News linked to both this project and an event.
Kelp DAO released a community update on X, noting that the recent rsETH security incident has remained tense over the past several days. However, with support from partners and the broader community, discussions are progressing in a positive direction, and efforts to identify an appropriate resolution are being accelerated. The guiding principles have already been reflected in initial actions, and subsequent updates will continue along this path, aiming for a win-win outcome for all stakeholders. Over the past four days, the Kelp team has engaged in in-depth communication with partners and other relevant parties. Specific progress includes: the Arbitrum Security Council has taken measures to freeze the stolen funds, and the SEAL 911 emergency response team has swiftly stepped in to conduct preliminary investigations, providing a clear and objective analytical perspective on the incident. While some developments have not yet been fully disclosed, related work continues to advance steadily. Kelp DAO stated that its current priority is safeguarding user assets and strengthening the protocol itself. This incident is also viewed as a critical test—not only for the project but for the broader DeFi ecosystem—and key follow-up developments will continue to be shared via official channels.
According to on-chain analyst Ember (@EmberCN), the rsETH incident on April 18 resulted in a funding shortfall of approximately 68,900 ETH (around $160 million): the hacker collateralized rsETH to borrow 99,600 ETH; after Arbitrum recovered 30,700 ETH, the remaining funds were fully converted by the hacker into BTC. The incident has now entered the remediation phase. Aave is coordinating the establishment of a “DeFi United” relief fund, which has so far received cumulative donations totaling 13,500 ETH (approximately $31.45 million). Donors include Lido Finance (2,500 stETH), ether.fi Foundation (5,000 ETH), Aave founder Stani Kulechov (5,000 ETH), Golem Foundation (1,000 ETH), as well as LayerZero and Ink Foundation (amounts undisclosed).
Aave released the latest update on the rsETH security incident on the X platform, announcing that it has paused rsETH reserve-related operations on the Ethereum mainnet as well as networks including Arbitrum, Base, Mantle, and Linea. This measure is intended to prevent excess aETHrsETH from being withdrawn, thereby pushing positions close to the 95% liquidation threshold. This action aims to preserve as much capital as possible and reduce systemic risk while the asset recovery plan is underway. Aave stated that further progress and resolution plans will be continuously disclosed to the community.
Aave announced the latest developments regarding the rsETH security incident on X, stating that rsETH-related reserve operations have been suspended on Ethereum Mainnet and on networks including Arbitrum, Base, Mantle, and Linea. This measure aims to preserve as much capital as possible and mitigate systemic risk while the asset recovery plan is underway. Aave stated that it will continue to disclose subsequent updates and resolution plans to the community.
According to on-chain analyst PeckShield (@PeckShieldAlert), the KelpDAO attacker has transferred ETH from Ethereum to Arbitrum via the Across Protocol, swapped it for USDT, and then routed the funds to TRON DAO via LayerZero.
According to on-chain analyst Specter (@SpecterAnalyst), the North Korean hacking group TraderTraitor began laundering stolen funds from KelpDAO at approximately 3 a.m. Beijing time today—just three hours after the Arbitrum Council froze 30.7 ETH (approximately $71 million). The attackers split the remaining funds across three wallets, holding roughly 25,000 ETH (~$57.6 million), 25,700 ETH (~$59.2 million), and 25,000 ETH (~$57.9 million), respectively. The third wallet immediately initiated laundering operations and now holds only about 3,800 ETH (~$8 million). The majority of the funds were bridged to the Bitcoin network via THORChain, with approximately 99% flowing through this protocol. As a result, THORChain’s daily trading volume surged to $211 million—more than ten times its 30-day average—and generated roughly $189,000 in fees. During this laundering process, the illicit proceeds were also commingled with funds stolen in the BTC Turk (2025) and Bybit (2025) hacks. To date, approximately 442 BTC (~$33 million) linked to these incidents have been traced on the Bitcoin network, and over 400 addresses have been utilized throughout the entire laundering operation.
Odaily News KelpDAO stated in a post on X platform that it will continue to explore all feasible avenues to support rsETH holders and mitigate the impact of the related security incident on the DeFi ecosystem.It mentioned that over the past two days, the team has collaborated with the Arbitrum Security Council and multiple ecosystem participants, providing context on the incident and assisting with the assessment efforts, while also expressing gratitude for the coordination and support from teams like SEAL 911. Previously, the Arbitrum Security Council had frozen approximately 30,700 ETH, involving assets related to the KelpDAO attacker.
Odaily News According to on-chain analyst Yu Jin's monitoring, the Arbitrum chain project team has frozen the 30,766 ETH ($70.97 million) that the KelpDAO hacker had placed on the Arbitrum chain. Through technical means, they transferred these 30,766 ETH from the hacker's wallet to the address 0x0000000000000000000000000000000000000da0, which is controlled by the Arbitrum chain. After the recovery of these 30,766 ETH, the hacker still holds 75,700 ETH ($175 million) on the Ethereum chain.
