Kelp DAO has finalized the operational phase of its rsETH recovery plan, five weeks after a $293 million exploit disrupted the liquid staking protocol and sent shockwaves through decentralized finance markets. The exploit, linked to North Korea’s Lazarus Group on April 18, targeted Kelp DAO’s bridge infrastructure by forging a LayerZero packet, allowing attackers to drain 116,500 rsETH across chains and deposit it into lending markets, particularly Aave.
On May 25, Kelp DAO confirmed that the final tranche of 20,373.72 rsETH had been sent to the LayerZero OFT adapter, a smart contract responsible for locking, minting, burning, and releasing rsETH during cross-chain transfers. This step completes the operational recovery, following an initial tranche of 25,000 rsETH transferred on May 13 that resumed bridging between Ethereum mainnet and Layer 2 networks. Withdrawals were reopened on May 14. The protocol stated that rsETH minting, redemptions, and rewards are now running normally, with the token’s backing fully restored. Over two weeks, approximately 116,000 rsETH was refilled into the adapter through contributions from Aave and Kelp, partly via the DeFi United recovery initiative.
The exploit had severe repercussions for Aave. Attackers used stolen rsETH as collateral to borrow wrapped Ether, leaving Aave with around $190 million in bad debt. Total value locked on Aave plummeted from about $26.4 billion to below $14 billion as users withdrew liquidity. Although outflows have slowed, TVL has since stabilized between roughly $13.9 billion and $15.1 billion. Aave confirmed that all rsETH markets are now operating normally, and governance actions on May 18 allowed borrowing against wrapped Ether collateral to resume across V3 deployments on Ethereum, Arbitrum, Base, Mantle, and Linea.
The incident has also sparked legal and technical disputes. Approximately 30,765 ETH (around $71 million at the time) frozen by the Arbitrum Security Council on April 21 is subject to competing claims: law firm Gerstein Harrow LLP argues it may be tied to Lazarus Group, while Aave insists the assets belong to affected users. Tensions between Kelp DAO and LayerZero escalated after the exploit; Kelp announced plans to migrate rsETH infrastructure from LayerZero’s OFT framework to Chainlink’s Cross-Chain Interoperability Protocol, citing security concerns. LayerZero CEO Bryan Pellegrino publicly disputed Kelp’s claims about bridge configurations, asserting that Kelp had used a 1/1 configuration for nearly all rsETH volume despite warnings.
The April hack was one of 25 crypto hacks that month, totaling about $630 million in losses and ranking among the worst months since the $1.5 billion Bybit hack in February 2025. The Kelp DAO exploit underscored risks in interconnected DeFi systems, where a single bridge vulnerability can cascade into collateral and liquidity crises. With the recovery plan completed, Kelp DAO’s focus now shifts to maintaining stable rsETH operations, monitoring bridge activity, and rebuilding user trust.
