Kelp And Aave Complete First Phase Of $292 Million Rseth Recovery

@KelpDAO and @aave have cleared the first major hurdle in recovering from April's $292 million rsETH exploit, burning the attacker's tokens on Arbitrum and kicking off a two-week program to restore 117,132 rsETH into the LayerZero OFT adapter on Ethereum mainnet.

The 117,132 rsETH will be progressively refilled from the Aave Recovery Guardian and Kelp Recovery Safe into the LayerZero OFT adapter over the next two weeks, with withdrawals expected to resume tentatively within 24 hours after the first tranche is deposited into the adapter. Teams expect deposits, redemptions, bridging, and claim functions to resume after contracts are unpaused.

What Happened in April

On April 18, 2026, attackers linked to North Korea's Lazarus Group stole approximately $292 million in rsETH from Kelp DAO's LayerZero bridge. Crucially, this was not a smart contract hack, but a sophisticated attack on off-chain infrastructure. Attackers compromised two RPC nodes and used a DDoS attack to force failover, tricking LayerZero's verifier into approving a fraudulent cross-chain transaction.

Kelp's bridge configuration at the time relied on a 1-of-1 DVN setup, with LayerZero Labs as the sole verifier, a configuration that directly contradicts the multi-DVN redundancy model LayerZero has consistently recommended. Operating a single-point-of-failure meant there was no independent verifier to catch and reject a forged message.

The attacker deposited the stolen rsETH onto Aave V3 as collateral and borrowed wrapped ether against it, leaving roughly $196 million in bad debt concentrated in the rsETH-WETH pair on Ethereum. The incident triggered billions in withdrawals from lending markets and set off a legal dispute in a Manhattan federal court that remains unresolved.

Security Overhaul and Migration to Chainlink CCIP

Last week, teams completed a security hardening pass across LayerZero bridging settings. Verification now requires four independent attestors, and block confirmation thresholds rose from 42 to 64. The teams also deprecated all L2-to-L2 routes to reduce the attack surface.

The $292 million exploit has led Kelp to migrate rsETH off LayerZero's OFT standard to Chainlink's Cross-Chain Interoperability Protocol (CCIP). Chainlink's CCIP uses a fundamentally different architecture that requires at least 16 independent node operators to validate cross-chain transactions, rather than relying on a single verifier. The fallout has pushed nearly $2 billion in protocol assets toward Chainlink CCIP, with Solv Protocol also confirming its migration away from LayerZero.

For its part, LayerZero has since walked back its initial framing of the incident. The protocol acknowledged that it should not have allowed its DVN to serve as the sole verifier for high-value transactions, stating: "we made a mistake by allowing our DVN to act as a 1/1 DVN for high-value transactions."

Sources:
CoinDesk: Kelp DAO exploited for $292 million
Crypto Times: Kelp DAO and Aave set to resume rsETH operations
Chainalysis: Inside the KelpDAO Bridge Exploit