Kelp DAO has fully restored rsETH minting, redemption, and bridging functionality more than five weeks after an alleged Lazarus Group attack drained approximately 116,500 rsETH from its cross-chain bridge infrastructure.
The operational recovery marks a significant milestone for the protocol, though Aave, where exploiters deposited stolen collateral, is still managing nearly $190 million in bad debt generated by the attack.
The latest step in the Kelp DAO exploit recovery involved transferring 20,373.7 rsETH into the LayerZero smart contract responsible for handling token minting, locking, burning, and release functions during cross-chain transactions.
With the transfer complete, Kelp DAO stated that rsETH minting, redemption, reward distribution, and bridging services are now functioning normally again across supported blockchain networks.
The recovery marks a significant moment for the protocol after the Kelp DAO exploit triggered widespread concerns about bridge security, decentralized lending exposure, and the growing sophistication of state-linked cyberattacks targeting crypto infrastructure.
Lazarus Group allegedly linked to attack
Investigators and blockchain analytics firms previously linked the Kelp DAO exploit to North Korea’s Lazarus Group, the cybercrime organization frequently accused of orchestrating several of the crypto industry’s largest hacks.
The attack quickly became one of the most closely watched DeFi security incidents of 2026 due to both the scale of the losses and its cascading impact across interconnected lending protocols.
According to prior disclosures, the Kelp DAO exploit resulted in approximately $293 million in losses tied to rsETH assets and cross-chain liquidity exposure.
The protocol initially reopened withdrawals and resumed rsETH bridging operations in mid-May after deploying an earlier recovery tranche of 25,000 rsETH.
The latest transfer now completes the final operational requirement needed to restore full token backing after the Kelp DAO exploit disrupted the protocol’s infrastructure.
DeFi protocols coordinated recovery effort
Part of the assets used during the Kelp DAO exploit recovery process came through the DeFi United initiative, a coordinated support mechanism involving multiple decentralized finance protocols.
The initiative emerged after the attack as ecosystem participants attempted to stabilize rsETH markets and reduce broader systemic contagion across DeFi lending infrastructure.
The collaborative response highlighted how increasingly interconnected decentralized finance platforms have become.
Unlike isolated exchange hacks from earlier crypto cycles, the Kelp DAO exploit spread financial stress across multiple protocols due to the role rsETH played as collateral within lending markets.
Industry analysts say the incident demonstrates both the strengths and vulnerabilities of composable decentralized finance architecture.
On one hand, protocols coordinated rapidly to contain damage. On the other, the Kelp DAO exploit showed how vulnerabilities inside one bridge system can ripple through an entire ecosystem.
Aave still managing the fallout
Although Kelp DAO has restored operational functionality, the financial consequences of the Kelp DAO exploit continue to affect the lending protocol Aave.
Following the attack, exploiters reportedly deposited significant amounts of stolen rsETH into Aave as collateral before borrowing wrapped Ether against those positions.
Governance filings and court documents later suggested the incident generated nearly $190 million in bad debt across affected Aave markets.
According to DefiLlama data referenced in governance discussions, Aave’s total value locked fell from more than $26 billion to below $14 billion in the aftermath of the Kelp DAO exploit as users withdrew liquidity from lending pools.
Although outflows have stabilized somewhat in recent weeks, Aave’s TVL has largely remained rangebound between approximately $13.9 billion and $15.1 billion.
Lending functions gradually resume
Despite ongoing fallout from the Kelp DAO exploit, some lending functionality has gradually resumed across Aave’s ecosystem.
On May 18, Stani Kulechov, founder of Aave, confirmed that borrowing against wrapped Ether collateral had restarted across several Aave V3 deployments, including Ethereum, Arbitrum, Base, Mantle, and Linea.
The resumption followed emergency governance measures implemented after the Kelp DAO exploit allowed unbacked rsETH to enter lending markets.
Governance participants had temporarily restricted certain protocol activities to contain systemic risks and prevent additional contagion.
The cautious reopening reflects a broader shift within decentralized finance toward more conservative risk management following multiple large-scale exploits in recent years.
Legal disputes continue over frozen assets
The Kelp DAO exploit has also triggered an increasingly complex legal battle surrounding frozen assets connected to the incident.
[Figure: Aave TVL. Source: DefiLlama.]
Court filings previously revealed that approximately 30,765 ETH — valued at roughly $71 million when frozen by the Arbitrum Security Council on April 21 — became the subject of competing legal claims.
Law firm Gerstein Harrow LLP, representing families pursuing terrorism-related judgments against North Korea, argued that the frozen Ether could potentially qualify as property connected to Lazarus Group activity.
Aave has challenged those claims in court filings, arguing that no court has formally determined that North Korea or Lazarus Group carried out the Kelp DAO exploit.
The protocol further stated that the frozen assets belong to affected users rather than foreign state actors.
The dispute highlights the increasingly blurred intersection between decentralized finance, cybersecurity, and international law enforcement.
Kelp DAO moves away from LayerZero infrastructure
The Kelp DAO exploit also intensified tensions between Kelp DAO and cross-chain interoperability provider LayerZero.
Earlier this month, Kelp DAO announced plans to migrate rsETH bridge infrastructure away from LayerZero’s OFT framework and toward Chainlink’s Cross-Chain Interoperability Protocol (CCIP).
Kelp DAO stated the migration forms part of broader efforts to strengthen bridge security after the exploit exposed weaknesses in existing cross-chain infrastructure configurations.
However, Bryan Pellegrino, co-founder and CEO of LayerZero, publicly disputed several claims made by Kelp DAO regarding bridge approvals and security settings tied to the incident.
The disagreement underscores how accountability disputes often emerge after major DeFi exploits, particularly when multiple infrastructure providers are involved.
DeFi security faces another critical test
The Kelp DAO exploit has once again exposed the persistent security risks surrounding cross-chain bridges and composable DeFi systems.
While the successful restoration of rsETH functionality marks progress, the broader ecosystem is still dealing with financial losses, legal uncertainty, governance restructuring, and shaken investor confidence.