#rsETHAttackUpdate
Six days after the largest DeFi hack of 2026, the rsETH crisis has entered its most critical recovery phase. The attack is contained. The bleeding has stopped. But the full resolution covering bad debt distribution, rsETH peg restoration, and multi-chain fund recovery is still actively unfolding as of this morning. Here is everything confirmed today.
Attack Summary What Happened on April 18
On April 18, 2026 at 17:35 UTC, an attacker exploited KelpDAO's LayerZero V2 bridge between Unichain and Ethereum mainnet. The bridge was configured with a catastrophically weak 1-of-1 DVN meaning a single validator node operated by LayerZero Labs had full authority to approve cross-chain messages with zero independent verification. The attacker poisoned the RPC infrastructure used by LayerZero's DVN DDoSing legitimate nodes to force failover onto compromised ones then spoofed a valid cross-chain message that tricked the bridge into minting 116,500 unbacked rsETH tokens directly to attacker-controlled addresses. Those tokens were immediately deposited into Aave V3 as collateral, allowing the attacker to borrow large amounts of real WETH against completely fictitious backing. Total damage: 292 million USDT the largest DeFi exploit of 2026.
Recovery Progress What Has Been Confirmed Today
Recovery is moving but remains incomplete. The Arbitrum Security Council has now recovered approximately 70 million USDT in ETH tied to the attack an increase from the 30,766 ETH figure reported earlier this week. Those funds remain in an intermediary wallet pending governance decision on distribution methodology. However, a large share of the stolen assets has already been moved through THORChain, significantly complicating full recovery. KelpDAO's multisig froze core contracts shortly after the exploit was identified, which successfully blocked a second attempted theft worth approximately 95 million USDT confirming that emergency response mechanisms activated correctly after the initial breach. The overall recovery rate remains well below 50% of total stolen funds as of April 24.
DeFi United Industry Coalition Forms
The most significant development today is the formal expansion of the DeFi United recovery initiative a coordinated industry-wide rescue effort led by Aave to stabilize rsETH backing and eliminate bad debt across affected lending platforms. Confirmed contributions as of April 24 include Aave founder Stani Kulechov personally committing 5,000 ETH from his own capital, stating: "Aave is my life's work and we're working nonstop to find the best possible outcome for users." EtherFi governance received overwhelming approval from 1,800 token holders, greenlighting a contribution of up to 5,000 ETH from its DAO treasury. Lido Finance has committed up to 2,500 stETH exclusively to address the rsETH backing gap. Golem Foundation and Golem Factory combined contributed 1,000 ETH from their treasuries. LayerZero has also proposed a contribution toward restoring rsETH backing, stating it has been closely coordinating with Aave, EtherFi, Ethena, Arbitrum, and Kelp throughout the process. Tydro, Ink Foundation, and Mantle have all joined the coalition with Mantle proposing a large structured loan to support Aave's liquidity position. Within one week, a comprehensive roadmap detailing all involved entities and fund distribution methodologies is expected to be published.
Aave Official Response Reserve Freeze Status
Aave's Guardian initiated emergency freezes on rsETH and wrsETH markets across all deployments within 77 minutes of the initial exploit at 18:52 UTC on April 18. As of April 24, rsETH reserves remain paused across Ethereum Core, Arbitrum, Base, Mantle, and Linea with Aave explicitly stating the extended pause is designed to facilitate maximum fund recovery as resolution plans progress. Aave governance has disabled rsETH markets across both V3 and V4 deployments. All other Aave pools remain fully safe and operational the incident is scoped exclusively to rsETH and does not reflect any vulnerability in the Aave protocol itself.
Broader DeFi Contagion The Full Damage Picture
The contagion extended well beyond KelpDAO. Aave saw 6,200 million USDT in net outflows a 23% reduction. Morpho lost 716 million USDT down 9%. Sky protocol lost 272 million USDT down 4%. JupLend lost 76 million USDT down 8%. Total DeFi TVL dropped approximately 10 billion USDT immediately following the attack, with JPMorgan estimating broader ecosystem impact at 20 billion USDT. Lido suspended its EarnETH product which had approximately 9% of its TVL directly exposed to KelpDAO's rsETH and deployed a 3 million USDT liquidity buffer while processing withdrawals for pre-incident requests at pre-attack valuations. DVV, GGV, and EarnUSD from Lido confirmed zero direct rsETH exposure and continued operating normally. SparkLend and Fluid both implemented emergency pauses on rsETH exposure. Utilization-driven interest rates spiked across multiple lending platforms, forcing borrower deleveraging and portfolio adjustments throughout the ecosystem.
