DeFi United: How Aave and Six Protocols Are Racing to Cover a $292 Million Hole

Aave launched a cross protocol relief fund called DeFi United on April 23, 2026 to restore the rsETH backing destroyed by a $292 million exploit on KelpDAO’s LayerZero bridge. The coalition includes Lido, EtherFi, Ethena, Mantle, Ink Foundation, and BGD Labs. The fund’s target is 100,000 ETH to fully restore rsETH’s collateral backing and prevent bad debt from cascading through integrated lending markets including Aave itself. As of April 25, the fund had gathered roughly 69,534 ETH, approximately $161 million, with individual commitments from Aave founder Stani Kulechov and protocol teams across the coalition.

Key Highlights

• Aave launched DeFi United on April 23, 2026, a cross protocol emergency fund targeting 100,000 ETH to restore rsETH backing after the KelpDAO exploit drained $292 million from the protocol on April 18
• Seven protocols have committed to the coalition: Aave, Lido, EtherFi, Ethena, Mantle, Ink Foundation, and BGD Labs. Individual commitments include 5,000 ETH from Aave founder Stani Kulechov, 5,000 ETH from EtherFi Foundation, and 1,000 ETH from Golem
• As of April 25, the fund had raised 69,534 ETH, approximately $161 million, with the remaining 30,466 ETH still to be committed
• The exploit targeted KelpDAO’s LayerZero bridge integration, where an attacker minted 116,500 unbacked rsETH tokens by exploiting a vulnerability in the bridge’s messaging system
• rsETH, a yield bearing liquid staking token representing staked ETH, is used as collateral in Aave and other lending protocols. Without full backing, rsETH collateral positions would become undercollateralized, triggering liquidations and potential bad debt
• Aave DAO has been asked to commit 25,000 ETH from its Safety Module as part of the total 100,000 ETH target, a proposal that requires a formal DAO governance vote

How the KelpDAO exploit actually worked

KelpDAO’s exploit originated in its LayerZero bridge integration. LayerZero is a cross chain messaging protocol that allows tokens and data to move between different blockchain networks. KelpDAO used LayerZero to enable rsETH to exist on multiple chains beyond Ethereum mainnet. The attacker identified a vulnerability in how KelpDAO’s bridge contract verified incoming LayerZero messages.

By sending malformed or replayed bridge messages, the attacker was able to trigger KelpDAO’s minting function without providing the underlying ETH collateral that should have backed each newly minted rsETH token. The result was 116,500 rsETH tokens created from nothing. Those unbacked tokens were then sold into liquidity pools, draining real ETH from the pools in exchange for the synthetic rsETH. The total value extracted from real pools was approximately $292 million at the ETH price at the time of the exploit.

The KelpDAO exploit is part of a broader pattern of bridge vulnerabilities in 2026, where the complexity of cross chain messaging systems creates attack surfaces that single chain protocols do not have. LayerZero has been audited multiple times, but the vulnerability was in KelpDAO’s implementation of the LayerZero messaging interface, not in LayerZero itself. The distinction matters for how responsibility and recovery should be structured.

Why rsETH backing failure cascades through DeFi

RsETH is not a standalone token. It is widely used as collateral in lending protocols, most notably in Aave. When users deposit rsETH as collateral in Aave, the protocol allows them to borrow other assets against it. The collateral ratio depends on rsETH’s value remaining stable relative to the underlying ETH it is supposed to represent.

If rsETH loses its backing, the market price of rsETH falls below the value of the ETH it should represent. Collateral positions that were adequately collateralized at the old rsETH price become undercollateralized at the new price. Aave’s liquidation bots then automatically sell the rsETH collateral to repay the loans. But if the rsETH collateral is worth less than the loan value because of the lost backing, Aave ends up with bad debt: loans that cannot be fully repaid even after liquidating the collateral.

Bad debt in Aave affects the protocol’s Safety Module, which is a pool of staked tokens held as a backstop for exactly this type of event. With ETH staking positions across major protocols representing billions in locked value, the contagion risk from a single large liquid staking token losing its backing is systemic rather than isolated. That is why seven protocols mobilized within five days of the exploit rather than leaving KelpDAO to handle recovery alone.

