News linked to both this project and an event.
Wasabi Protocol released a security incident update, stating that the attacker exploited a Spring Boot Actuator configuration vulnerability in its AWS infrastructure to steal private keys controlling EVM smart contracts, and subsequently drained approximately $4.8 million in user funds and $900,000 from the protocol’s treasury—totaling roughly $5.7 million in losses. The attack chain originated from a public-facing analysis server whose Actuator heap dump was not properly password-protected, enabling the attacker to obtain credentials for another server and ultimately gain control of the smart contract private keys. This incident affected only EVM deployments—including certain treasuries on Ethereum, Base, Blast, and Berachain—while Solana deployments and the Prop AMM remained unaffected. No final user compensation plan has been announced yet; however, “ensuring all affected users are compensated” remains the team’s top priority. Updates on the investigation will be shared with the community via Discord.
Odaily News: Margaret Garnett, a U.S. District Judge in Manhattan, has approved Aave's asset recovery proposal, allowing the transfer of approximately $71 million in ETH, previously frozen on Arbitrum and tied to North Korea-linked attacks, to a wallet controlled by Aave LLC, while preserving the legal claims of terrorism victim plaintiffs over the funds. The ruling also amended the earlier freeze notice against the Arbitrum DAO, permitting the transfer to be executed through an on-chain governance vote and exempting those who propose, vote on, or participate in the transfer from liability under the freeze order. The transfer is still subject to an official vote by Arbitrum's on-chain governance. (CoinDesk)
Odaily: Aave posted on the X platform stating that the second phase of the technical solution for the rsETH incident recovery has progressed. On May 6, eight positions of the hacker on Aave V3 were liquidated, and the recovered rsETH collateral has been transferred to the recovery guardian. The Arbitrum DAO has passed a proposal to return the previously recovered $71 million in ETH. Regarding the application for asset freezing filed by the plaintiff, the judge has approved Aave LLC's proposal, allowing the transfer of the $71 million in ETH to Aave LLC through an on-chain vote by the Arbitrum DAO. Subsequent plans include burning rsETH on Arbitrum and restoring the rsETH reserve. After the reserve is restored, withdrawals will be reopened, and the WETH Loan-to-Value (LTV) ratio on the Aave V3 Ethereum mainnet will be restored.
The Mantle community has approved proposal MIP-34, authorizing the Mantle Treasury to extend a loan of up to 30,000 ETH to the Aave DAO to address the non-performing loan impact on Aave V3 resulting from the rsETH cross-chain bridge security incident on April 18, 2026. Per the proposal, the loan term is up to 36 months, with an annual interest rate of LIDO + 1%; the borrower may repay early without penalty. Regarding risk control, Mantle will hold a first-priority security interest in the relevant collateral assets. Additionally, Aave will provide supplementary collateral comprising no less than $11 million worth of AAVE tokens and protocol revenue, and delegate 130,000 AAVE tokens to Mantle for governance participation.
According to The Block, the Arbitrum DAO voted to release 30,765.6 ETH (approximately $70 million), previously frozen, to support the DeFi United initiative—aimed at offsetting Kelp DAO’s $292 million exploit loss last month. The vote passed with 90.96% support (182.2 million votes). The attack was allegedly carried out by the North Korean Lazarus hacking group, which exploited a vulnerability in LayerZero’s OFT cross-chain bridge—a single-validator configuration—which allowed attackers to steal 116,500 rsETH and pledge most of the stolen assets as collateral on Aave, resulting in roughly $190 million in bad debt. DeFi United has secured contributions from multiple parties, including 30,000 ETH from Consensys and Joseph Lubin, a 30,000-ETH loan from Mantle, and 5,000 ETH from LayerZero.
According to CoinDesk, Ethereum co-founder Vitalik Buterin was sandwiched by the well-known MEV bot jaredfromsubway.eth on April 30 during a small token swap. On-chain data shows that Buterin exchanged 26,544 XDB tokens—valued at approximately $3.86—for 0.00197 ETH (worth about $4.56) in block 24993038. The bot then deployed roughly $1.14 million worth of WETH to manipulate prices across SushiSwap and Uniswap V2 to execute the sandwich attack. After deducting $5.14 in gas fees, the bot incurred an actual loss on this operation.
