More than five weeks after a $293 million hack – which investigators believe was carried out by the Lazarus Group, a North Korean hacking organization – Kelp DAO has finished putting its recovery plan into action. The plan aimed to address the losses suffered by the Ethereum liquid staking protocol.
Summary
- Kelp DAO has completed the final operational step in its rsETH recovery plan after April’s $293 million exploit linked to Lazarus Group.
- Aave’s lending markets are still recovering after attackers used stolen rsETH as collateral to borrow wrapped Ether and leave nearly $190 million in bad debt.
Kelp DAO announced on Monday that it had sent the last of its rsETH – a total of 20,373.7 – to LayerZero. LayerZero will use these tokens to manage the process of moving tokens between different blockchains, including locking, creating, destroying, and releasing them.
Earlier today, we sent the last portion of 20,373.72 rsETH to the rsETH OFT adapter. This completes the practical steps of the rsETH recovery plan. Transaction details are available at the link provided.
— Kelp (@KelpDAO) May 25, 2026
As a Kelp DAO investor, I’m relieved to hear they’ve finished the last step needed to fully back rsETH after that hack back in April. It’s good to know they’ve recovered from losing 116,500 rsETH from their bridge and are now making things right.
Kelp DAO has restored the ability to withdraw funds and move rsETH between Ethereum and several layer 2 networks. This followed an initial transfer of 25,000 rsETH on May 13th.
Just a quick update: Aave has now sent the initial batch of rsETH to the LayerZero OFT Adapter, following the restart plan we discussed with Kelp. This means bridging is working again, and users can now freely move rsETH between the main Ethereum network and Layer 2 networks.
1. rsETH contracts will be…
— Kelp (@KelpDAO) May 13, 2026
The protocol has been updated to confirm that creating, redeeming, and earning rewards with rsETH are all working as expected now.
The funds used to rebuild the token’s value were partially provided by DeFi United, a collaborative effort where several decentralized finance platforms worked together to offer support after the security breach.
Aave still dealing with aftermath of exploit
The recent attack on Kelp DAO is still causing problems for lending on Aave.
Following the security breach, the attackers used a significant amount of the stolen rsETH as collateral on Aave and borrowed wrapped Ether. Legal documents and governance records indicated this created almost $190 million in outstanding debt across various Aave markets.
As I monitored Aave following those events, data from DefiLlama revealed a significant drop in its total value locked – it fell from over $26 billion to under $14 billion as users pulled their funds out of the lending pools. The rate of withdrawals has decreased recently, and the protocol’s TVL has stabilized, fluctuating between approximately $13.9 billion and $15.1 billion.

Aave has brought some of its features back online after recent security measures. On May 18th, Aave’s creator, Stani Kulechov, announced that users could once again borrow using wrapped Ether as collateral on several versions of Aave V3, including those running on Ethereum, Arbitrum, Base, Mantle, and Linea. This followed a vote by Aave’s community to temporarily limit certain functions after a security issue allowed unsupported rsETH to be used in lending.
LayerZero dispute and legal battle continue
Legal issues surrounding roughly $71 million worth of Ether (approximately 30,765 ETH) that was frozen following the incident remain ongoing. Court documents revealed that after blockchain analysis connected the exploit to hackers believed to be associated with North Korea, multiple parties began making legal claims to the frozen funds. The Arbitrum Security Council initially froze the Ether on April 21st.
The law firm Gerstein Harrow LLP, representing families who won court cases against North Korea related to terrorism, argued that certain assets could be linked to the activities of a hacking group called Lazarus Group. However, Aave, a financial platform, disagrees, stating that no court has officially confirmed North Korea or Lazarus Group was responsible for the security breach and that the recovered funds should go back to the users who were affected.
After the recent security incident, disagreements arose between Kelp DAO and LayerZero. Kelp DAO announced they will be moving their rsETH system from LayerZero’s technology to Chainlink’s, citing improved security as the reason.
Bryan Pellegrino, the co-founder and CEO of LayerZero, has disputed several assertions made by Kelp DAO concerning how their bridge is set up and its security checks.
From my analysis, a lot of what’s being said isn’t accurate. Here’s what I’ve found: First, Kelp initially launched with standard configurations – either MultiDVN or DeadDVN – and later switched to a 1/1 setup manually. Second, nearly all the activity on that 1/1 configuration was focused on rsETH. And finally, it’s been repeatedly pointed out that running production applications without a 1/1 configuration isn’t recommended.
— Bryan Pellegrino (臭企鹅) (@PrimordialAA) May 5, 2026
2026-05-26 10:58