Kelp DAO begins redeeming rsETH after April exploit


  • Kelp DAO and Aave say the rsETH crunch is over, with the exploit-related burn on Arbitrum completed and 117,132 rsETH now being refilled.

  • The April 18 incident was a bridge-and-oracle-style attack, where forged data led the system to believe that rsETH had been burned when it had not.

  • Kelp is strengthening its security model by adding more verification parties, raising confirmation thresholds, and terminating risky paths from L2 to L2.

Today, we are witnessing one of the most sophisticated recovery efforts in the history of the industry. After a horrific month of delinking and bad debt fears, Kelp DAO and Aave have officially signaled the end of the “rsETH crisis.”

As of May 13, 2026, recovery was well underway. The “burn exploit” on Arbitrum has been completed, the backfill of 117,132 rsETH has begun, and the security architecture of the most popular liquid retrieval token (LRT) has been essentially rebuilt from the ground up. This is not just a technical correction; It’s a masterclass in ecosystem resilience.

Anatomy of “phantom” burns.

​To understand the recovery, we have to look at the chaos that occurred on April 18, 2026. This was not a standard smart contract error or a simple key leak. According to AA comprehensive post-mortem by ChainalogyKelp DAO was the victim of a high-fidelity RPC poisoning attack orchestrated by the North Korean Lazarus Group.

The target was the LayerZero Omnichain Fungible Token (OFT) converter. The attackers compromised the final RPC nodes that LayerZero investigators relied on to monitor the “source” chain (in this case, Uniswap’s Unichain L2). By feeding forged data to a single validator configuration, the attackers tricked the bridge into thinking that 116,500 rsETH had been burned on Unichain, when in fact, the supply was still there. The bridge, based on the “verified” message, released an equivalent amount of rsETH on the Ethereum mainnet directly into the hacker’s lap.

This was exploitation of the “surveillance class.” It has exposed a critical vulnerability in DeFi infrastructure: even a perfect smart contract is only as secure as the data feed it trusts. The repercussions were immediate. the rsETH stolen It was used as collateral on Aave v3 and Compound to borrow WETH, creating nearly $300 million in bad debt and causing the rsETH peg to fall to $2,800 while ETH was trading at $3,500.

Rebuilds collateral worth 117,132 rsETH

The update shared by Kelp DAO today marks the move from “damage control” to “restoration.” Recovery involves highly coordinated movement of assets between Aave Recovery Guardian and Kelp DAO Recovery Safe.

Over the next 14 days, a total of 117,132 rsETH will be gradually refilled into the LayerZero OFT switch on the Ethereum mainnet. This backfill ensures that every rsETH token traded across the 20+ backed Layer 2 backings is backed 1:1 by real collateral in the mainnet escrow.

“rsETH on Mainnet and L2s remains fully supported at all times during this transition period,” The team confirmed.

Most importantly, the first tranche of this refill for the LayerZero OFT switch is the “green light” for users. Kelp DAO intends to unpause withdrawals within 24 hours of this initial deposit. Once contracts are no longer paused, all standard operations, including recoveries, claims and bridges, will resume as usual. For thousands of users whose capital has been sidelined for weeks, this is the light at the end of the tunnel.

Eliminate the shadow of the hacker

It was one of the most complicated pieces of the recovery puzzle to deal with rsETH is still held by the scalper on Arbitrum. Because the attacker had posted the stolen tokens as collateral, he effectively had a “claim” on the system, compromising the integrity of the recovery process.

Working closely with the Arbitrum Security Board and Aave Governance, the Recovery Alliance was able to isolate and burn the exploiter’s rsETH holdings at Arbitrum. This “surgical removal” of illicitly minted tokens was a prerequisite for refilling. By burning the hacker’s shadow supply, the team ensured that the new ETH coin injected into the system actually backed the user’s tokens, rather than providing an exit to the Lazarus pool.

BailSec audit and death of L2 to L2 paths

Kelp DAO doesn’t just refill coffers; They are building a castle. The protocol recently completed a stringent “security hardening pass” audited by BailSec. The goal was to eliminate the “single point of failure” that allowed the April exploit to occur.

Major infrastructure upgrades:

  • Expanded Quorum: Verification now requires 4 independent validators (DVNs), moving away from the 1-of-1 configuration that was previously based solely on LayerZero Labs.
  • End Improvement: Block assertions for cross-chain messages have been raised from 42 to 64. This greatly increases the cost and difficulty of a “chain reorganization” or “data blocking” attack.
  • ​Path deprecation: All bridge paths from L2 to L2 have been deprecated. All bridging activity should now move through the Ethereum L1 core, ensuring that the “source of truth” is always the most secure chain in the ecosystem.

​This shift toward multi-source verification is a direct response to the RPC poisoning method used by Lazarus. By requiring consensus from four different organizations, Kelp DAO ensured that an attacker would need to compromise the infrastructure of multiple independent companies simultaneously – a feat that is an order of magnitude more difficult than attacking a single node.

Pivot to Chainlink CCIP

Perhaps the most important long-term development is Kelp DAO’s decision to do soMove away from LayerZero and towards Chainlink CCIP. The move reflects the growing dispute between Kelp and LayerZero regarding liability for the April 18 incident.

While LayerZero maintains that the exploit was the result of Kelp’s “misconfigured” 1-of-1 DVN setting, the Kelp DAO says default settings and a lack of timely infrastructure warnings were the root cause. By choosing Chainlink’s Cross-Chain Interoperability Protocol (CCIP), Kelp DAO is opting for a model that requires consensus from 16 independent node operators.

The transition to the Chainlink Cross-Chain Token (CCT) standard is expected to be completed in the coming months. This shift represents a broader trend for the industry in 2026: as volumes rise across chains, “convenience” is sacrificed for “verifiable security.”

Kelp DAO hack shows DeFi stands united

Kelp DAO’s rsETH recovery is a testament to the maturity of the decentralized financial system. A year ago, a $292 million exploit could have created a catastrophic contagion that wiped out secondary lending markets. In 2026, we saw Aave, Mantle, and DeFi United step in within hours to form the “Recovery Guardian” alliance.

​From Stani Kuleshov’s personal pledge of 5,000 ETH to the Arbitrum governance vote that paved the way for the scalper’s burnout, the recovery proves that “community” is more than just a buzzword in DeFi — it’s a defense layer.

With withdrawals halted and rsETH operations returning to normal, the takeaway for the rest of the market is clear: infrastructure is the new battleground. In the age of Alpenglow and CCIP, the protocols that will survive will not be those that ignore risks, but those that build systems resilient enough to recover from them.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending now

Forex Explained – What are Forex pairs?
Are you an investor in the “safe elite” of AI?
Previous performance: December 2018
Toncoin (TON) price predictions 2025, 2026, 2027-2030