User Funds Current Status by Position Type
The safety of user funds depends entirely on which product and chain they held exposure through.
Ethereum mainnet rsETH holders backed by legitimate EigenLayer staking deposits retain their underlying backing EigenLayer delegations were confirmed fully intact and were never compromised. Aave users with non-rsETH positions across all pools are fully safe and unaffected. Users holding wrapped rsETH on Layer 2 networks face genuine uncertainty the bridge reserve backing those tokens is broken, and loss distribution across chains has not yet been formally determined. Users who filed EarnETH withdrawals before the liquidity crunch will be redeemed at pre-incident valuations. Later withdrawal requests will be processed after liquidity conditions normalize. The official guidance from every affected protocol remains unchanged: do not interact with rsETH on any chain until formal resolution is announced.
Security Patch What Changed
The 1-of-1 DVN configuration that enabled this attack has been identified as the definitive root vulnerability and will not appear in any future KelpDAO or LayerZero deployments. LayerZero acknowledged that it had recommended multi-DVN configurations to KelpDAO prior to the exploit but that its protocol still permitted 1-of-1 deployments a gap it is now addressing at the protocol level. On-chain security researcher banteg publicly identified that multiple other projects still operated 1-of-1 bridge configurations as of April 19 including several on Arbitrum, Base, and BSC triggering urgent security reviews across the DeFi ecosystem. A minimum 2-of-3 multi-DVN verification standard is now being adopted as the industry baseline across all high-value bridge deployments.
Investor Sentiment Fear or Opportunity
Market sentiment around rsETH specifically remains deeply negative and will stay that way until the DeFi United recovery roadmap is formally published and bad debt distribution is confirmed. However, the broader DeFi sector is showing early signs of a refugee trade with capital rotating from affected protocols into uncompromised alternatives. Santiment confirmed this pattern emerging six days into the Kelp fallout. The DeFi United coalition's speed and scale with over 13,500 ETH already pledged across confirmed contributors is larger than any previous DeFi exploit recovery effort and signals meaningful ecosystem maturity. The fact that 1,800 EtherFi token holders voted overwhelmingly to deploy recovery capital confirms that DeFi governance mechanisms can mobilize at crisis speed when the stakes are high enough.
Lessons for DeFi Security What This Changes Permanently
Three structural changes are now underway across DeFi as a direct result of this exploit. First, 1-of-1 DVN configurations are being eliminated from every major bridge protocol the KelpDAO attack demonstrated that a single validator compromise can drain hundreds of millions in minutes. Second, real-time invariant monitoring tracking lock-to-mint ratios across all chains simultaneously is being mandated as a core security requirement, not an optional add-on. Third, bridge TVL concentration limits are entering governance discussions across major protocols no single bridge should hold reserve backing for a significant percentage of a token's circulating supply without automated circuit breakers.
Recovery Timeline
The base case resolution timeline is 30 to 60 days for the DeFi United roadmap to execute, bad debt to be distributed, and rsETH markets to begin reopening on a chain-by-chain basis starting with Ethereum mainnet. The bull case for rsETH recovery depends on three variables converging: full DeFi United capital commitments being finalized within one week as announced, Arbitrum Security Council governance approving the 70 million USDT recovered funds distribution, and no additional THORChain movements by the attacker that further complicate on-chain forensics.
For existing rsETH holders, this is a hold-and-monitor situation not a sell into illiquidity and not a buy until the formal recovery path is confirmed. For the broader DeFi ecosystem, the DeFi United initiative represents the strongest coordinated crisis response in the sector's history. If it succeeds, it sets a new standard for how DeFi handles black swan events. If it fails, the regulatory pressure for mandatory DeFi insurance and bridge security audits becomes politically unavoidable.
The attack is over. The recovery has begun. The outcome depends on whether DeFi's biggest names can deliver on their biggest commitments.
