DeFi United Unveils Restoration Plan for Kelp DAO's $292M rsETH Exploit

DeFi United, a coalition of DeFi ecosystem participants, has published a technical plan to restore full backing for Kelp DAO’s rsETH following a $292 million exploit on April 18, according to The Block. The exploit, widely attributed to North Korea’s Lazarus Group, targeted Kelp DAO’s rsETH bridge with a forged message, allowing the attacker to mint 116,500 unbacked rsETH tokens. Around 107,000 rsETH ended up in lending positions across Aave, resulting in substantial bad debt on the protocol.

DeFi United Coalition Formation

Led by Aave, dozens of DeFi protocols contributed funds to the DeFi United initiative to mitigate the wider industry impact, raising over $300 million in ETH commitments, according to The Block. As the initiative gathered sufficient ETH commitments, Aave announced that DeFi United is ready to launch the restoration process.

Three-Phase Restoration Process

The restoration plan consists of three coordinated phases designed to restore rsETH without socializing losses across the ecosystem.

Phase 1: ETH-to-rsETH Conversion

“The restoration process involves converting the committed ETH into rsETH in tranches, which will then be transferred to the affected lockbox contract, allowing the bridge to securely resume full operation,” the coalition said in a statement. The plan is subject to obtaining relevant governance approvals, execution timelines, and execution of definitive agreements, according to the statement.

Phase 2: Liquidation of Affected Positions

In parallel with the rsETH restoration, the recovery plan aims to clear the eight affected positions across the markets on Aave Ethereum Core and Arbitrum, which is a necessary step to recover roughly 13,000 ETH in funds on Aave. This process involves a controlled liquidation sequence, in which the rsETH oracle price will be temporarily adjusted to allow efficient liquidation of the eight affected positions. The liquidated rsETH collateral would be moved to a DeFi United-controlled multisig, redeemed for ETH through KelpDAO, and subsequently used to repay any temporary deficits created in the Aave markets.

Compound, which was also affected by the exploit, is expected to take a similar step to clear the attacker’s position. This would recover approximately 16,776 ETH worth of funds.

Phase 3: Unpausing and Restoring Configurations

“This final phase of the restoration process involves unpausing and unfreezing rsETH and ETH across all affected instances, and restoring the Loan-to-Value (LTV) ratios for ETH and any other assets whose configurations were temporarily adjusted,” the statement added.

Key Risks and Contingencies

The plan, designed to restore rsETH without socializing losses, does carry risks. A key concern is that deployment of the restoration plan is contingent on finalizing agreements and obtaining governance approvals, during which the attacker could attempt to interfere. “Deliberate interference by the attacker could result in incomplete deficit accrual, requiring additional liquidation steps to fully resolve the positions,” the statement said.

Additionally, new security measures on LayerZero and Kelp DAO following the exploit remain “in production,” meaning they have not yet been battle-tested, and security risks may remain. The statement explained that this is why the ETH-to-rsETH conversion and lockbox deposits will be carried out in several tranches.

“The successful coordinated execution of these steps as planned ensures that rsETH backing is fully restored, and all affected markets are stabilized,” the statement said. “Progress will be communicated publicly as recovery efforts advance.”