Rewards Hub 
The largest coordinated bailout in DeFi history is now underway. On April 23, Aave service providers launched "DeFi United," a cross-protocol relief fund designed to raise 100,000 ETH to restore the backing of rsETH after the $292 million Kelp DAO bridge exploit on April 18. As of April 24, the fund had already gathered roughly 69,534 ETH (about $161 million), and the list of contributors reads like a who's who of Ethereum infrastructure.
This is not a DAO vote to reimburse individual users. It is a coordinated industry effort to prevent a single exploit from cascading into a systemic bad-debt crisis across the largest lending protocol in DeFi, one that holds billions in user deposits.
What Happened to Kelp DAO and Why Aave Is Exposed
On April 18 at 17:35 UTC, an attacker exploited Kelp DAO's LayerZero-powered bridge to drain 116,500 rsETH from the Ethereum mainnet escrow contract, worth roughly $292 million at the time. The attack targeted something deceptively simple. Kelp had configured its bridge with a single-verifier setup, meaning only one LayerZero Decentralized Verifier Node (DVN) needed to confirm cross-chain messages. The attackers compromised two RPC nodes feeding that verifier, used a DDoS to force failover, and tricked the system into believing a valid burn had occurred on Unichain when none had.
The poisoned verifier confirmed the fraudulent message, and the Ethereum-side contract released 116,500 rsETH to an attacker-controlled wallet. Kelp's emergency pauser froze contracts 46 minutes later, blocking two follow-up attempts worth another $100 million, but the initial drain was already complete.
Here is where it became Aave's problem. The attacker immediately deposited 89,567 rsETH into Aave as collateral and borrowed roughly $190 million in WETH and wstETH across Ethereum and Arbitrum. The borrowed assets were legitimate ETH and wrapped staking tokens, but the collateral backing those loans was unbacked rsETH with no real value behind it. Those 89,567 rsETH tokens are now unbacked, which means if they get liquidated, Aave absorbs the loss as bad debt. Initial estimates from Aave's governance forum put potential losses between $123 million and $230 million depending on how Kelp allocates the shortfall across chains.
Who Is Contributing to DeFi United and How Much
The contributor list is what makes this different from every previous DeFi exploit response. Past hacks typically ended with the affected protocol eating the loss, maybe running a community fundraiser, and hoping the attacker returned funds. DeFi United is the first time multiple protocols have pooled capital across organizational lines to absorb damage from an exploit that technically happened to someone else.
|
Contributor
|
Amount
|
Structure
|
|
Aave DAO (governance proposal)
|
25,000 ETH (~$58M)
|
Direct contribution from DAO treasury
|
|
Stani Kulechov (personal)
|
5,000 ETH (~$11.6M)
|
Personal commitment from Aave founder
|
|
Mantle Network
|
30,000 ETH (~$69.6M)
|
3-year loan, Lido APR +1%, requires 130K AAVE token delegation
|
|
Lido DAO
|
2,500 stETH (~$5.8M)
|
Direct pledge
|
|
EtherFi
|
Undisclosed
|
Confirmed participant
|
|
Ethena
|
Undisclosed
|
Confirmed participant
|
|
Ink Foundation
|
Undisclosed
|
Confirmed participant
|
|
BGD Labs
|
Undisclosed
|
Confirmed participant
|
|
Frax Finance
|
Pending governance vote
|
Signaled support
|
|
Individual contributors
|
Various
|
Multiple smaller commitments
|
|
Total (as of April 24)
|
~69,534 ETH
|
~$161M raised toward 100K ETH goal
|
The Aave DAO's 25,000 ETH proposal is the single largest commitment. If approved through governance, it would make Aave the biggest contributor by a wide margin. But Mantle's 30,000 ETH loan is arguably the most creative structure. It is not a donation. Mantle is lending ETH to Aave at Lido's staking yield plus 1%, with a three-year term and a condition that Aave delegates 130,000 AAVE governance tokens to Mantle. That gives Mantle governance influence in return for providing liquidity when Aave needs it most.
Kulechov's 5,000 ETH personal contribution is notable because it signals conviction. When a protocol founder puts roughly $11.6 million of personal capital into a relief fund, it tells the market that the person closest to the situation believes the protocol is worth saving and that the math works.
Why Arbitrum Froze $71 Million Separately
While DeFi United was organizing, Arbitrum's Security Council took a different approach. The council froze 30,766 ETH (about $71 million) linked to the exploit, moving the funds into a governance-controlled wallet. That recovers roughly a quarter of the total amount drained.
The freeze happened because the attacker had borrowed assets on Arbitrum using the stolen rsETH as collateral. Arbitrum's Security Council, a 12-member multisig with emergency powers, voted to freeze the attacker's position before those funds could be bridged out. The attacker had already begun moving stolen funds across chains after the freeze, which is why the DeFi United fund still needs to cover the remaining gap.
This creates an interesting split in the recovery. Arbitrum used centralized emergency powers to lock funds on its chain. DeFi United is using decentralized coordination to fill the gap that centralized intervention could not fully cover. Both approaches working in parallel is a first for the industry.