Six days after the largest DeFi hack of 2026, the rsETH crisis has entered its most critical recovery phase. The attack is contained. The bleeding has stopped. But the full resolution covering bad debt distribution, rsETH peg restoration, and multi-chain fund recovery is still actively unfolding as of this morning. Here is everything confirmed today.
Attack Summary What Happened on April 18
On April 18, 2026 at 17:35 UTC, an attacker exploited KelpDAO's LayerZero V2 bridge between Unichain and Ethereum mainnet. The bridge was configured with a catastrophically weak 1-of-1 DVN meaning a single validator node operated by LayerZero Labs had full authority to approve cross-chain messages with zero independent verification. The attacker poisoned the RPC infrastructure used by LayerZero's DVN DDoSing legitimate nodes to force failover onto compromised ones then spoofed a valid cross-chain message that tricked the bridge into minting 116,500 unbacked rsETH tokens directly to attacker-controlled addresses. Those tokens were immediately deposited into Aave V3 as collateral, allowing the attacker to borrow large amounts of real WETH against completely fictitious backing. Total damage: 292 million USDT the largest DeFi exploit of 2026.
Recovery Progress What Has Been Confirmed Today
Recovery is moving but remains incomplete. The Arbitrum Security Council has now recovered approximately 70 million USDT in ETH tied to the attack an increase from the 30,766 ETH figure reported earlier this week. Those funds remain in an intermediary wallet pending governance decision on distribution methodology. However, a large share of the stolen assets has already been moved through THORChain, significantly complicating full recovery. KelpDAO's multisig froze core contracts shortly after the exploit was identified, which successfully blocked a second attempted theft worth approximately 95 million USDT confirming that emergency response mechanisms activated correctly after the initial breach. The overall recovery rate remains well below 50% of total stolen funds as of April 24.
DeFi United Industry Coalition Forms
The most significant development today is the formal expansion of the DeFi United recovery initiative a coordinated industry-wide rescue effort led by Aave to stabilize rsETH backing and eliminate bad debt across affected lending platforms. Confirmed contributions as of April 24 include Aave founder Stani Kulechov personally committing 5,000 ETH from his own capital, stating: "Aave is my life's work and we're working nonstop to find the best possible outcome for users." EtherFi governance received overwhelming approval from 1,800 token holders, greenlighting a contribution of up to 5,000 ETH from its DAO treasury. Lido Finance has committed up to 2,500 stETH exclusively to address the rsETH backing gap. Golem Foundation and Golem Factory combined contributed 1,000 ETH from their treasuries. LayerZero has also proposed a contribution toward restoring rsETH backing, stating it has been closely coordinating with Aave, EtherFi, Ethena, Arbitrum, and Kelp throughout the process. Tydro, Ink Foundation, and Mantle have all joined the coalition with Mantle proposing a large structured loan to support Aave's liquidity position. Within one week, a comprehensive roadmap detailing all involved entities and fund distribution methodologies is expected to be published.
Aave Official Response Reserve Freeze Status
Aave's Guardian initiated emergency freezes on rsETH and wrsETH markets across all deployments within 77 minutes of the initial exploit at 18:52 UTC on April 18. As of April 24, rsETH reserves remain paused across Ethereum Core, Arbitrum, Base, Mantle, and Linea with Aave explicitly stating the extended pause is designed to facilitate maximum fund recovery as resolution plans progress. Aave governance has disabled rsETH markets across both V3 and V4 deployments. All other Aave pools remain fully safe and operational the incident is scoped exclusively to rsETH and does not reflect any vulnerability in the Aave protocol itself.
Broader DeFi Contagion The Full Damage Picture
The contagion extended well beyond KelpDAO. Aave saw 6,200 million USDT in net outflows a 23% reduction. Morpho lost 716 million USDT down 9%. Sky protocol lost 272 million USDT down 4%. JupLend lost 76 million USDT down 8%. Total DeFi TVL dropped approximately 10 billion USDT immediately following the attack, with JPMorgan estimating broader ecosystem impact at 20 billion USDT. Lido suspended its EarnETH product which had approximately 9% of its TVL directly exposed to KelpDAO's rsETH and deployed a 3 million USDT liquidity buffer while processing withdrawals for pre-incident requests at pre-attack valuations. DVV, GGV, and EarnUSD from Lido confirmed zero direct rsETH exposure and continued operating normally. SparkLend and Fluid both implemented emergency pauses on rsETH exposure. Utilization-driven interest rates spiked across multiple lending platforms, forcing borrower deleveraging and portfolio adjustments throughout the ecosystem.
