DeFi United Releases Its Technical Plan to Recover $71M From the $292 Million Kelp DAO Exploit

By Mohana Priya

DeFi United, the industry coalition formed after the $292 million Kelp DAO exploit in April 2026, released a detailed technical recovery plan on April 28. The proposal targets the recovery of approximately $71 million in rsETH backing through two coordinated tracks: restoring the bridge lockbox with committed ETH and liquidating bad debt positions across Aave and Compound. The plan involves over $300 million in pledged support from Consensys, Lido, EtherFi, Aave founder Stani Kulechov, and other major DeFi stakeholders.

Key Highlights

  • DeFi United’s recovery plan targets $71 million in rsETH backing from the Kelp DAO exploit
  • The exploit originated from a vulnerability in Kelp DAO’s LayerZero bridge integration on April 18, 2026
  • An attacker minted 116,500 unbacked rsETH tokens by exploiting the bridge messaging system
  • Roughly 107,000 rsETH from the exploit remain in active collateral positions across Aave and Compound
  • The recovery plan has two tracks: restoring rsETH backing via committed ETH, and liquidating attacker-linked positions
  • Consensys committed up to 30,000 ETH; Stani Kulechov pledged 5,000 ETH personally
  • As of April 26, DeFi United had raised approximately $160 million of the $200 million target
  • The Aave DAO has been asked to commit up to 25,000 ETH as part of the broader recovery fund

What Happened in the Kelp DAO Exploit

The exploit traces back to April 18, 2026 and a specific vulnerability in how Kelp DAO integrated with LayerZero, the cross-chain messaging protocol. The attacker identified a flaw in the bridge’s message verification system and used it to mint 116,500 rsETH tokens without depositing the underlying ETH that those tokens were supposed to represent.

rsETH is a restaking token issued by Kelp DAO. Each rsETH is designed to represent one unit of restaked ETH, meaning every token in circulation should be backed 1:1 by real ETH locked in the protocol. The exploit broke that 1:1 relationship by creating tokens with no backing. At the time of the exploit, rsETH was worth approximately $2,500, putting the total unbacked supply at roughly $291 million.

The attacker did not immediately sell the unbacked rsETH. Instead, roughly 107,000 of the exploited tokens were deposited as collateral across Aave and Compound to borrow real assets against them, creating a set of positions that are technically backed by worthless collateral. Those positions are what DeFi United is now attempting to unwind.

The Two-Track Recovery Plan

DeFi United’s technical proposal operates on two parallel tracks.

The first track is restoring rsETH’s full backing. The coalition has secured ETH commitments sufficient to restore rsETH to its current Kelp exchange ratio of 1.07 ETH per rsETH. The plan calls for converting the committed ETH into rsETH in tranches, then transferring it into the bridge lockbox contract that was depleted by the exploit. This process gradually restores the 1:1 backing across the entire rsETH supply and removes the price discount at which rsETH has been trading since the exploit.

The second track is liquidating the attacker’s bad debt positions. Once rsETH backing is restored, the collateral backing the attacker’s borrowing positions becomes valid rather than worthless. DeFi United’s proposal estimates this could free up approximately 13,000 ETH from Aave alone, which would be used to repay the bad debt those positions created.

Who Is Contributing

The coalition assembled for this recovery effort is unusually broad for a DeFi incident response. Consensys and its co-founder Joseph Lubin committed up to 30,000 ETH. EtherFi, one of the largest liquid restaking protocols by TVL, is contributing ETH. Lido, which controls a large share of staked ETH, is participating. Aave founder Stani Kulechov announced a personal contribution of 5,000 ETH, a notable signal of individual accountability in an ecosystem that is often criticized for diffuse responsibility when exploits occur.

Arkham Intelligence confirmed that by April 26 the coalition had raised approximately $160 million of the $200 million target, putting the fund at roughly 80% of its goal two days before the technical plan was released. The Aave DAO has separately been asked to commit up to 25,000 ETH as part of the governance-level response.

What This Means for Aave and Compound Users

For users with active positions on Aave and Compound that interact with rsETH collateral, the recovery plan introduces a structured path to resolution rather than a permanent impairment of their positions. The plan’s success depends on three conditions: the committed ETH being converted and deployed into the lockbox as scheduled, the governance vote at Aave DAO passing the 25,000 ETH commitment, and the attacker-linked positions being liquidated without cascading effects on broader Ethereum DeFi markets.

If all three conditions hold, the rsETH depeg resolves, bad debt is cleared, and the exploit’s damage is contained. If any of the three breaks down, the timeline extends and the risk of contagion to other protocols increases. Ethereum’s broader DeFi ecosystem has been operating under the shadow of this incident since April 18, and resolution would remove a significant source of uncertainty from the market.

The Broader Question About Bridge Security

Every major DeFi exploit of 2024 and 2025 involved a bridge or cross-chain messaging layer. The Kelp DAO incident follows that pattern precisely. LayerZero’s bridge messaging system was the attack surface, not the core Kelp DAO contracts themselves.

Bridge security remains the most structurally weak point in the DeFi stack. The complexity of verifying messages across chains, managing trust assumptions across different consensus mechanisms, and handling edge cases in token minting creates attack surfaces that are difficult to fully audit. The frequency with which bridges appear as the entry point in major exploits suggests the problem is architectural rather than purely a code quality issue.

DeFi United’s response to this particular exploit has been faster and better coordinated than most previous incidents. The speed of pledging over $300 million within a week of the exploit, and the release of a technical recovery plan within ten days, demonstrates that the ecosystem has learned from previous slow-motion responses. Whether that speed translates into a clean resolution without secondary effects on DeFi’s growing integration with traditional finance is an open question.

The TCB View

The Kelp DAO exploit and DeFi United’s response represent two sides of the same story. The exploit confirms that bridge infrastructure remains a critical vulnerability that sophisticated attackers continue to target successfully. DeFi United’s response confirms that the ecosystem now has the capital depth and coordination capacity to absorb a $292 million exploit without systemic collapse. Both facts matter equally. The positive reading is that DeFi has grown resilient enough to self-insure against major incidents. The uncomfortable reading is that incidents of this scale are still happening, which means the bridge security problem is not solved and the next exploit is a matter of when rather than if. The $71 million recovery target is achievable. The structural bridge vulnerability is not resolved by this recovery plan, and that is the problem that deserves the same urgency as the immediate crisis response.

Mohana Priya is a staff reporter at The Central Bulletin covering crypto regulation, DeFi policy, and Web3 legal developments. She tracks legislative developments across the US, EU, and Asia, specialising in breaking down complex regulatory frameworks for a general audience.
