Kelp DAO Begins Recovering rsETH After the April Exploit

Today, we are witnessing one of the most sophisticated recovery efforts in the history of the industry. Following a harrowing month of de-pegs and bad debt scares, Kelp DAO and Aave have officially signaled the end of the “rsETH Crisis.”

​As of May 13, 2026, the recovery is in full swing. The “exploit-burn” on Arbitrum is complete, the refill of 117,132 rsETH has begun, and the security architecture of the most popular liquid restaking token (LRT) has been fundamentally rebuilt from the ground up. This isn’t just a technical patch; it’s a masterclass in ecosystem resilience.

The Anatomy of the “Phantom” Burn

​To understand the recovery, we have to look back at the chaos of April 18, 2026. This wasn’t a standard smart contract bug or a simple key leak. According to acomprehensive post-mortem by Chainalysis, Kelp DAO was the victim of a high-precision RPC poisoning attack orchestrated by the North Korean Lazarus Group.

​The target was the LayerZero Omnichain Fungible Token (OFT) adapter. The attackers compromised the downstream RPC nodes that the LayerZero verifiers relied on to observe the “source” chain (in this case, Uniswap’s Unichain L2). By feeding forged data to a single-verifier configuration, the attackers tricked the bridge into believing that 116,500 rsETH had been burned on Unichain, when in reality, the supply was still there. The bridge, acting on the “verified” message, released the equivalent amount of rsETH on the Ethereum mainnet directly into the hacker’s lap.

​This was an “observation-layer” exploit. It exposed a critical vulnerability in DeFi’s infrastructure: even a perfect smart contract is only as secure as the data feed it trusts. The fallout was immediate. The stolen rsETH was used as collateral on Aave v3 and Compound to borrow WETH, creating nearly $300 million in bad debt and causing the rsETH peg to drop as low as $2,800 while ETH traded at $3,500.

Rebuilding the 117,132 rsETH Escrow

The update shared by Kelp DAO today marks the transition from “damage control” to “restoration.” The recovery involves a highly coordinated movement of assets between the Aave Recovery Guardian and the Kelp DAO Recovery Safe.

​Over the next 14 days, a total of 117,132 rsETH will be progressively refilled into the LayerZero OFT adapter on Ethereum mainnet. This refill ensures that every single rsETH token circulating across the 20+ supported Layer 2s is once again backed 1:1 by real collateral in the mainnet escrow.

​”rsETH on Mainnet and L2s remains fully backed at all times during this transition,” the team confirmed.

​Crucially, the first tranche of this refill to the LayerZero OFT adapter is the “green light” for users. Kelp DAO intends to unpause withdrawals within 24 hours of this initial deposit. Once the contracts are unpaused, all standard operations, including redemptions, claims, and bridging, will resume as usual. For the thousands of users who have had their capital sidelined for weeks, this is the light at the end of the tunnel.

Eliminating the Hacker’s Shadow

One of the most complex pieces of the recovery puzzle was dealing with the rsETH still held by the exploiter on Arbitrum. Because the attacker had posted the stolen tokens as collateral, they effectively had a “claim” on the system that threatened the recovery’s integrity.

​Working closely with the Arbitrum Security Council and Aave governance, the recovery coalition managed to isolate and burn the exploiter’s rsETH holdings on Arbitrum. This “surgical removal” of the illicitly minted tokens was the prerequisite for the refill. By burning the hacker’s shadow supply, the team ensured that the new ETH being injected into the system actually backs legitimate user tokens, rather than providing an exit for the Lazarus Group.

The “BailSec” Audit and the Death of L2-to-L2 Routes

Kelp DAO isn’t just refilling the coffers; they are building a fortress. The protocol recently completed a rigorous “security hardening pass” audited by BailSec. The goal was to eliminate the “single point of failure” that allowed the April exploit to happen.

​Key Infrastructure Upgrades:

• ​Quorum Expansion: Verification now requires 4 independent attestors (DVNs), moving away from the 1-of-1 configuration that previously relied solely on LayerZero Labs.

• ​Enhanced Finality: Block confirmations for cross-chain messages have been raised from 42 to 64. This significantly increases the cost and difficulty of a “chain-reorg” or a “data-withholding” attack.

• ​Route Deprecation: All L2-to-L2 bridging routes have been deprecated. All bridging activity must now move through the Ethereum L1 hub, ensuring that the “source of truth” is always the most secure chain in the ecosystem.

​This shift toward multi-source verification is a direct response to the RPC poisoning method used by Lazarus. By requiring consensus from four different organizations, Kelp DAO has ensured that an attacker would need to compromise the infrastructure of multiple independent firms simultaneously—a feat that is orders of magnitude more difficult than attacking a single node

The Pivot to Chainlink CCIP

Perhaps the most significant long-term development is Kelp DAO’s decision tomigrate away from LayerZero and toward Chainlink CCIP. This move reflects a growing rift between Kelp and LayerZero regarding responsibility for the April 18 incident.

​While LayerZero maintains that the exploit was the result of Kelp’s “misconfigured” 1-of-1 DVN setup, Kelp DAO argues that the default settings and lack of timely infrastructure warnings were the root cause. By choosing Chainlink’s Cross-Chain Interoperability Protocol (CCIP), Kelp DAO is opting for a model that requires consensus from 16 independent node operators.

​The move to the Chainlink Cross-Chain Token (CCT) standard is expected to be completed in the coming months. This transition marks a broader industry trend in 2026: as cross-chain volumes surge, “convenience” is being sacrificed for “verifiable security.”

Kelp DAO Hack Shows DeFi Stands United

The recovery of Kelp DAO’s rsETH is a testament to the maturation of the decentralized financial system. A year ago, a $292 million exploit might have triggered a catastrophic contagion that wiped out secondary lending markets. In 2026, we saw Aave, Mantle, and DeFi United step in within hours to form a “Recovery Guardian” coalition.

​From Stani Kulechov’s personal 5,000 ETH pledge to the Arbitrum governance vote that paved the way for the exploiter’s burn, the recovery proves that “community” is more than just a buzzword in DeFi—it is a defensive layer.

​As withdrawals unpause and rsETH operations return to normal, the takeaway for the rest of the market is clear: Infrastructure is the new battleground. In the Alpenglow and CCIP era, the protocols that survive won’t be the ones that ignore risk, but the ones that build systems resilient enough to recover from it.