How DeFi United is structured

DeFi United is a voluntary coalition with no formal legal entity. Each participating protocol or individual commits ETH to a shared multisig wallet controlled by the coalition’s core members. The ETH is used to directly restore rsETH’s backing by providing the collateral that the attacker’s unbacked minted tokens lacked.

The 100,000 ETH target represents the amount needed to fully restore rsETH’s 1:1 ETH backing across the full outstanding supply of rsETH tokens. Partial restoration would reduce the backing deficit but would not eliminate the undercollateralization risk in lending markets. The coalition has set the target high enough to achieve full restoration rather than partial damage control.

The Aave DAO proposal to commit 25,000 ETH from Aave’s Safety Module is the largest single proposed contribution. It also requires the most governance process, since it involves using the Safety Module, which is Aave’s last line of defense against bad debt, for a recovery purpose outside Aave’s own protocol. The DAO vote will determine whether the Safety Module’s protective function extends to ecosystem wide events that threaten Aave through collateral contagion, or whether it is reserved strictly for Aave internal bad debt. DeFi governance becoming a mechanism for industry wide crisis response is a development that US regulators following the CLARITY Act debate are watching closely.

The seven protocols and what each brings

Aave provides the largest institutional commitment through its DAO Safety Module proposal and gives the coalition credibility as DeFi’s largest lending protocol by total value locked. Lido, as the dominant liquid staking provider holding roughly 30% of all staked ETH, has direct interest in restoring confidence in liquid staking token collateral models. An rsETH backing failure that goes unresolved would damage Lido’s own stETH collateral usage in lending markets.

EtherFi and Ethena are both yield bearing liquid staking and restaking protocol operators with products that compete in the same collateral category as rsETH. Their participation in the recovery signals that they view the precedent of a successful cross protocol rescue as more valuable than the competitive benefit of seeing a rival product fail. Mantle and Ink Foundation bring treasury commitments from the ecosystem fund level rather than the protocol revenue level. BGD Labs, which provides technical services for the Aave ecosystem, brings implementation expertise for executing the recovery mechanics correctly.

Stani Kulechov’s personal 5,000 ETH commitment is the most visible individual contribution and carries weight beyond the financial amount. As DeFi infrastructure becomes more embedded in mainstream financial activity, the credibility of protocol founders responding to crises with personal capital rather than just governance proposals matters for how institutional participants evaluate systemic risk in the sector.

What a successful rescue proves and what it leaves unresolved

If DeFi United raises 100,000 ETH and fully restores rsETH’s backing, it will have demonstrated that DeFi’s social coordination mechanisms can respond to a large scale exploit faster than traditional financial regulators can convene hearings. The exploit happened April 18. The coalition formed April 23. Fundraising was 70% complete by April 25. That is a seven day response cycle for a $292 million crisis across seven independent protocols with no central coordinator.

What the successful rescue does not resolve is the underlying bridge security problem. LayerZero and similar cross chain messaging systems are necessary infrastructure for a multi chain DeFi ecosystem. They are also inherently complex and present novel attack surfaces that single chain protocols do not have. DeFi lost over $600 million to exploits in the first quarter of 2026, with bridge vulnerabilities accounting for the largest share of those losses. Recovering from one exploit does not change the incentive structure that makes bridges attractive targets. It demonstrates that DeFi can survive the damage. Preventing the damage requires changes to how bridge implementations are audited, deployed, and monitored that go beyond what a coalition rescue fund can deliver.

The TCB View

DeFi United is the most significant voluntary self governance response to a protocol exploit since the Ethereum community’s response to the 2016 DAO hack, which ultimately required a hard fork. DeFi United is doing something harder: coordinating across seven competing protocols with no central authority, no governance mandate, and no legal obligation to anyone, in response to a crisis they did not cause. The fact that the coalition reached 70% of its funding target within two days of launching is a genuine signal about DeFi’s social contract. When a core piece of infrastructure fails, the protocols that depend on it have shown they will act collectively to restore it rather than individually protecting their own positions. That is a meaningful maturity signal for an ecosystem that critics have long argued has no accountability structure. The remaining question is structural. How does DeFi prevent the next bridge exploit from requiring another emergency coalition? The security infrastructure for bridge implementations is not keeping pace with the scale of value flowing through them. DeFi United proves the community can respond. The next test is whether it can prevent.