Key Takeaways:
Kelp DAO has completed its recovery plan following a $292 million exploit, finishing the replenishment of roughly 116,500 rsETH to its cross-chain bridge on May 25 after the protocol was drained by attackers on April 18.
"The final tranche of 20,373.72 rsETH has been sent to the rsETH OFT adapter earlier today," Kelp DAO said in a statement. "This closes the operational part of the rsETH recovery plan."
The exploit targeted Kelp’s LayerZero OFT adapter, a bridge contract used for cross-chain transfers, where attackers used a forged packet to release the funds. The incident created a cascade effect, with the attacker depositing the unbacked rsETH on the Aave lending protocol to borrow other assets, resulting in bad debt and forcing Aave to temporarily halt WETH borrowing.
The recovery closes a chapter on one of the largest DeFi hacks of 2026, which have collectively drained over $840 million from the sector in five months. The incident has forced a security re-evaluation across the industry, with Kelp moving to adopt Chainlink’s more secure CCIP bridge infrastructure and LayerZero tightening controls around single-signer configurations that were the root of the vulnerability.
The April 18 attack was attributed by security researchers to the North Korea-linked group TraderTraitor, also known as UNC4899. According to a post-mortem report from LayerZero, the attack vector involved social engineering and compromised RPC nodes, allowing the attackers to exploit a 1-of-1 DVN (Decentralized Verifier Network) configuration in Kelp's bridge setup. This meant a single compromised verifier could authorize a malicious transaction.
The fallout was immediate and widespread. The attacker bridged the approximately 116,500 rsETH to Ethereum mainnet and used it as collateral on Aave to borrow WETH, turning a bridge failure into a systemic DeFi lending crisis. Data from Aave shows its Total Value Locked (TVL) fell by more than $8 billion in the aftermath of the event.
The response involved a multi-pronged effort from Kelp, Aave, and other industry partners. A relief initiative dubbed “DeFi United” raised 132,650 ETH, worth about $303 million, to backstop the bad debt created on Aave.
Kelp’s operational recovery focused on methodically refilling the LayerZero OFT adapter contract to restore the 1-to-1 backing of rsETH. With the final tranche now sent, the protocol has confirmed that minting, redemptions, and rewards have returned to normal operations. Aave has subsequently re-enabled WETH borrowing against collateral on its V3 deployments across Ethereum, Arbitrum, Base, and other networks.
For the broader DeFi sector, the event serves as a costly lesson on the architectural risks of cross-chain bridges, which remain a primary target for attackers. According to TRM Labs, North Korea-linked actors accounted for 76% of global crypto hack losses in the first four months of 2026, up from 64% in 2025, highlighting the persistent and evolving threat from state-sponsored groups.
This article is for informational purposes only and does not constitute investment advice.