According to PeckShieldAlert’s monitoring, TrustedVolumes was attacked, resulting in losses of approximately $5.9 million, including $3.02 million in ETH, $1.37 million in WBTC, and $1.47 million in stablecoins; the attacker has exchanged the stolen funds for 2,513 ETH.
Aave stated that, per the previously disclosed technical recovery plan, the attacker’s rsETH positions on Ethereum and Arbitrum have been liquidated on Aave, and the associated collateral assets have now been transferred to the Recovery Guardian address designated by the AIP. Aave noted that this action did not impact other users, nor did it affect the Umbrella mechanism, and emphasized that this step is a critical milestone in the overall recovery roadmap, with further recovery efforts continuing as planned.
Aave has announced the completion of the liquidation of the remaining rsETH position belonging to the Kelp DAO attacker. The related collateral assets will be transferred to the Recovery Guardian multi-signature wallet managed by DeFi United, to be used for restoring rsETH reserves and compensating affected users. This liquidation is part of the recovery plan following the previous $292 million attack incident. Aave had previously passed a governance vote to temporarily adjust the rsETH oracle price in order to create bad debt in the attacker's position and trigger liquidation. The relevant parameters will be restored upon completion of the liquidation. Previously, the attacker exploited the Kelp DAO cross-chain bridge based on LayerZero to forge 116,500 unbacked rsETH and borrowed ETH from protocols such as Aave and Compound. Currently, the recovery funds managed by DeFi United have exceeded $320 million.
According to security firm Blockaid (@blockaid_), Ekubo Protocol’s v2 custom extension contract on Ethereum is under an ongoing attack, resulting in losses of approximately $1.4 million so far. The root cause lies in the IPayer.pay callback within this extension, which fails to properly restrict the origin of its parameters—enabling attackers to control the payer, token, and amount parameters and thereby arbitrarily transfer authorized tokens. Users of Ekubo’s core protocol remain unaffected; however, users who have authorized the v2 contract (0x8CCB1ffD5C2aa6Bd926473425Dea4c8c15DE60fd) as a token spender face direct risk. Blockaid recommends that affected users immediately revoke their approvals.
According to monitoring by on-chain analyst Specter, the Wasabi Protocol attacker has deposited all stolen funds, approximately $5.9 million, into Tornado Cash. Additionally, North Korean hacking groups have used Tornado Cash to launder stolen funds from KelpDAO and LayerZero. Their process involved first cross-chaining the assets to Bitcoin, then routing them through Wasabi Mixer, extracting and cross-chaining back to Ethereum, depositing into Tornado Cash, subsequently withdrawing to new wallets and dispersing across multiple addresses. The new wallets then deployed tokens, used the stolen funds to buy in, removed liquidity from the deployment wallet, cross-chained to Tron (USDT), held for several hours or days, and finally sent to OTC-related wallets.
According to Cointelegraph, DeFi protocol Aave filed an emergency motion in New York on Monday seeking to vacate a restraining notice issued by U.S. law firm Gerstein Harrow LLP, which prevents the Arbitrum DAO from transferring 30,766 ETH to victims of the Kelp exploit. Gerstein Harrow LLP served the restraining notice on the Arbitrum DAO last Friday, asserting that its client is entitled to over $877 million in damages under a default judgment against North Korea. The firm claims that the North Korean hacking group behind the April 18 Kelp exploit previously held these tokens and that its client therefore holds a legal claim to the relevant ETH.
The Compound Foundation stated on the X platform that, in coordination with the Kelp and Aave teams, and to avoid disrupting broader DeFi recovery efforts, the Comet markets for WETH and wstETH on Ethereum have resumed trading. It also noted that, depending on the specific timing of Kelp's thawing of rsETH, temporary suspensions may still occur in relevant markets during the liquidation window for vulnerability-related positions. Specific arrangements have yet to be determined.
Aave LLC has submitted an emergency motion requesting the dismissal of the asset freeze notice issued against ArbitrumDAO on May 1, 2026. The notice involves approximately $71 million worth of ETH, assets belonging to users affected by the attack on April 18. Aave stated that stolen assets do not grant legal ownership through theft, and the relevant funds were originally intended for restitution to affected users; the freeze instead hinders the compensation process. Aave has requested an emergency hearing from the court to temporarily lift the freeze measure, while stating that it will continue to collaborate with the Arbitrum community and DeFiUnited to advance user compensation efforts.