User Funds Current Status by Position Type
The safety of user funds depends entirely on which product and chain they held exposure through.
Ethereum mainnet rsETH holders backed by legitimate EigenLayer staking deposits retain their underlying backing EigenLayer delegations were confirmed fully intact and were never compromised. Aave users with non-rsETH positions across all pools are fully safe and unaffected. Users holding wrapped rsETH on Layer 2 networks face genuine uncertainty the bridge reserve backing those tokens is broken, and loss distribution across chains has not yet been formally determined. Users who filed EarnETH withdrawals before the liquidity crunch will be redeemed at pre-incident valuations. Later withdrawal requests will be processed after liquidity conditions normalize. The official guidance from every affected protocol remains unchanged: do not interact with rsETH on any chain until formal resolution is announced.
Security Patch What Changed
The 1-of-1 DVN configuration that enabled this attack has been identified as the definitive root vulnerability and will not appear in any future KelpDAO or LayerZero deployments. LayerZero acknowledged that it had recommended multi-DVN configurations to KelpDAO prior to the exploit but that its protocol still permitted 1-of-1 deployments a gap it is now addressing at the protocol level. On-chain security researcher banteg publicly identified that multiple other projects still operated 1-of-1 bridge configurations as of April 19 including several on Arbitrum, Base, and BSC triggering urgent security reviews across the DeFi ecosystem. A minimum 2-of-3 multi-DVN verification standard is now being adopted as the industry baseline across all high-value bridge deployments.
Investor Sentiment Fear or Opportunity
Market sentiment around rsETH specifically remains deeply negative and will stay that way until the DeFi United recovery roadmap is formally published and bad debt distribution is confirmed. However, the broader DeFi sector is showing early signs of a refugee trade with capital rotating from affected protocols into uncompromised alternatives. Santiment confirmed this pattern emerging six days into the Kelp fallout. The DeFi United coalition's speed and scale with over 13,500 ETH already pledged across confirmed contributors is larger than any previous DeFi exploit recovery effort and signals meaningful ecosystem maturity. The fact that 1,800 EtherFi token holders voted overwhelmingly to deploy recovery capital confirms that DeFi governance mechanisms can mobilize at crisis speed when the stakes are high enough.
Lessons for DeFi Security What This Changes Permanently
Three structural changes are now underway across DeFi as a direct result of this exploit. First, 1-of-1 DVN configurations are being eliminated from every major bridge protocol the KelpDAO attack demonstrated that a single validator compromise can drain hundreds of millions in minutes. Second, real-time invariant monitoring tracking lock-to-mint ratios across all chains simultaneously is being mandated as a core security requirement, not an optional add-on. Third, bridge TVL concentration limits are entering governance discussions across major protocols no single bridge should hold reserve backing for a significant percentage of a token's circulating supply without automated circuit breakers.
Recovery Timeline
The base case resolution timeline is 30 to 60 days for the DeFi United roadmap to execute, bad debt to be distributed, and rsETH markets to begin reopening on a chain-by-chain basis starting with Ethereum mainnet. The bull case for rsETH recovery depends on three variables converging: full DeFi United capital commitments being finalized within one week as announced, Arbitrum Security Council governance approving the 70 million USDT recovered funds distribution, and no additional THORChain movements by the attacker that further complicate on-chain forensics.
For existing rsETH holders, this is a hold-and-monitor situation not a sell into illiquidity and not a buy until the formal recovery path is confirmed. For the broader DeFi ecosystem, the DeFi United initiative represents the strongest coordinated crisis response in the sector's history. If it succeeds, it sets a new standard for how DeFi handles black swan events. If it fails, the regulatory pressure for mandatory DeFi insurance and bridge security audits becomes politically unavoidable.
The attack is over. The recovery has begun. The outcome depends on whether DeFi's biggest names can deliver on their biggest commitments.
