Kelp DAO said it restored backing and full functionality for rsETH roughly five weeks after an April 18, 2026 exploit drained about $293 million. The recovery aimed to neutralize unbacked minting and restore user access to deposits, redemptions and bridging across Ethereum mainnet and supported Layer 2 networks.
The response was coordinated with Aave and other DeFi coalition partners after the exploit disrupted liquidity and created pressure across lending markets. The incident showed how cross-chain failures can spread quickly into collateral, lending and withdrawal systems when unbacked assets enter active DeFi venues.
Cross-Chain Forgery Created Unbacked rsETH
Attackers exploited Kelp DAO’s LayerZero-powered cross-chain bridge by forging messages tied to a single-signer verifier and compromised RPC infrastructure. That weakness allowed the minting of roughly 116,500 to 117,132 unbacked rsETH, which was then used as collateral in lending markets.
The final tranche of 20,373.72 rsETH has been sent to the rsETH OFT adapter earlier today. This closes the operational part of the rsETH recovery plan.
— Kelp (@KelpDAO) May 25, 2026
The scale of the damage was significant. About 117,132 rsETH was later burned on Arbitrum, representing roughly $278 million in attacker-linked tokens that had to be neutralized before collateral parity could be restored.
The exploit also triggered large withdrawals and a sharp contraction in Aave’s TVL. Aave reportedly accumulated about $190 million in bad debt, while Arbitrum authorities froze around $71 million in assets connected to the incident.
Recovery Focuses on Collateral Parity and Safer Bridges
Kelp DAO and Aave executed a phased recovery plan that combined token burns, replenishment tranches and controlled conversion of committed ether into rsETH. Funds from Aave’s Recovery Guardian multisig and Kelp’s Recovery Safe were used to rebuild backing over roughly two weeks.
After the first tranche was completed on May 13, Kelp DAO said rsETH supply across Ethereum mainnet and supported Layer 2 networks was fully collateralized. Aave transferred the initial restoration batch into the LayerZero OFT adapter, with withdrawals expected to resume within 24 hours of that step.
The technical response also tightened bridge security. Kelp raised verification requirements to four independent attestors and increased block confirmations from 42 to 64, reducing reliance on weaker cross-chain assumptions.
The protocol also deprecated less secure Layer 2 routes and began migrating toward Chainlink’s CCIP. That shift reflects a broader attempt to harden cross-chain messaging, even if stronger controls may affect bridging throughput and settlement timing.
The restoration removes a major source of nominal undercollateralization, but some workstreams remain open. Frozen assets, legal recovery and the unwind of Aave bad debt still matter for the final economic outcome of the exploit.
The lesson is operational as much as financial. Coordinated capital support can restore token parity after a major exploit, but cross-chain infrastructure failures can still transmit systemic liquidity stress into lending venues within hours.
