Kelp DAO, Aave to resume rsETH after $292M Lazarus exploit

Kelp DAO and Aave said they will resume rsETH operations after refilling 117,132 rsETH stolen on April 18 and completing initial recovery steps. Kelp plans to move the tokens from the Aave Recovery Guardian and the Kelp Recovery Safe into the LayerZero OFT adapter on mainnet over the next two weeks. Kelp wrote on X: “Kelp will unpause withdrawals, tentatively within 24 hours, after the first tranche to the LayerZero OFT adapter,” and said deposits, redemptions, bridging and claims will resume once the relevant smart contracts are unpaused.

Aave confirmed early parts of its recovery plan are finished, including burning the exploiter's rsETH on Arbitrum. Aave added: “Progressively refilling the LayerZero OFT adapter and reopening rsETH operations will follow over the coming days.” A large portion of the stolen rsETH had been posted as collateral on Aave to borrow WETH, creating roughly $190 million in bad debt for the lending market.

Aave led an industry coordination effort called DeFi United that assembled more than $300 million in ETH to cover losses and stabilize affected platforms. The Arbitrum Security Council froze about $72 million in ETH tied to the exploiter and recommended transferring those funds to the restitution initiative.

Multiple plaintiffs holding terrorism judgments against North Korea filed a court order seeking to claim the frozen Arbitrum ETH as restitution, which temporarily restricted the Arbitrum DAO from moving the recovered assets. Aave LLC filed an emergency motion in federal court, arguing the plaintiffs’ claims relied on unproven speculation about the exploiter’s identity. The court allowed Arbitrum to transfer the frozen ETH to Aave for the recovery effort but barred Aave from selling or otherwise transferring those funds until further court approval.

Kelp implemented security changes to its LayerZero bridging configuration before fully reopening services. The updates require verification by four independent attestors, increase block confirmation requirements from 42 to 64, and remove L2-to-L2 routing options. Kelp said it is migrating to Chainlink’s Cross-Chain Interoperability Protocol (CCIP) from LayerZero.

LayerZero issued an apology and acknowledged it had allowed single-signature deterministic verification node setups that weakened security for high-value transfers. LayerZero said it adjusted its guidance and configuration options after recognizing the risk.

Operations teams for Kelp and Aave are coordinating the phased refills and the technical steps to unpause contracts. Users of rsETH should expect deposits, redemptions and bridging functions to return after the LayerZero OFT adapter receives the first refill and the protocols complete their contract unpause procedures while the legal process over recovered funds continues.