DeFi United: How Aave and Compound Coordinated the $292M KelpDAO Recovery
When Lazarus Group hit KelpDAO for $292M, DeFi faced a systemic threat. Instead of chaos, Aave led a coalition of rival protocols to coordinate the largest inter-protocol recovery in DeFi history. Here's the technical plan, the governance mechanics, and what every builder should learn from it.
The DeFi Bailout That Actually Worked
On April 18, 2026, North Korea's Lazarus Group pulled off one of the largest DeFi exploits in history: $292 million stolen from KelpDAO through a bridge vulnerability that minted over 116,000 unbacked rsETH tokens. The attack sent shockwaves through decentralized finance, exposing Aave V3 markets to as much as $230 million in potential bad debt. It was, by any measure, the kind of event that should have cascaded into systemic failure.
Three months later, the outcome looks different. Not because the money was recovered — most of it wasn't — but because DeFi protocols coordinated a response that has never been attempted at this scale. A coalition called DeFi United, led by Aave and joined by Compound, EtherFi, Golem Foundation, and others, published a technical recovery plan in early July that is now moving toward execution. On July 8, Aave Labs formally proposed that Arbitrum's DAO unfreeze 30,765 ETH — roughly $73.5 million — tied to the attack, redirecting those funds into the remediation vehicle.
The KelpDAO recovery is not just a story about a hack. It is the first real test of whether DeFi governance can coordinate across protocols to contain systemic risk — and so far, it is passing.
What Happened: The Lazarus Group Bridge Exploit
The attack vector was deceptively simple. KelpDAO's rsETH — a liquid restaking token representing staked ETH across EigenLayer and other protocols — relied on LayerZero's OFT (Omnichain Fungible Token) adapter for cross-chain transfers between Ethereum mainnet and Arbitrum. The adapter was designed to burn tokens on the source chain and mint them on the destination chain, maintaining a consistent total supply.
Lazarus Group operatives exploited a vulnerability in this bridge mechanism. They extracted approximately 116,500 rsETH — worth $292 million at the time — from the OFT adapter on Ethereum without burning any tokens on the source chain. The result was a massive over-issuance: rsETH tokens circulating on Arbitrum that had no backing on Ethereum.
According to an incident report published by Llamarisk to the Aave governance forum, the exploit exposed Aave V3 markets to potential bad debt ranging from $123.7 million to $230.1 million, depending on how losses were allocated. Of the 112,204 unbacked rsETH sitting in the attacker's positions, a significant portion had been deposited as collateral on Aave and Compound, where borrowers had already taken out loans against them.
Aave's Emergency Response: Pausing, Freezing, Containing
Aave's risk management infrastructure fired within hours of the exploit being detected. The protocol took three immediate actions that contained what could have become a cascading liquidation spiral:
- Paused rsETH reserves across all affected networks: Ethereum Core, Arbitrum, Base, Mantle, and Linea. This prevented new deposits or borrows against the compromised asset.
- The Arbitrum Security Council moved to freeze the attacker's wallet, immobilizing roughly 30,765 ETH that had been moved off the bridge. This was a rare but necessary use of centralized freeze authority within a decentralized ecosystem.
- Aave governance activated the Recovery Guardian, a multisig mechanism designed specifically for black-swan events, which began coordinating the multi-protocol response that would eventually become DeFi United.
These actions were not without controversy. Freezing assets and activating admin-level controls cuts against the permissionless ethos of DeFi. But the alternative — allowing $230 million in bad debt to cascade through lending markets during a period of already-elevated market volatility — would have been far worse. Aave's risk team made the trade-off explicitly: temporary centralization to prevent permanent damage.
DeFi United: How Competitors Became a Coalition
The most remarkable chapter of this story is the formation of DeFi United, a coalition that brought together protocols that normally compete for liquidity and users. The members include:
- Aave — leading the recovery coordination, providing governance rails, and managing the Recovery Guardian
- Compound — the second-largest DeFi lending protocol, also holding unbacked rsETH in its markets
- EtherFi — a liquid staking protocol that was both affected by the exploit and well-positioned to assist with the technical recovery
- Golem Foundation and Golem Factory — contributing a combined 1,000 ETH (approximately $1.7 million) from their treasuries to strengthen the recovery plan
- Llamarisk — Aave's risk service provider, which published the incident report and modeled the bad debt scenarios
On July 6, DeFi United published a technical implementation plan for restoring rsETH backing. The plan has three components: progressively refilling the LayerZero OFT adapter from the Aave Recovery Guardian and Kelp Recovery Safe, burning the exploiter's rsETH on Arbitrum to eliminate the unbacked supply, and clearing the remaining $246 million in attacker positions through controlled liquidations.