According to Cointelegraph, U.S. law firm Gerstein Harrow LLP has filed an application with the U.S. District Court for the Southern District of New York seeking a temporary restraining order and three writs of execution to prevent the Arbitrum DAO from transferring 30,766 ETH (valued at approximately $73 million) frozen following the Kelp vulnerability. The firm argues that its clients obtained default judgments against North Korea in U.S. courts in 2010, 2015, and 2016, entitling them to roughly $877 million in compensation—and contends that the stolen ETH constitutes North Korean-linked assets that should be used to satisfy those judgments. Kelp DAO suffered a $292 million hack on April 18; the attacker was identified as TraderTraitor, a subgroup of the North Korean state-sponsored hacking group Lazarus Group. Aave Labs previously proposed unfreezing the seized funds and transferring them into the “DeFi United” fund to compensate rsETH holders—but this legal action by Gerstein Harrow may significantly delay compensation for victims. Members of the Arbitrum DAO community have criticized the move, arguing it shifts the burden of North Korea’s debts onto another set of victims, thereby exacerbating the original harm. Gerstein Harrow had previously pursued litigation related to the 2023 Heco Bridge hack involving Teth
Odaily: PaperImperium, the head of MegaETH, disclosed on the X platform that documents from the U.S. District Court for the Southern District of New York show that a U.S. court has issued an injunction against the Arbitrum DAO, prohibiting it from transferring approximately $71 million in ETH assets that were previously frozen during the KelpDAO hacking incident. In response, on-chain detective ZachXBT posted on the X platform, stating that certain U.S. law firms are using his investigative work and on-chain forensics to help victims of some hacking incidents file legal claims. However, this practice may actually slow down or hinder victims from receiving compensation or recovering funds. ZachXBT added that in previous hacking incidents involving the Lazarus Group, such law firms often stepped in after on-chain fund tracking or freezing was completed, proposing subsequent legal actions that were weakly related to the crypto incidents themselves. Similar "free-riding claims" strategies were used in events like Harmony and Bybit. He called on the crypto community to establish a DAO to resist such practices.
MegaETH lead PaperImperium disclosed on the X platform a court document from the U.S. District Court for the Southern District of New York, showing that a U.S. court has issued an injunction against the Arbitrum DAO, prohibiting it from transferring approximately $71 million worth of ETH assets that were previously frozen in the KelpDAO hacking incident. The plaintiffs are attempting to use these funds to enforce outstanding judgment compensation in cases related to North Korea's involvement in terrorism, kidnapping, and other matters spanning several years. They have also filed a motion to serve legal notice to the Arbitrum DAO via alternative means, treating it as an accountable "partnership." The court document further notes that the Arbitrum DAO has a Security Council governed by ARB holders, which has the authority to take action in emergencies. As a result, relevant members who refuse to comply may face legal consequences such as contempt of court. Market observers believe that this case could set an important precedent for the U.S. judicial system to directly constrain DAO governance structures, further highlighting the compliance pressure faced by DeFi protocols under real-world legal frameworks.
According to Cointelegraph, the Arbitrum Committee voted to unfreeze $71 million worth of Ethereum to mitigate the $290 million loss caused by the Kelp DAO vulnerability.
According to the anonymous on-chain detective Wazz, hundreds of wallets on the ETH mainnet have been drained by the same address, with several of these wallets remaining inactive for over 7 years. The incident is suspected to be a novel real-time exploit attack. Crypto user Capitulation commented, suggesting that the most likely vulnerability stems from storing seed phrases in LastPass secure notes during 2020/21.
Arbitrum DAO has initiated a governance vote to release the previously frozen 30,766 ETH to support DeFi United, a recovery plan following the Kelp DAO attack. These assets, worth approximately $71.1 million, were frozen by the Arbitrum Security Council on April 20. They were originally funds transferred to the Arbitrum network by the attacker. If the proposal passes, it will become the largest single source of funding for the DeFi United plan. In the early stage of voting, 16.9 million ARB have already been cast in support. Currently, there are no opposing votes. The voting is set to continue until May 7.