According to an official Arbitrum announcement, the Arbitrum Security Council took emergency action at 11:26 PM ET on April 20, successfully freezing and transferring 30,766 ETH held at addresses associated with the KelpDAO vulnerability. This operation was conducted with assistance from law enforcement agencies, and the funds have been moved to an intermediate frozen wallet—rendering the original addresses unable to access the funds. The subsequent disposition of these funds will be coordinated by the Arbitrum governance mechanism in collaboration with relevant stakeholders. The Security Council stated that the entire operation had no impact whatsoever on any other on-chain state or Arbitrum users.
Aave risk service provider LlamaRisk has released an incident report: On April 18, 2026, the attacker exploited a vulnerability in Kelp’s LayerZero V2 Unichain-to-Ethereum rsETH routing (a 1-of-1 DVN configuration flaw), forged inbound packets, and illicitly released 116,500 rsETH from the Ethereum-side adapter. Of these, 89,567 rsETH were deposited as collateral into multiple Aave V3 markets—including Ethereum Core and Arbitrum—enabling the borrowing of approximately 82,650 WETH (valued at ~$191 million) and 821 wstETH. Currently, only 40,373 rsETH remain in the adapter, while the total claimable rsETH on the remote chain stands at 152,577—creating a substantial shortfall. Depending on the loss allocation methodology, Aave faces two potential bad-debt scenarios: - Scenario 1 (global pro-rata allocation): Estimated bad debt of ~$123.7 million, with Ethereum Core bearing the greatest pressure; - Scenario 2 (loss confined to L2s): Estimated bad debt of ~$230.1 million, with Mantle facing a WETH reserve shortfall of up to 71.45% and Arbitrum facing a 26.67% shortfall. Following the incident, Aave Protocol Guardians and Risk Administrators immediately froze rsETH/wrsETH reserves across all 11 affected markets.
According to monetsupply.eth, Spark’s Strategy Lead, in a post on X, Spark has long maintained a relatively high borrowing interest rate cap for its SparkLend ETH market. Although this policy caused many users to migrate to Aave—resulting in substantial loss of business and revenue—the current market liquidity crisis has validated the prudence of this strategy. Presently, Aave is experiencing severe liquidity shortages across multiple chains—including Ethereum Mainnet, Arbitrum, Polygon Plasma, Mantle, and Base—with ETH borrowing utilization reaching 100%. This has prevented depositors from withdrawing funds and hindered normal liquidation of ETH collateral. He warns that if the current liquidity crunch persists, a 15–20% drop in ETH’s price could expose Aave to widespread bad debt—compounded by the potential impact of the rsETH vulnerability incident.
According to a post by 0xngmi, founder of DefiLlama, following the hack of KelpDAO, Aave is facing severe pressure in handling bad debt. Currently, there are three potential solutions: First, socializing the loss across all users—this would result in an 18.5% impairment for users, generating approximately $216 million in bad debt. Aave’s Umbrella Insurance could cover $55 million, and the treasury could contribute an additional $85 million, leaving a shortfall of roughly $76 million. Second, executing a “rug pull” on rsETH holders on L2 chains—this would generate approximately $341 million in bad debt, with Arbitrum, Mantle, and Base markets suffering the heaviest losses. Third, returning assets to holders based on a pre-attack snapshot—but this approach is extremely operationally challenging, and even after Umbrella Insurance coverage, an estimated $91 million in losses would remain. Additionally, some suggest confiscating the hacker’s collateral to offset part of the bad debt. Meanwhile, Aave’s OG Security Module still holds approximately $300 million worth of AAVE tokens; applying a 20% reduction would provide an additional ~$60 million in loss coverage.
According to an official disclosure by Hyperbridge, the losses from the Token Gateway vulnerability incident on April 13 have been revised upward from an initial estimate of $237,000 to approximately $2.5 million. The increase stems primarily from losses incurred in incentive pools on Ethereum, Base, BNB Chain, and Arbitrum. The attacker extracted roughly 245 ETH from related contracts, then bypassed the MMR proof verification mechanism by forging cross-chain messages, minting 1 billion bridged DOT tokens and dumping them onto illiquid markets. Currently, some of the stolen funds have been traced on-chain to Binance. Hyperbridge is collaborating with Binance’s compliance team and law enforcement agencies to investigate the incident. Polkadot-native DOT and products such as Intent Gateway remain unaffected. The Token Gateway and bridged DOT contracts on the four affected EVM chains remain suspended. An external audit of the patched MMR verification logic is underway, and bridging functionality will be restored upon completion of the audit.