximately $292 million worth of rsETH tokens, two major DeFi protocols are moving forward with recovery measures. Lido announced the imminent resumption of operations for its EarnETH vault, while Aave DAO voted to liquidate the hacker's frozen funds to compensate affected users.
The incident occurred when an attacker exploited a cross-chain bridge used by KelpDAO, resulting in the loss of 116,500 rsETH. Lido proactively suspended its EarnETH vault—which generates yield on ETH deposits through DeFi strategies—as a precaution to ensure no user funds were compromised. The vulnerability was isolated to the bridge, and Lido confirmed that the vault's smart contracts remained secure. Throughout the suspension, reward distributions to EarnETH depositors continued uninterrupted, preserving yield accrual.
With the vault set to resume full operations, Lido demonstrates a robust risk management approach. Meanwhile, Aave's governance process culminated in a decisive vote: over 90% of participants, representing 190 million ARB tokens across 1,600 addresses, approved the liquidation of wallets tied to the hacker. This freed 30,765.67 ETH previously held by the Arbitrum Security Council, which had intercepted part of the attacker's funds. The recovery plan, coordinated with KelpDAO, LayerZero, EtherFi, and Compound, aims to restore the ETH backing of rsETH and compensate all holders.
Aave founder Stani Kulechov stated that additional steps will address bad loans estimated between $170–$230 million on Arbitrum. The protocol's automatic liquidation mechanisms triggered when the hacker attempted further borrowing, mitigating potential losses. Aave's total value locked has stabilized above $15 billion after an initial outflow of $10 billion, with utilization rates normalizing in major vaults. However, overall lending activity remains subdued: total loans fell 35% over the past 30 days, and stablecoin liquidity dropped 46.3%.
In response to the exploit, KelpDAO announced plans to migrate its cross-chain infrastructure to Chainlink's CCIP, moving away from LayerZero's tools. The coordinated response highlights DeFi's growing maturity in handling security crises while underscoring persistent bridge risks.
