Blockchain collective rebounds from massive $292 million hack, successfully restoring stolen ether assets

Kelp DAO has completed the main recovery work tied to the rsETH exploit after sending the final 20,373.72 rsETH batch to the rsETH OFT adapter, the contract used to support rsETH transfers across chains.

The final tranche of 20,373.72 rsETH has been sent to the rsETH OFT adapter earlier today. This closes the operational part of the rsETH recovery plan.

Tx: https://t.co/fB2HLWvggk

— Kelp (@KelpDAO) May 25, 2026

The transfer closes the operational part of the recovery plan, which focused on refilling the adapter after the exploit disrupted rsETH backing and temporarily affected normal protocol activity. Kelp said mints, redemptions, and rewards have been running normally since the protocol was unpaused.

The recovery follows an April 18 exploit that released about 116,500 rsETH from Kelp’s Ethereum side bridge adapter. Galaxy Research said the attacker delivered a forged LayerZero packet to the rsETH OFT adapter, which then released the tokens to the attacker’s address on Ethereum mainnet.

The exploit affected Kelp’s LayerZero OFT adapter, which is used to move rsETH across Ethereum layer 2 networks and other chains. Galaxy said the adapter works through a lock and mint model, where rsETH leaving Ethereum is locked in escrow and cross chain messages authorize releases when tokens return.

Aave and other DeFi protocols were pulled into the fallout because the attacker used part of the released rsETH as collateral to borrow assets. The attacker supplied rsETH on Aave and borrowed large amounts of WETH, turning the bridge failure into a broader DeFi lending problem.

The recovery plan centered on restoring the rsETH backing by gradually refilling the LayerZero OFT adapter. Kelp previously said 117,132 rsETH would be progressively refilled from the Aave Recovery Guardian and the Kelp Recovery Safe into the LayerZero OFT adapter on mainnet.

The first tranche was transferred last week, allowing rsETH bridging between Ethereum mainnet and layer 2 networks to reopen. Aave said at the time that the first tranche had been moved into the LayerZero OFT adapter and that rsETH bridging was back online.

The remaining batches were scheduled to be sent over the following two weeks to fully replenish the lockbox contract. rsETH withdrawals were set to resume within 24 hours after the first batch, with deposits reopening within 48 hours and staking rewards accrued during the pause distributed to holders.

The incident also triggered debate over LayerZero bridge configurations. Galaxy said Kelp’s adapter used a 1 of 1 DVN configuration, meaning one verifier was enough to authorize a message. LayerZero later said the attack involved poisoned RPC nodes and a denial of service attack that forced the verifier to rely on compromised data sources, according to Galaxy.

LayerZero’s post mortem said Kelp’s bridge had previously used a 2 of 2 DVN setup before being changed to 1 of 1, while Kelp maintained that the setup was a documented default approved during its expansion to layer 2 networks.

With the final tranche now sent, the recovery effort moves from active refilling to monitoring. Kelp said users can track complete rsETH backing through its public dashboard, while normal minting, redemption, and rewards operations continue after the unpause.