Relay_Station / Zone_39
TECH
13.05.2026
Aave Neutralizes Exploited rsETH, Initiates Phased Liquidity Restore
The incident, which saw approximately $292 million in unbacked rsETH exploited from KelpDAO’s LayerZero bridge on April 18, 2026, stemmed from a sophisticated attack on off-chain infrastructure. Attackers manipulated internal RPC nodes and launched DDoS assaults against external ones, feeding false data to a single-point-of-failure verification network. This deceit tricked the Ethereum contract into releasing 116,500 rsETH, based on a phantom token burn on the Unichain source, where no such event occurred.
The immediate aftermath saw the unbacked rsETH used as collateral on Aave V3 to borrow Wrapped Ether (WETH), generating substantial bad debt within the protocol. This triggered a widespread liquidity crisis across DeFi, leading to an estimated $10 billion decline in Aave's Total Value Locked (TVL) and severely depegging rsETH across over 20 integrated blockchains.
A multi-protocol coalition, "DeFi United," rapidly formed in response, comprising Aave, Mantle DAO, Arbitrum DAO, Consensys, LayerZero, and other key players. This alliance collectively pledged over $300 million in ETH towards the recovery effort to restore the rsETH peg and compensate affected users.
The recent burning of the attacker’s rsETH on Arbitrum represents a concrete technical advancement, as confirmed by Aave's official update. This initial phase specifically targeted neutralizing the attacker's holdings, removing the immediate threat posed by the stolen tokens and aiming to stabilize market confidence.
Aave has outlined a sequential plan for gradually restoring rsETH services. This includes progressively supplying liquidity to the LayerZero OFT adapter, a crucial cross-chain messaging bridge. This phased approach prioritizes security and stability, ensuring each step of liquidity restoration is thoroughly verified before full services resume, facilitating the safe return of funds.
Further progression involves a binding Arbitrum Improvement Proposal (AIP), launched on May 12, with a governance vote commencing on May 15. This proposal seeks to transfer 30,765 ETH, approximately $71 million, from Arbitrum’s Security Council wallet to an Aave LLC-controlled address. A Manhattan federal judge cleared the transfer path on May 9, permitting it through on-chain governance despite an ongoing legal claim from terrorism creditors linked to North Korea's Lazarus Group, to whom the exploit is attributed.
This legal entanglement presents a complex challenge. While the judicial clearance allows the on-chain transfer, the terrorism creditors' legal claim on the funds remains preserved. This implies that Aave LLC might ultimately be compelled to surrender these recovered funds should the court rule in favor of the plaintiffs, extending the recovery beyond technical remediation into traditional legal battles.
Prior to these latest actions, Aave had successfully liquidated the attacker’s eight identified Aave V3 positions on May 6. The recovered rsETH collateral was transferred to a "Recovery Guardian" multisignature wallet, overseen by the DeFi United coalition. Despite these significant efforts and pledges, DeFi United estimates that the coalition still requires approximately 10% more ETH to fully restore rsETH’s backing.
The rsETH incident underscores the critical importance of robust, multi-layered security frameworks and stringent operational practices for decentralized protocols managing substantial assets across diverse chains. It particularly highlights the vulnerabilities inherent in single-verifier bridge configurations and the systemic risks associated with liquid restaking tokens. The ongoing, complex recovery process continues to serve as a vital case study in the resilience and inherent fragility of interconnected DeFi ecosystems.
Signals elevate this to HOT_INTEL priority.
// Related_Intel
More_Signals
‹ Return_to_Terminal
Traffic_Nodes
2
Mobile_Relay / Zone_37