DeFi United Raises $303 Million in ETH to Cover Kelp DAO $290 Million Exploit

A $292 million exploit of Kelp DAO on April 18, 2026 triggered a rapid crisis across decentralized lending markets, with the stolen value tied to Kelp DAO’s rsETH bridge and its cross-chain messaging.

Decrypt described how DeFi United raised “132.650 Ethereum (ETH)” valued at “approximately $303 millones” to cover the “hackeo de $290 millones de Kelp DAO,” linking the rescue to the “exploit de $290 millones” and the April 18 theft of rsETH.

@coindesk

PortalCripto said the attacker forged a message through LayerZero’s inter-chain messaging layer, prompting the Kelp DAO bridge to release “116,500 rsETH” to an address controlled by the attacker, and it reported that the stolen volume represented “roughly 18% of the total rsETH tokens in circulation.”

Whalesbook framed the incident as a “$292 million exploit of Kelp DAO” that targeted “Kelp DAO's cross-chain bridge” and exploited a vulnerability in its “LayerZero OFT bridge,” allowing an attacker to create “unbacked rsETH tokens on Ethereum.”

Coin Academy similarly tied the exploit to April 18 and said an attacker “forging a legitimate-looking message” released “116,500 rsETH without collateral,” creating “uncollateralized tokens valued at an estimated $300 million.”

PortalCripto reported that the attacker used the compromised rsETH as collateral to borrow wrapped ETH, accumulating “debt of more than $236 million,” while Whalesbook said the ripple effect included outflows from Aave and a collapse in total value locked.

Decrypt added that “Desde que los fondos sin respaldo fueron saqueados, la liquidez de Aave ha estado bajo presión,” describing a liquidity squeeze that shook confidence in DeFi broadly.

Multiple reports described how the Kelp DAO hack translated into systemic pressure by turning the stolen rsETH into collateral inside major lending protocols.

Whalesbook said the exploit “allowed an attacker to create unbacked rsETH tokens on Ethereum,” after which “the rsETH token then lost its value, causing a ripple effect across DeFi,” and it quantified the lending-market impact by stating that “$8.45 billion left the Aave protocol in two days,” shrinking Aave’s “Total Value Locked (TVL) from $26.4 billion to $17.9 billion.”

@coindesk

Coin Academy described the same mechanism in operational terms, saying the compromised tokens “were spread across multiple wallets and massively deployed on DeFi protocols, notably as collateral on Aave and other lending platforms,” and it warned that “This diffusion turned a localized exploit into systemic risk for the entire decentralized lending markets.”

PortalCripto added that after the theft, the stolen assets were injected into lending platforms including “Aave V3, Compound V3, and Euler,” and it stated that the attacker borrowed “wrapped ETH (WETH)” and generated “debt of more than $236 million.”

Decrypt connected the liquidity stress to the fact that the funds were “sin respaldo,” stating that “la liquidez de Aave ha estado bajo presión,” and it also linked the rescue effort to restoring rsETH after attackers “robaron y utilizaron para pedir prestadas enormes cantidades de Aave el 18 de abril.”

Whalesbook further argued that the breach exposed a “significant gap between decentralized finance's (DeFi) fast innovation and the risk management standards required by traditional finance (TradFi),” and it described the incident as part of a broader pattern, noting “47 DeFi attacks have occurred in the first four months of 2026.”

Coin Academy’s account emphasized the continuing operational blockage, saying “107,000 fictitious rsETH remain trapped in active positions on Aave and Compound as collateral for illegitimate loans,” and it warned that “Without coordinated intervention, the chaotic collapse of these positions could trigger cascading liquidations across the entire DeFi ecosystem.”

Even as the industry tried to contain the fallout, PortalCripto reported that Aave froze rsETH markets on “the V3 and V4 platforms,” preventing “any new deposits and any borrowing operations backed by this token,” underscoring how quickly the breach forced protocol-level emergency responses.

The response to the Kelp DAO hack centered on coordinated rescues and governance actions to unfreeze or redeploy ETH tied to the attacker’s exposure.

Decrypt reported that DeFi United, “impulsada por el fundador y CEO de Aave, Stani Kulechov,” raised “132.650 ETH” and said Consensys contributed “30.000 ETH,” while it also described Tron founder Justin Sun claiming “Tron DAO y el exchange de criptomonedas HTX han suministrado $20 millones en la stablecoin USDT de Tether en la plataforma de Aave.”

CriptoNoticias said LayerZero would donate “5,000 ETH” to DeFi United and allocate another “5,000 ETH” to reinforce liquidity in Aave markets, with the company saying it would allocate “more than 10,000 ether (ETH)” worth about “$23.36 million” at current prices, and it described coordination with “Aave, EtherFi, Ethena, Arbitrum and Kelp DAO.”

