The largest coordinated DeFi recovery effort of 2026 just hit a critical milestone. Aave and KelpDAO have successfully burned the exploiter’s rsETH on Arbitrum, the first major technical step in restoring full backing for the rsETH liquid restaking token. Kelp and Aave have initiated a two-week refill plan, progressively returning 117,132 rsETH, worth approximately $278 million, to the LayerZero OFT adapter. The teams expect to reopen withdrawals within 24 hours of the first tranche. The burn marks the turning point in a recovery effort that has consumed the DeFi industry for nearly four weeks.
On April 18, 2026, attackers exploited a critical vulnerability in KelpDAO’s LayerZero bridge configuration. The exploit targeted a single-verifier DVN setup, a 1-of-1 attestor configuration that allowed attackers to compromise RPC nodes and feed false data to the bridge. An attacker fraudulently minted approximately $292 million in unbacked rsETH and deployed it as collateral across DeFi protocols like Aave.
The immediate fallout was severe. rsETH depegged sharply. KelpDAO paused all withdrawals, deposits, and bridging operations. Arbitrum’s Security Council froze 30,766 ETH linked to the exploit. The incident triggered over $7 billion in temporary DeFi TVL outflows. It also sparked a legal battle when U.S. terrorism judgment creditors filed a restraining notice attempting to seize the frozen ETH as North Korean property, a claim Aave successfully challenged in federal court.
The technical recovery proceeds in two parallel tracks. First, the 117,132 rsETH refill flows from two sources: the Aave Recovery Guardian multisig and the Kelp Recovery Safe. Both entities are progressively sending these funds into the LayerZero OFT adapter on Ethereum mainnet over the next two weeks. Kelp ensures that rsETH remains fully backed at all times throughout this process. Withdrawals reopen within 24 hours of the first tranche reaching the adapter.
Second, BailSec has already completed and audited a comprehensive security hardening pass. Verification now requires four independent attestors rather than a single verifier. The team has raised block confirmations from 42 to 64. Developers have also deprecated all L2-to-L2 bridge routes. KelpDAO is also migrating to Chainlink’s CCIP for future cross-chain bridging infrastructure.
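The hardening baseline described above can be expressed as a configuration audit. The following is an added example, not code from KelpDAO, Aave, or LayerZero; the `Route` fields, attestor and operator names, and the `base` chain are hypothetical, and the sample routes are constructed.

```python
from dataclasses import dataclass

# Thresholds taken from the hardening pass described in the article.
MIN_ATTESTORS = 4
MIN_CONFIRMATIONS = 64
L1_CHAINS = {"ethereum"}

@dataclass(frozen=True)
class Route:  # hypothetical schema for one bridge pathway
    src: str
    dst: str
    attestors: tuple      # (attestor name, operator) pairs that must all verify
    confirmations: int
    enabled: bool = True

def audit_route(route):
    """Return findings for one route; an empty list means it meets the baseline."""
    if not route.enabled:
        return []  # a deprecated route carries no traffic
    findings = []
    # Independence is counted per operator, not per attestor name.
    operators = {op for _, op in route.attestors}
    if len(operators) < MIN_ATTESTORS:
        findings.append(f"{len(operators)} independent attestor(s), need {MIN_ATTESTORS}")
    if len(operators) < len(route.attestors):
        findings.append("attestors share an operator")
    if route.confirmations < MIN_CONFIRMATIONS:
        findings.append(f"{route.confirmations} confirmations, need {MIN_CONFIRMATIONS}")
    if route.src not in L1_CHAINS and route.dst not in L1_CHAINS:
        findings.append("L2-to-L2 route still enabled")
    return findings

def audit(routes):
    """Map 'src->dst' to its findings, listing only routes that fail the baseline."""
    return {f"{r.src}->{r.dst}": f for r in routes if (f := audit_route(r))}

FOUR = (("dvn-a", "op-1"), ("dvn-b", "op-2"), ("dvn-c", "op-3"), ("dvn-d", "op-4"))
SHARED = (("dvn-a", "op-1"), ("dvn-b", "op-2"), ("dvn-c", "op-3"), ("dvn-d", "op-3"))

# Constructed sample configuration.
SAMPLE = [
    Route("arbitrum", "ethereum", (("dvn-a", "op-1"),), 42),  # 1-of-1, 42 blocks
    Route("ethereum", "arbitrum", FOUR, 64),                  # meets the baseline
    Route("arbitrum", "base", SHARED, 64),                    # L2-to-L2, shared operator
    Route("base", "arbitrum", FOUR, 64, enabled=False),       # deprecated
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings)
```

Counting distinct operators rather than attestor entries is what makes the "independent" requirement checkable: four attestors run by three operators still fail.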
Aave founder Stani Kulechov captured the weight of the moment directly. “The past few weeks, including weekends, have been incredibly intense,” he said. “None of this would have been possible without the entire team working around the clock on this recovery effort. We’re building a new level of resiliency, and a post-mortem will follow with new learnings.”
For rsETH holders and Aave users, the withdrawal reopening within 24 hours ends the most disruptive period in KelpDAO’s history. Full operations, including deposits, redemptions, bridging, and claims, will resume once contracts are unpaused.
For DeFi developers and protocol architects, the KelpDAO exploit and recovery establish a new baseline for bridge security standards. Single-verifier configurations are no longer acceptable. Multi-attestor verification, elevated block confirmation requirements, and migration to battle-tested infrastructure like CCIP represent the new minimum viable security posture for any cross-chain protocol handling significant value. DeFi United delivered, and the industry is watching what gets built next.
The post Aave and Kelp DAO Burn Exploiter’s rsETH, $278M Refill Begins appeared first on Coinfomania.

