Kelp DAO Burns Exploiter's Tokens, Plans Two-Week rsETH Recovery Following $293M Hack

Recovery Plan Initiated After Major DeFi Exploit

Ethereum liquid restaking platform Kelp DAO has announced significant progress in its recovery efforts following a devastating exploit earlier this year. The protocol has successfully burned the attacker's rsETH tokens on the Arbitrum layer-2 network and outlined a comprehensive two-week restoration plan in collaboration with Aave's decentralized lending protocol.

According to Tuesday's announcement from Kelp DAO, 117,132 rsETH tokens—currently valued at approximately $278 million—have been burned and will be progressively restored over a two-week period. The recovery operation will utilize funds from the Aave Recovery Guardian multisignature wallet, which operates under the control of the DeFi United recovery group alongside Kelp's own recovery safe.

Technical Implementation of Token Restoration

The restoration process will route funds through the LayerZero OFT adapter, the smart contract infrastructure responsible for managing cross-chain transfers of rsETH, including locking, minting, burning, and releasing tokens. Kelp DAO emphasized that rsETH on both the Ethereum mainnet and various layer-2 networks remains fully backed at all times, maintaining its $1.5 billion market capitalization.

This recovery effort represents a critical milestone for users affected by one of 2024's largest DeFi exploits. The attack occurred in April when hackers, widely attributed to North Korea's Lazarus Group, exploited Kelp's rsETH adapter bridge contract and successfully drained approximately $293 million from the platform.

Security Failure Analysis

Blockchain security firm OpenZeppelin investigated the incident and reported that no traditional smart contract vulnerability was publicly identified. Instead, the firm concluded that "the system failed operationally," highlighting a category of risk that the DeFi industry has "consistently underweighted." This assessment underscores the importance of operational security measures beyond code audits.

Withdrawal Timeline and Enhanced Security Measures

Kelp DAO announced that withdrawals will resume "tentatively within 24 hours" following the return of the first tranche of funds to the smart contract. Once contracts are reactivated, all rsETH operations—including deposits, redemptions, bridging, and claims—will return to normal functionality.

The protocol has implemented substantial security enhancements following the exploit. Bridging security now requires four independent attestors and 64 block confirmations, representing a significant strengthening of validation processes. Additionally, Kelp has deprecated certain layer-2 routes to reduce potential attack surfaces.

Looking forward, the platform is transitioning to Chainlink's Cross-Chain Interoperability Protocol (CCIP) to further fortify its cross-chain bridging infrastructure.

Market Impact and Protocol Performance

Kelp operates as a prominent liquid restaking protocol on Ethereum, primarily built on the EigenLayer infrastructure. The platform allows users to deposit ETH or other supported liquid staking tokens to generate additional yields through restaking mechanisms.

According to DefiLlama data, Kelp's total value locked (TVL) reached an all-time high exceeding $2 billion in September 2025. However, following the April exploit and subsequent market conditions, the TVL has declined by approximately 26% to $1.55 billion.

Despite the recent wave of DeFi security incidents, ETH derivatives traders have reportedly remained largely unfazed, with professional market sentiment holding steady despite heightened security concerns across the decentralized finance sector.