The coalition's existence alone represents something unprecedented in DeFi. When protocols compete for the same liquidity pools and the same users, the incentive to help a competitor absorb a $292 million loss is approximately zero. DeFi United worked because the alternative — systemic contagion — would have hurt everyone.
The Recovery Mechanics: Controlled Liquidations and Oracle Governance
The technical recovery plan is where DeFi governance gets genuinely interesting. The $246 million worth of rsETH still sitting in the hacker's positions on Aave and Compound cannot simply be seized — that would require a level of protocol control that would destroy trust in the entire system. Instead, DeFi United is using a mechanism that works within existing governance frameworks.
The approach is a controlled liquidation sequence. Through governance votes on both Aave and Compound, the protocols will temporarily lower the oracle price of rsETH to a level that triggers liquidations of the attacker's positions. These liquidations will be executed by designated parties within the coalition, ensuring that the collateral is captured by the recovery vehicle rather than picked up by opportunistic third parties.
The July 8 proposal from Aave Labs to Arbitrum's DAO adds another layer: unfreezing 30,765 ETH (approximately $73.5 million) from the attacker's wallet, which the Arbitrum Security Council immobilized in April, and redirecting those funds to DeFi United's remediation vehicle. This requires a governance vote from Arbitrum token holders — a remarkable example of cross-DAO coordination that would have been unthinkable two years ago.
Kelp DAO has confirmed that 117,132 rsETH will be progressively refilled into the LayerZero OFT adapter over approximately two weeks, after which rsETH operations — deposits, withdrawals, and the bridge itself — will fully resume across all affected networks.
What Builders Should Learn From KelpDAO
The KelpDAO exploit and its aftermath contain lessons for every team building in DeFi, whether you are launching a liquid staking token, a lending market, or a cross-chain bridge. Here are the five that matter most:
- Bridge security is still the weakest link: The attack exploited a bridge adapter, not a smart contract bug. For any protocol that depends on cross-chain messaging — and most do — the bridge layer is the attack surface that auditors often miss. If you are building cross-chain functionality, bridge invariants need the same audit rigor as your core contracts.
- Incident response infrastructure is not optional: Aave's ability to pause reserves, freeze positions, and activate the Recovery Guardian was not improvised. It was built into the protocol's governance architecture from day one. Every DeFi protocol above a certain size needs a documented, executable incident response plan — not a Discord channel where people panic.
- Oracle manipulation can be a feature, not just a bug: Lowering the rsETH oracle price via governance to trigger controlled liquidations is exactly the kind of mechanism that oracle security audits warn against. But in a recovery context, it becomes a precision tool. The lesson: governance-controlled oracle overrides are dangerous in normal operation but essential during crisis recovery. Design them with both use cases in mind.
- Cross-protocol coordination needs formal channels: DeFi United worked because Aave had existing relationships and shared governance participants across Compound, EtherFi, and other protocols. Building these coordination channels before a crisis — through shared working groups, cross-DAO delegates, or industry alliances — is a security investment, not just a community one.
- The Lazarus Group is not done: North Korean state-sponsored hackers have now extracted over $3 billion from crypto protocols since 2022. KelpDAO is the latest in a pattern that includes Ronin Bridge ($625M), Horizon Bridge ($100M), and Atomic Wallet ($100M). If you are building a DeFi protocol, you are building in a threat environment where nation-state adversaries are actively hunting for vulnerabilities.
For teams building on any EVM-compatible chain, the tooling layer matters. Security starts with the smart contract SDK you choose, the audit pipeline you build around it, and the governance primitives you deploy alongside your protocol. If you are ready to build, thirdweb offers developer plans that scale with your project — including pre-audited contract templates, governance modules, and deployment tooling across dozens of chains.
The Bigger Picture: DeFi's Immune System Is Working
The KelpDAO exploit was devastating, but the response has been instructive. When a $292 million attack hits, the difference between a contained incident and a systemic meltdown is not the quality of the original code — it is the quality of the response infrastructure around it.
Aave paused reserves. Arbitrum froze funds. DeFi United published a recovery plan. Governance votes are now moving toward execution. None of this is elegant. It is messy, involves uncomfortable trade-offs between decentralization and pragmatism, and requires protocols to trust each other in ways they were never designed to do.
But it is working. The alternative — a $230 million bad debt cascade through DeFi lending markets during a period of geopolitical turmoil that has already triggered $450 million in liquidations — would have been catastrophic. The fact that DeFi's immune system held suggests the ecosystem is maturing faster than its critics acknowledge.
KelpDAO expects rsETH operations to fully resume in the coming weeks. The restoration of backing, the burning of unbacked tokens, and the controlled liquidation of attacker positions represent the most ambitious inter-protocol recovery effort in DeFi history. Whether it succeeds completely or partially, it has already rewritten the playbook for how decentralized protocols respond to existential threats.