Three weeks after North Korea-linked hackers triggered one of DeFi's most damaging exploits of 2026, the recovery effort is gaining momentum.
Aave Liquidates Kelp Hacker Positions as Arbitrum Vote Clears Path for ETH Release
7 May 2026 - 10:51 CEST
By Matt Neill
Aave has completed the liquidation of the attacker's restaked ETH positions across Ethereum and Arbitrum, while Arbitrum governance has voted to unfreeze the approximately $71mn in ETH at the centre of a separate US court dispute.
Aave confirmed on 6 May that the attacker's rsETH collateral on both networks had been liquidated and that the recovered assets are now controlled by the Recovery Guardian as specified in the governance proposal. No other users were affected by the liquidation process, and Aave's Umbrella insurance module was untouched.
The liquidation was made possible by a governance-approved adjustment to the rsETH oracle price, enabling a controlled wind-down of the hacker's positions without broader market disruption.
Arbitrum community backs ETH release
In a separate development, more than 1,600 addresses holding over 190mn ARB tokens voted on the Snapshot temperature check to release the frozen ETH held by Arbitrum DAO, with the proposal reaching quorum and receiving strong approval from delegates.
The vote marks a significant step toward routing the 30,765 ETH secured by the Arbitrum Security Council on 21 Apr into the coordinated DeFi United recovery fund, which is designed to restore rsETH's backing and compensate affected users proportionally.
The governance process still requires an onchain Constitutional AIP vote, which carries a total estimated timeline of approximately 49 days, including waiting periods and cross-chain message finalisation.
The frozen ETH had been the subject of a restraining notice filed on 1 May by law firm Gerstein Harrow on behalf of creditors holding unpaid judgments against North Korea, a claim Aave contested in an emergency court filing at the US District Court for the Southern District of New York.
Recovery effort advances amid legal uncertainty
The Kelp exploit on 18 Apr drained approximately $292mn from the protocol via compromised LayerZero verifier nodes, with stolen rsETH used as collateral on Aave to generate bad debt of between $177mn and $196mn.
The attack triggered nearly $6bn in withdrawals from Aave and sent the AAVE token down almost 20%.
The completion of the hacker position liquidations and the strong Arbitrum governance signal together represent the most concrete progress since the incident, though the outcome of the US court proceedings remains a material variable in the timeline for user restitution.
