Aave and Kelp burned the exploiter’s rsETH holdings on Arbitrum on May 12, Aave said in an X post, confirming the first phase of the technical recovery plan has been completed. The first set of steps in the rsETH technical recovery plan are complete, including burning the exploiter's rsETH on Arbitrum. Progressively refilling the LayerZero OFT adapter and reopening rsETH operations will follow over the coming days. https://t.co/p1tiIzp5Nr — Aave (@aave) May 12, 2026 The action removes the last remaining unbacked rsETH from circulation following the April 18 LayerZero bridge exploit that drained $292 million from the protocol. The attack involved 116,500 unbacked rsETH minted through a vulnerability in Kelp’s LayerZero-powered bridge between Unichain and Ethereum, according to an incident report posted on Aave’s governance forum . The route relied on a 1-of-1 verifier configuration, meaning a single verifier approval was sufficient to validate cross-chain transfers. The attacker forged a message that falsely indicated rsETH had been burned on the source chain, releasing unbacked tokens on Ethereum. Those tokens were then deposited into Aave V3 markets as collateral, allowing the attacker to borrow between $190 million and $236 million in WETH and wstETH. What completes Phase 1 DeFi United, the coalition formed to address the exploit, raised over $327 million in ETH commitments to restore rsETH backing without socializing losses. Contributors include Lido (2,500 stETH), EtherFi (5,000 ETH), LayerZero (10,000 ETH), Ethena, Mantle, Golem (1,000 ETH), and Aave founder Stani Kulechov personally (5,000 ETH). On May 9, U.S. District Judge Margaret Garnett issued an order modifying a prior asset freeze, clearing the Arbitrum Security Council to transfer approximately 30,765 ETH worth roughly $71 million to an Aave LLC-controlled wallet. The ruling removed the last legal hurdle to executing the recovery plan after a May 1 restraining notice tied to unrelated North Korean terrorism judgments had blocked the transfer. As Cryptopolitan reported , Aave’s DAO had previously voted to liquidate the attacker’s frozen ETH funds, with approval from 90% of voting addresses backed by 190 million ARB tokens. Galaxy Digital’s vice president of research, Thaddeus Pinakiewicz, said the overall recovery effort is now approximately 90% complete. What happens over the next two weeks Kelp said 117,132 rsETH will be “progressively refilled from Aave Recovery Guardian and Kelp Recovery Safe into the LayerZero OFT adapter on mainnet” over the next two weeks. Kulechov wrote on X that “the last step is to refill the rsETH bridge lockbox,” adding that withdrawals converting rsETH into ETH would begin within 24 hours to normalize the markets. Aave’s total value locked stabilized above $15 billion after initial outflows of over $10 billion in the days following the exploit. WETH lending utilization sits at 93%, with USDT at 92% and USDC at 91%, signaling the withdrawal pressure has ended. How the response differs from past DeFi exploits The rsETH recovery has followed a different route from earlier major hacks. The Ronin Bridge attack required heavy outside funding and recovered assets to compensate users for losses exceeding $600 million. The Euler Finance exploit ended with the attacker returning most of the stolen funds after negotiations and public pressure. Aave and Kelp took neither path. Instead, the recovery focused on isolating bad collateral, liquidating the attacker’s positions on-chain, removing exploiter-controlled tokens from circulation through the May 12 burn, and rebuilding reserves inside the bridge infrastructure through coalition-funded refills. It is also the first major DeFi exploit recovery to navigate a U.S. federal court intervention and proceed with user funds flowing back through governance-coordinated channels. If you're reading this, you’re already ahead. Stay there with our newsletter .
