Aave and a group of major DeFi protocols are racing to repair the damage from the KelpDAO rsETH exploit, after an attacker minted roughly 116,500 unbacked rsETH through KelpDAO’s LayerZero-powered bridge on April 18. The attack, valued at around $292 million, quickly became more than a KelpDAO problem because the attacker used a large portion of the unbacked rsETH as collateral in lending markets, including Aave V3.
The response is now being coordinated under the name “DeFi United,” a cross-protocol recovery effort designed to restore rsETH backing, limit losses for users, and prevent a bridge exploit from turning into a deeper lending-market crisis. Aave service providers said the remaining gap is being addressed through public contributions, Mantle’s credit facility, and a proposed Aave DAO treasury contribution.
How the KelpDAO Exploit Hit Aave
The Attack Targeted Cross-Chain Verification
The incident appears to have centered on KelpDAO’s cross-chain bridge configuration rather than a simple smart contract bug. Chainalysis described the exploit as an attack on off-chain infrastructure, saying attackers compromised internal RPC nodes and used a single-point-of-failure verification setup to make a phantom token movement appear valid.
LayerZero said the incident was isolated to KelpDAO’s rsETH configuration and argued that there was no contagion to other assets or applications using the protocol. KelpDAO has disputed LayerZero’s framing, saying the single-verifier setup reflected LayerZero’s documented default rather than a rogue configuration choice.
Fake Collateral Became Real Debt
Once the unbacked rsETH was created, the attacker spread the tokens across several addresses and used them inside DeFi lending markets. Aave’s own incident report said the attacker supplied rsETH as collateral on Aave V3 across Ethereum and Arbitrum, with multiple rsETH-backed loans remaining active after the exploit.
That is what made the incident especially dangerous. The rsETH collateral no longer had the backing users expected, but the assets borrowed against it were real. Unchained reported that nearly 90,000 rsETH was deposited into Aave as collateral, allowing the attacker to borrow roughly $190 million in ETH and other assets.
DeFi United Tries to Fill the Hole
Aave’s latest governance update puts the residual gap at about 75,081 ETH. The proposed recovery stack includes 14,570 ETH in committed contributions from EtherFi, Lido, Ethena, Ink, BGD Labs, Ernesto, Emilio, and Aave founder Stani Kulechov, plus a Mantle credit facility of up to 30,000 ETH.
The Aave DAO is now being asked to authorize a 25,000 ETH treasury contribution as part of the broader coalition plan. According to the governance proposal, the contribution would remain fixed even if more public donations arrive later, with additional funds instead used to repay Mantle and reduce Aave’s exposure to outside creditors.
Arbitrum’s Frozen ETH Could Be Critical
One major piece of the recovery depends on funds frozen by Arbitrum. CoinDesk reported that Arbitrum’s Security Council froze 30,766 ETH, worth about $71 million, tied to the KelpDAO exploit. That move could become an important source of recovery, although the timing and governance process around releasing those funds remain separate from Aave’s own proposal.
Aave’s governance post says the coalition may need to place the full 120,015 ETH into a LayerZero lockbox to execute the recovery, partly because some recoveries, including the Arbitrum freeze and liquidations of attacker positions, are not yet liquid. That means DeFi United is not only raising funds, but also trying to manage timing risk across several protocols and governance systems.
Why This Matters for DeFi
The KelpDAO exploit is a reminder that DeFi risk does not always begin inside the protocol that absorbs the loss. Aave did not suffer the original bridge failure, but its lending markets became the place where unbacked collateral was converted into real borrowed assets.
That composability is usually one of DeFi’s strengths. Users can move assets between restaking protocols, bridges, and lending platforms in minutes. In this case, the same speed helped a bridge incident spill into one of the industry’s most important lending markets.
The rescue effort also raises uncomfortable questions. DeFi United may protect users and stabilize markets, but it also shows how much the sector still depends on emergency coordination, treasury backstops, security councils, and governance votes when a large exploit hits. That is not necessarily a failure, but it is a reality check for an industry built around permissionless systems.
What Comes Next
The key items to watch are Aave’s 25,000 ETH treasury vote, Mantle’s 30,000 ETH credit facility, and Arbitrum DAO’s handling of the 30,766 ETH frozen by its Security Council. If those pieces move forward as planned, DeFi United could substantially close the rsETH shortfall and reduce the risk of lasting damage to Aave’s lending markets.
The process is still not finished. Governance approvals, legal arrangements, asset releases, and repayment waterfalls all need to line up. For rsETH holders and Aave users, the most important question is no longer whether the industry wants to respond. It is whether DeFi United can turn pledged support into deployable capital fast enough to make users whole.
