Aave and its partners have raised about $160 million toward covering the bad debt left by the KelpDAO rsETH bridge exploit, but the recovery effort now depends heavily on whether Arbitrum governance agrees to release more than 30,000 ETH frozen after the attack.
The April 18 exploit targeted KelpDAO’s LayerZero-based rsETH bridge and minted 116,500 unbacked rsETH, worth roughly $292 million at the time. The attacker then deposited nearly 90,000 rsETH into Aave V3 and borrowed real assets against collateral that no longer had proper backing.
That left Aave facing a major bad-debt problem. The borrowed assets were real, but the rsETH collateral behind them became impaired and difficult to liquidate without causing deeper losses across lending markets.
How the Exploit Turned Into an Aave Problem
Fake Collateral Created Real Debt
The KelpDAO bridge bug did not begin inside Aave, but Aave became the largest pressure point because its markets accepted rsETH as collateral. Once the attacker minted unbacked rsETH, they were able to use it inside Aave V3 across Ethereum and Arbitrum.
Reports estimate that the attacker supplied around 89,567 rsETH into Aave and borrowed roughly $190 million to $196 million in WETH and related assets. That created a serious mismatch. Aave was left holding collateral that looked valid inside the protocol but was no longer fully backed by ETH.
This is the kind of composability risk DeFi has always carried. One protocol’s bridge failure can quickly become another protocol’s lending-market crisis because assets are shared across applications.
Why rsETH Backing Matters
rsETH is supposed to represent restaked ETH exposure. If users lose confidence that every rsETH is properly backed, the token can trade at a discount, lending markets can freeze, and borrowers or depositors can face losses.
That is why the response is not only about Aave. It is about restoring confidence in rsETH, preventing further contagion and showing that large DeFi protocols can coordinate when a shared asset breaks.
DeFi United Has Raised Most of the Needed Capital
Mantle and Aave DAO Are the Largest Contributors
The cross-protocol recovery effort, known as DeFi United, has now raised about $160 million of the roughly $200 million needed to cover the bad debt linked to the exploit.
Mantle and the Aave DAO are the largest contributors so far, with the two together accounting for 55,000 ETH. At recent ETH prices, that contribution represents roughly $127 million of the rescue package.
Other partners have also pledged ETH or staked ETH support, turning the recapitalization into one of DeFi’s most coordinated emergency responses. The effort includes contributions and support from ecosystem participants that may not have been directly responsible for the exploit but still have a strong interest in preventing systemic damage.
A Rescue Fund or a Precedent?
The DeFi United effort shows that decentralized finance can coordinate under pressure. That is the positive reading.
The uncomfortable reading is that DeFi may be developing its own version of emergency bailouts. When a major lending protocol is exposed to bad collateral, the ecosystem has to decide whether the losses should sit with users, the affected protocol, token holders, partner DAOs or a broader group of stakeholders.
That question will not disappear after this incident. If DeFi United succeeds, it may become a template for future crisis response. If it struggles, critics may argue that DeFi remains too fragmented to handle large cross-protocol failures cleanly.
Arbitrum’s Frozen ETH Could Close a Big Part of the Gap
The Constitutional AIP Requests 30,765.67 ETH
Aave Labs, KelpDAO, LayerZero, EtherFi and Compound have filed a Constitutional Arbitrum Improvement Proposal asking Arbitrum DAO to approve the release of 30,765.67 ETH frozen by Arbitrum’s Security Council after the exploit.
The ETH was immobilized after being traced to the attacker. If governance approves the proposal, the funds would be routed into the DeFi United recovery process to help restore rsETH’s backing and reduce losses for affected users.
The proposal would send the ETH to a 2-of-3 Gnosis Safe controlled by Aave, KelpDAO and Certora. That structure is meant to give the recovery effort operational control while adding oversight around how the funds are used.
Governance Will Not Be Instant
The proposal is important, but it is not a quick fix. Because it is a Constitutional AIP, the process is expected to take roughly 49 days.
That creates a timing problem. Aave and its partners are trying to restore confidence now, but a large part of the recovery may depend on a governance process that takes weeks and could still face objections from Arbitrum delegates.
The core question for Arbitrum voters is whether frozen funds linked to the exploiter should be released into a coordinated remediation plan. Supporters will argue that the ETH should help make victims whole. Critics may ask whether the process sets a precedent for how Security Council freezes are handled and who decides where recovered funds go.
What This Means for Aave Users
For Aave users, the good news is that the recovery gap is shrinking. Raising around $160 million toward a roughly $200 million problem is a major step, especially given how quickly the exploit damaged confidence.
The risk is that the final outcome is still not settled. The exact residual bad debt depends on ETH prices, governance approvals, execution of pledges, treatment of recovered funds and how rsETH backing is ultimately restored.
Users should also watch whether Aave changes its collateral onboarding standards after this incident. Restaked assets and cross-chain wrapped assets can be useful, but they also introduce bridge, oracle and backing risks that are harder to manage during stress.
What Comes Next
The first thing to watch is whether DeFi United closes the remaining recapitalization gap. If additional ETH commitments arrive, Aave may be able to reduce uncertainty before the Arbitrum process concludes.
The second key issue is the Arbitrum DAO vote. The release of 30,765.67 ETH could materially improve the recovery math, but delegates will need to weigh victim restitution against governance precedent.
The third signal is Aave’s final accounting of residual bad debt. Until the recovery funds are fully secured, transferred and deployed, the market will continue to treat the rsETH incident as unresolved.
For now, Aave has shown that DeFi can mobilize quickly when a major protocol is under stress. The harder test is whether that coordination can survive governance votes, legal uncertainty and the messy details of making users whole.
Disclaimer: This article is for informational purposes only and does not constitute financial, investment, or legal advice. Always conduct your own research before making any investment decisions.
