Aave and Kelp have completed the first phase of their technical recovery plan by burning all attacker-held rsETH tokens on the Arbitrum network on May 12. This marks a critical milestone in repairing the damage caused by the exploit in April, which targeted a vulnerability in the LayerZero bridge and allowed for the illicit creation of over 116,000 unbacked rsETH tokens.
How the exploit unfolded
In April, a security flaw was discovered in the LayerZero-powered bridge connecting Kelp’s Unichain with Ethereum. Exploiting this vulnerability, the attacker managed to mint a total of 116,500 unbacked rsETH and transfer them to Ethereum. According to the official protocol report, the bridge’s one-to-one verification model allowed cross-chain transfers to occur with only a single approval. The attacker generated a fraudulent message claiming that rsETH had been burned on the source chain, thus obtaining newly minted and unbacked rsETH on Ethereum.
Using these rsETH tokens as collateral on the Aave V3 platform, the attacker was able to borrow WETH and wstETH amounting to a value between $190 million and $236 million. In total, the protocol was drained of $292 million in bad debt, with unbacked rsETH circulating in the system.
Recovery coalition steps in
In the wake of the attack, a broad coalition known as DeFi United sprang into action to coordinate the recovery. The goal was to re-collateralize the rsETH tokens without socializing user losses. Significant contributions came from Lido (2,500 stETH), EtherFi (5,000 ETH), LayerZero (10,000 ETH), Golem (1,000 ETH), Ethena, Mantle, and Aave’s founder Stani Kulechov (5,000 ETH), amounting to over $327 million in ETH commitments.
One of the recovery measures involved liquidating the attacker’s frozen funds on Aave. The proposal was approved in the protocol’s DAO vote with 190 million ARB tokens, securing 90% approval. Additionally, a ruling by U.S. District Judge Margaret Garnett on May 9 authorized the transfer of roughly 30,765 ETH (around $71 million) to an Aave-controlled wallet by the Arbitrum Security Council.
Next steps and market impact
With the May 12 burn, every unbacked rsETH in circulation has now been removed from the system. Over the next two weeks, 117,132 rsETH will be gradually transferred from the Aave Recovery Guardian and Kelp Recovery Safe pools to the mainnet LayerZero OFT adapter.
Stani Kulechov highlighted that refilling the rsETH vault on the bridge is the final step, and withdrawals from rsETH to ETH are expected to resume within the next 24 hours, anticipating a return to market equilibrium.
Despite $10 billion in outflows immediately after the exploit, Aave’s total value locked (TVL) has stabilized over $15 billion. Utilization rates for WETH (93%), USDT (92%), and USDC (91%) indicate that withdrawal pressure has now eased.
Unlike previous DeFi incidents, this recovery was conducted entirely on-chain. In the Ronin Bridge attack, losses were compensated with external capital, while in the Euler Finance case, the attacker returned the stolen funds. By contrast, Aave and Kelp both isolated the attacker’s collateral and liquidated it on-chain, rebuilding reserves through coalition contributions.
Furthermore, the intervention of a U.S. federal court and the necessity of legal approval for fund transfers make this event one of the first of its kind in the DeFi sector.
