A coalition of DeFi protocols called DeFi United has raised 131,087 ETH (roughly $303 million) to restore the rsETH liquid restaking token after attackers drained 116,500 rsETH worth approximately $292 million from Kelp DAO's cross-chain bridge on April 18, 2026. The exploit exposed a single point of failure in Kelp DAO's bridge configuration and triggered cascading losses across Aave, Compound, Fluid, Morpho, Euler, and other major lending platforms. Kelp DAO was co-founded by Amitej Gajjala, Dheeraj Borra, Kratik Lodha, and Lucas Kozinski, whose previous work building Stader Labs made them prominent figures in South Asia's DeFi developer community.

How the Attack Happened

Kelp DAO's bridge used a 1-of-1 DVN (Decentralized Verifier Network) setup, meaning a single node was responsible for validating all cross-chain messages before funds were released. Industry best practice calls for multiple independent verifier nodes, so that no single compromised node can unilaterally authorize a fraudulent transfer. Attackers compromised internal RPC nodes and used a distributed denial-of-service attack against external nodes to isolate that single verifier. The bridge then accepted a forged instruction claiming a valid inbound transfer from another chain and released 116,500 rsETH with no corresponding tokens burned or locked on the originating side. Emergency responders froze core contracts 46 minutes after the drain, at 18:21 UTC, but two follow-up attacks targeting roughly 40,000 rsETH each were attempted at 18:26 UTC and 18:28 UTC, just minutes after the pause. The breach affected rsETH on more than 20 blockchains, including Base, Arbitrum, Linea, Blast, Mantle, and Scroll.

"The bridge worked as designed," said Ben Fisch, CEO of Espresso Systems, a blockchain infrastructure firm focused on shared sequencing and cross-chain interoperability. "It just believed the wrong information."

The attacker deposited 89,567 of the stolen rsETH as collateral on Aave V3 and borrowed between $190 million and $196 million in WETH against it. That left Aave facing a bad debt exposure estimated between $177 million and $200 million. Aave's total value locked (TVL) fell from $26.4 billion to roughly $20 billion within 24 hours as users withdrew funds. The damage extended well beyond Aave: total DeFi TVL fell from approximately $99 billion to $85 billion in the 48 hours following the exploit, according to Phemex Academy, underscoring the systemic scale of the breach. The Arbitrum Security Council intervened on April 20, freezing 30,766 ETH (about $71 million) tied to the attacker.

The DeFi United Recovery Plan

DeFi United, organized by Aave service providers, is pooling ETH from across the ecosystem to refill the damaged LayerZero lockbox contract (the on-chain escrow that backs rsETH's cross-chain representation) and restore rsETH's 1:1 backing. The plan converts pooled ETH into rsETH in tranches, then transfers those batches into the affected lockbox. Structuring the recovery in tranches rather than a single lump-sum deposit allows the coalition to synchronize execution with governance timelines and absorb illiquid assets incrementally as they become accessible, consistent with the sequencing detailed in the Aave Governance ARFC. The full upfront deposit required is 120,015 ETH. Because several recovery streams are not yet liquid, the Aave Governance ARFC identifies approximately 44,787 ETH of that upfront amount as secured recoveries not yet accessible, including the Arbitrum-frozen assets and Kelp DAO's own recovered 40,373 rsETH (worth roughly 43,168 ETH). To cover these timing gaps during execution, the coalition arranged interim credit facilities.

The coalition's tracker at defiunited.fyi confirmed the fundraising target was reached as of April 28, described as "subject to pending votes and execution." After accounting for frozen and recoverable assets, the residual funding gap stands at approximately 75,081 ETH. Aave DAO committed 25,000 ETH from its treasury. Consensys and its founder Joseph Lubin pledged up to 30,000 ETH as a combined commitment. Mantle contributed up to 30,000 ETH via a credit facility. Aave Labs founder Stani Kulechov contributed 5,000 ETH personally. Further contributions came from EtherFi (5,000 ETH), Compound (up to 3,000 ETH), Lido Finance (2,500 stETH), Golem Foundation (1,000 ETH), Babylon Foundation ($3 million in USDT), Renzo (over $10 million), community donations totaling 587 ETH, and Kelp DAO itself, which contributed 2,000 ETH, a gesture that signals some degree of accountability from the team whose infrastructure failure triggered the crisis.

"Financial support from these leading ecosystem participants makes funds available to the recovery effort without delay," Kulechov said.

Lubin framed the response as a test of the ecosystem's durability: "The Ethereum technology and ecosystem are antifragile... DeFi United is exactly that, a broad, coordinated response to protect users and strengthen the infrastructure we've all helped build."

Regional Impact: South Asia and Africa

The regional dimensions of this exploit are significant. Kelp DAO grew out of Stader Labs, an India-based liquid staking protocol whose co-founders built their careers in India's startup ecosystem before becoming prominent figures in Ethereum's restaking layer. rsETH is a liquid restaking token whose value derives from EigenLayer, a protocol that allows staked ETH to simultaneously secure additional networks called actively validated services (AVS), generating both standard Ethereum staking yields and supplemental AVS rewards. That layered yield structure attracted retail holders across emerging markets, but it also means rsETH carries compounded risks that go beyond those of simpler liquid staking tokens. Analysts in the space have noted that the reputational fallout extends to South Asia's wider DeFi builder community and that trust can erode quickly after a high-profile failure tied to infrastructure decisions rather than code.

For retail users in India, Pakistan, Bangladesh, and Sri Lanka, the exploit illustrated a concrete risk: yield-bearing ETH derivatives can become instantly illiquid. Pakistan and Sri Lanka, in particular, have seen elevated rsETH adoption driven by persistent fiat currency instability, making the sudden freeze of redemptions especially disruptive for users in those markets. Regional DeFi support infrastructure remains limited, leaving many affected holders with few local resources for recourse or guidance. In Africa, particularly in Nigeria, Kenya, and Ghana, DeFi users rely heavily on Layer 2 networks like Arbitrum and Base because of lower transaction costs. Both networks hosted rsETH, and users there faced the same sudden uncertainty about redemption. One anonymous participant in the Aave governance forum noted that Morpho "experienced almost zero exposure" during the crisis, crediting its isolated vault architecture over Aave's pooled model; readers should weigh that comparison with the caveat that the source is unverified and anonymous. The architectural contrast between isolated and pooled lending models is one that builders in both regions constructing lending infrastructure may examine closely as they consider risk tradeoffs.

Sergej Kunz, co-founder of 1inch, was direct about the structural issue: "As long as we rely on validator-based bridges, these problems will continue."

What Comes Next

Full restoration still depends on several conditions outside DeFi United's direct control. Kelp DAO must reopen rsETH withdrawals. LayerZero must reopen its bridge. The Arbitrum Security Council must release frozen ETH pending an Arbitrum DAO vote. Both the Arbitrum and Aave governance proposals must pass. Media reports, citing on-chain analysis flagged by Chainalysis, have linked the attack to the Lazarus Group, a North Korean state-linked hacking unit, though no public law enforcement statement has confirmed that attribution. The exploit already surpasses the $285 million Drift Protocol hack from April 1, 2026, making it the largest DeFi exploit recorded this year.

Whether or not every governance vote lands cleanly, DeFi United's tranche-based, multi-party recovery model represents a structural departure from previous post-exploit responses, in which losses were either absorbed by a single protocol or left unrecovered. If the mechanism succeeds, it may establish a replicable template: a coordinated coalition that pools treasury assets, arranges interim financing, and sequences restoration through governance rather than expecting any one participant to shoulder a nine-figure loss alone.