The Lazarus Group Connection and What It Means for Bridge Security
LayerZero attributed the attack to North Korea's Lazarus Group, specifically the TraderTraitor subunit. The attribution is based on pre-funding through Tornado Cash roughly ten hours before the attack, the use of self-destructing binaries on compromised infrastructure, and post-drain consolidation patterns that match documented DPRK-linked exploits.
If the attribution holds, Lazarus Group drained more than $575 million from DeFi in just 18 days during April 2026, combining the Drift Protocol exploit on April 1 with the Kelp attack on April 18. Two structurally different attack vectors, two different protocols, same threat actor.
The scale of Lazarus Group's 2026 operations puts it on track to surpass the $1.7 billion the group reportedly stole across all of 2022, which was previously considered its peak year.
But the blame game between Kelp and LayerZero is equally telling. LayerZero says Kelp chose a single-verifier setup that LayerZero had explicitly warned against. Kelp responded that LayerZero's default configuration settings are what led to the vulnerability. The truth probably sits somewhere in the middle, but for traders and DeFi users, the takeaway is more practical. Any protocol running a bridge with a single point of verification failure is carrying risk that the market was not pricing in. A properly hardened multi-verifier setup would have required the attacker to compromise multiple independent DVNs simultaneously, making this specific attack vector ineffective.
What Happens If DeFi United Reaches 100,000 ETH
The 100,000 ETH target is not arbitrary. It is the approximate amount needed to fully restore rsETH backing so that every rsETH holder has a 1:1 claim on underlying ETH. Without full restoration, rsETH trades at a permanent discount to its theoretical value, Aave carries bad debt on its books, and every protocol that accepted rsETH as collateral faces writedowns.
If the fund reaches its target, the rsETH peg gets restored, Aave's bad debt gets absorbed through the relief fund rather than through protocol insolvency, and the DeFi ecosystem avoids a confidence crisis that could trigger withdrawals from other lending protocols. Aave's total value locked dropped $6 billion in the days following the exploit as users pulled deposits out of caution. Restoring confidence is as important as restoring the actual ETH deficit.
The broader DeFi market felt the impact immediately. Total DeFi TVL dropped more than $13 billion in two daysfollowing the hack, driven by withdrawals from protocols that had no direct exposure to rsETH. That is fear contagion, and DeFi United is as much about stopping that contagion as it is about filling a balance sheet hole.
For DeFi users who are not directly holding rsETH, the implications are still real. Aave is the largest lending protocol in the ecosystem, and its health affects borrowing rates, collateral availability, and liquidity depth across every market it serves. If Aave's balance sheet takes a permanent hit, borrowing costs rise for everyone using the platform, and depositors face lower yields as the protocol diverts revenue to cover the shortfall.
And if the fund falls short, the remaining deficit becomes Aave's problem. The protocol's treasury and safety module would need to absorb whatever gap remains, which could trigger AAVE token sales from the safety module and create downward price pressure on the governance token itself.
Frequently Asked Questions
What is DeFi United?
DeFi United is a coordinated cross-protocol relief fund launched by Aave service providers to raise 100,000 ETH and restore the backing of rsETH after the $292 million Kelp DAO exploit. Contributors include Aave DAO, Lido, Mantle, EtherFi, Ethena, and several others. As of April 24, the fund had raised roughly 69,534 ETH.
How did the Kelp DAO exploit happen?
The attacker compromised RPC nodes feeding Kelp's single LayerZero verifier, tricked the system into confirming a fraudulent cross-chain message, and drained 116,500 rsETH ($292 million) from the Ethereum mainnet escrow. The stolen tokens were then deposited into Aave as collateral to borrow $190 million in legitimate assets.
Why is Aave involved if the exploit happened to Kelp?
The attacker used 89,567 unbacked rsETH as collateral on Aave to borrow roughly $190 million in WETH and wstETH. If those positions are liquidated, Aave absorbs the loss as bad debt because the collateral has no real backing. Aave's potential losses range from $123 million to $230 million depending on how the shortfall is distributed.
Is this the largest DeFi bailout ever?
By every measure, yes, this is the largest coordinated DeFi bailout in the industry's history. Past exploits typically resulted in affected protocols absorbing losses alone, running bounty programs for fund returns, or community fundraisers. DeFi United is the first time major protocols have pooled tens of thousands of ETH across organizational boundaries to absorb damage from an exploit on a different protocol.
Bottom Line
DeFi United has raised roughly 70% of its 100,000 ETH target in less than a week, with Aave, Mantle, Lido, Kulechov, and a growing list of contributors committing capital to restore rsETH backing. The next 48-72 hours matter. If the Aave DAO governance vote passes and the remaining gap closes, DeFi avoids its first systemic bad-debt crisis and proves that decentralized coordination can function at scale when it needs to. If contributions stall short of 100,000 ETH, Aave's safety module takes the hit, AAVE token holders absorb dilution, and every lending protocol in the ecosystem faces renewed questions about collateral risk management. The Lazarus Group attribution adds a geopolitical layer that regulators will not ignore. A state-sponsored actor draining $575 million from DeFi in 18 days is the kind of headline that accelerates regulatory action on bridge security standards. For anyone holding positions in DeFi lending protocols, the DeFi United outcome is the signal to watch this week.
This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency trading involves substantial risk. Always conduct your own research before making trading decisions.
