Devoured - April 29, 2026
Aave Publishes Technical Implementation Plan to Restore rsETH Backing (3 minute read)

Aave Publishes Technical Implementation Plan to Restore rsETH Backing (3 minute read)

Crypto defisecurity Read original

DeFi United coalition publishes comprehensive recovery plan to restore 116,500 rsETH released in a bridge exploit, testing whether decentralized protocols can coordinate large-scale post-exploit recovery without socializing losses.

What: A coalition of DeFi protocols has detailed the technical steps to recover from an April 18 bridge exploit where a forged packet released 116,500 rsETH tokens (worth roughly $137M at 1.07 ETH ratio) without burning the corresponding tokens on Unichain. The exploiter used most of the stolen rsETH as collateral on Aave and Compound, and the plan involves restoring the bridge's ETH backing while using governance-controlled liquidations to recover the exploited collateral.
Why it matters: This represents a critical test case for DeFi's resilience and coordination capabilities—if successful, it demonstrates that decentralized protocols can collaboratively resolve exploits through governance rather than forcing losses onto users or requiring centralized intervention.
Takeaway: Developers working with cross-chain bridges or DeFi protocols should follow the governance proposals and execution to understand both the exploit vector (forged inbound packets) and the recovery mechanisms as potential patterns for handling future incidents.
Deep dive
  • The exploit involved forging an inbound packet on the Unichain-to-Ethereum bridge, which caused the Ethereum-side adapter to release 116,500 rsETH without the corresponding burn happening on Unichain—a critical bridge security failure
  • The exploiter distributed stolen rsETH strategically: portions became collateral on Aave V3 (both Ethereum and Arbitrum), portions on Compound, with seven addresses holding ~107,000 rsETH in active positions
  • Recovery requires two parallel tracks: (1) restoring rsETH's ETH backing to maintain its 1.07 ETH peg, and (2) liquidating exploiter positions to recover the excess collateral without socializing losses
  • DeFi United has secured ETH commitments to restore full backing by depositing into the bridge lockbox contract, converting ETH to rsETH in tranches to manage risk
  • Clearing exploiter positions requires governance proposals on both Ethereum and Arbitrum that temporarily manipulate the rsETH oracle price to enable forced liquidations
  • The oracle manipulation creates a temporary protocol deficit that gets filled by redeeming the recovered rsETH collateral back to ETH through Kelp's standard procedure
  • Recovery would net approximately 13,000 ETH from Aave markets and 16,776 ETH from Compound after liquidations complete
  • All configuration changes (oracle adjustments, LTV modifications) are explicitly temporary and scoped only for recovery execution, then fully reverted
  • WETH and rsETH reserves remain frozen across multiple chains (Ethereum, Arbitrum, Base, Mantle, Linea) during the recovery period
  • Key risks include governance execution failures, attacker interference during liquidation, and security validation of new bridge measures before resuming operations
  • LayerZero and KelpDAO have implemented additional security measures for the bridge, though these remain unvalidated in production until operations resume
  • Success depends on coordination across multiple protocol DAOs, finalization of legal agreements, and correct execution of complex multi-step governance proposals
  • This incident showcases both bridge vulnerabilities (packet forgery) and DeFi's potential for collective recovery mechanisms that don't force users to absorb losses
Decoder
  • rsETH: KelpDAO's liquid staking token representing staked ETH with rewards, currently trading at 1.07 ETH per rsETH
  • Bridge exploit via forged packet: An attack where the exploiter created a fake message that convinced the Ethereum side to release tokens without the source chain actually burning them
  • Liquidation: Forcibly selling collateral when a loan position becomes undercollateralized, typically to protect the lending protocol
  • Oracle price manipulation: Temporarily adjusting the price feed that DeFi protocols use to value assets, enabling controlled liquidations that wouldn't normally trigger
  • LTV (Loan-to-Value): The maximum percentage you can borrow against collateral value; higher LTV means more borrowing power
  • Lockbox contract: The smart contract that holds the actual ETH backing the bridged rsETH tokens on the destination chain
  • DeFi United: An ad-hoc coalition formed by affected ecosystem participants (Aave, Compound, KelpDAO, LayerZero, others) to coordinate recovery
Original article

DeFi United, a coalition of ecosystem participants, has published the full technical implementation plan to restore KelpDAO's rsETH backing following the April 18 bridge exploit, where a forged inbound packet on the Unichain-to-Ethereum route released 116,500 rsETH without a corresponding burn. The exploiter distributed the rsETH across multiple addresses, supplied portions as collateral on Aave V3 (Ethereum and Arbitrum) and Compound, with seven addresses still holding active rsETH-backed positions. The plan covers the full path to making rsETH whole and resuming normal market operations, a critical test of DeFi's ability to coordinate post-exploit recovery at scale.