The largest coordinated DeFi recovery effort of 2026 just reached a crucial milestone. Aave and KelpDAO successfully burned the exploiter’s rsETH on Arbitrum. The first major technical step in restoring full support for the rsETH liquid re-withdrawal token. Kelp and Aave have initiated a two-week refill plan that will gradually return 117,132 rsETH, worth approximately $278 million, to the LayerZero OFT adapter. The teams expect to reopen filming within 24 hours of the first tranche. Aave news today marks the turning point in a recovery effort that has taken the DeFi industry nearly four weeks.
How the exploit happened
On April 18, 2026, attackers exploited a critical vulnerability in KelpDAO’s LayerZero bridge configuration. The exploit targeted a single-authentication DVN installation. It is a 1-to-1 attestor configuration that allowed attackers to compromise RPC nodes and send fake data to the bridge. The incident occurred because an attacker fraudulently used approximately $292 million in unbacked rsETH as collateral and staked it through DeFi protocols such as Aave.
The immediate consequences were serious. rsETH decoupled sharply. KelpDAO has halted all withdrawals, deposits and bridge operations. The Arbitrum Security Council froze 30,766 $ETH linked to the exploit. The incident caused more than $7 billion in temporary outflows from DeFi TVL. It led to a legal battle when creditors of the US terrorism judgment filed a restraining order in an attempt to seize the frozen goods $ETH as North Korean property. A claim that Aave successfully challenged in federal court.
The recovery plan in detail
The technical recovery takes place in two parallel tracks. First, the 117,132 rsETH refill flows from two sources: the Aave Recovery Guardian multisig and the Kelp Recovery Safe. Both entities will gradually send these funds to the LayerZero OFT adapter on the Ethereum mainnet over the next two weeks. Kelp ensures that rsETH remains fully supported at all times during this process. Withdrawals will reopen within 24 hours after the first tranche reaches the adapter.
The first set of steps in rsETH’s technical recovery plan has been completed, including burning the exploiter’s rsETH on Arbitrum. Gradual refilling of the LayerZero OFT adapter and reopening of rsETH operations will follow in the coming days. https://t.co/p1tiIzp5Nr
— Aave (@aave) May 12, 2026
Second, BailSec has already completed and audited a comprehensive security hardening pass. Verification now requires four independent attestors instead of a single verifier. The team has increased block confirmations from 42 to 64. Developers have also terminated all L2-to-L2 bridge routes. KelpDAO is also migrating to Chainlink’s CCIP for future cross-chain bridging infrastructure.
Aave founder Stani Kulechov immediately captured the weight of the moment. “The last few weeks, including the weekends, have been incredibly intense,” he said. “None of this would have been possible without the entire team working around the clock on this recovery effort. We are building a new level of resilience, and there will be a post-mortem with new lessons learned.”
What this means for investors and developers
For rsETH holders and Aave users, the reopening of withdrawal within 24 hours ends the most disruptive period in KelpDAO’s history. In particular, full operations, deposits, repayments, bridging and claims will resume once contracts are paused again.
For DeFi developers and protocol architects, the KelpDAO exploit and recovery instead set a new baseline for bridge security standards. Consequently, single verifier configurations are no longer acceptable. Indeed, multi-attestor authentication, increased block confirmation requirements, and migration to proven infrastructure like CCIP represent the new minimum viable security posture for any cross-chain protocol that handles significant value. Ultimately, DeFi United delivered and the industry is looking at what gets built next.