For governance, bloomingbit reported that on “May 1” Aave Labs, Kelp DAO, LayerZero, Ether.fi and Compound submitted a joint proposal asking Arbitrum governance to release “30,765 ETH, worth about $71 million,” which had been frozen by Arbitrum’s “Security Council,” and it stated that “All 34.2 million ARB cast so far have supported the proposal.”

CryptoRank similarly said Arbitrum governance was considering a proposal to unlock “30,765 ETH, valued at approximately $71 million,” and it described the proposal as intended to unfreeze funds and redirect them toward restoring the protocol’s stability.

Invezz described Arbitrum freezing “30,766 ETH” from a direction linked to the attacker and said the funds “remain bloqueados a menos que la gobernanza apruebe pasos adicionales,” while it quoted an Arbitrum statement that “El Consejo de Seguridad actuó con aportes de las fuerzas de seguridad” and “sin afectar a ningún usuario o aplicación de Arbitrum.”

Coin Academy’s account added that DeFi United’s plan included phased re-collateralization, stating that the coalition “says it has already secured enough ETH to fully re-collateralize rsETH,” and it described a strategy to “inject this ETH in successive phases” while intervening directly on positions opened by the attacker on Aave.

Together, these reports show a dual track: funding pledges to restore backing and governance votes to determine whether frozen assets can be released.

As the rescue efforts moved forward, multiple outlets quoted security and industry figures arguing that DeFi must raise its baseline defenses after the Kelp DAO hack.

CoinDesk quoted Paul Vijender, head of security at Gauntlet, saying, “Systems are only as secure as their weakest links,” and it also quoted Evgeny Gokhberg, founder of Re7 Capital, arguing that the industry needs to treat safeguards as baseline requirements, saying, “The industry needs to treat them as baseline requirements, not best practice.”

@coindesk

CoinDesk also included a view from Nick Cherney, head of innovation at Janus Henderson, who described the incident as “This is a speed bump for sure, but not a roadblock,” and it quoted Bhaji Illuminati, CEO of Centrifuge Labs, saying, “The goal is to make trust explicit and verifiable.”

Whalesbook similarly quoted Paul Vijender and Evgeny Gokhberg by name, stating that “Systems are only as secure as their weakest links.” and that “strict multi-signature controls and strong bridge safeguards should be baseline requirements, not just optional best practices,” while it also attributed a statement to Bhaji Illuminati that for institutional capital to grow, DeFi needs “clear ownership, reliable smart contracts, and liquid markets that can withstand pressure,” making trust “explicit and verifiable.”

Decrypt’s framing emphasized the governance uncertainty around the rescue, stating that “el rescate depende de votaciones de gobernanza pendientes,” and it described how DeFi United’s plan “no está garantizado” because it depends on token holders across multiple projects.

Cryptonews.net added a different kind of voice from within the community, quoting Guillermo (@GuillermoElor) saying, “I think we will never be calm with DeFi again,” and it quoted an investor known as Néstor (@lodelascripto) saying, “you can never feel at ease.”

Even as these reactions varied, the security prescriptions converged on bridge safeguards, multi-signature controls, and governance mechanisms, with CoinDesk emphasizing “zero-trust architectures” and “timelocks on key governance actions” as part of what must change.

Across the reports, the hack’s scale and the speed of market disruption were used to justify a shift toward more adversarial-ready designs and more explicit trust assumptions.

The next phase of the Kelp DAO fallout depends on whether governance unfreezes ETH and whether the coalition can unwind the attacker-linked positions without triggering further contagion.

DeFi United’s plan, as described by Coin Academy, aims to “fully re-collateralize rsETH” and to “inject this ETH in successive phases,” while it also intends to “intervene directly on the positions opened by the attacker on Aave rather than letting these loans fail naturally.”

AMBCrypto

Decrypt described a governance bottleneck, stating that “el rescate depende de votaciones de gobernanza pendientes” across projects such as “Mantle” and “Lido,” and it said a proposal to contribute frozen Arbitrum-related funds could take “aproximadamente 49 días.”

For Arbitrum specifically, bloomingbit reported that the vote to release “30,765 ETH, worth about $71 million” was scheduled to end on “Thursday,” and it said the unfrozen funds would be moved to a “multisignature wallet” with “Aave Labs, Kelp DAO, Certora and Ether.fi serving as signers.”

CryptoRank echoed the same “30,765 ETH” figure and framed the unlock as “urgent Kelp DAO recovery,” while Invezz said the funds would remain blocked “a menos que la gobernanza apruebe pasos adicionales.”

Beyond governance, PortalCripto described ongoing protocol containment measures, including Aave freezing rsETH markets on “V3 and V4,” and it reported that other protocols took precautions such as pausing deposits or shutting down LayerZero bridges, including Ethena’s temporary shutdown of LayerZero bridges on “the main Ethereum network.”

Whalesbook added a broader market lens, saying DeFi’s TVL fell “from roughly $99 billion to $85 billion in just 48 hours,” and it described the incident as part of a continuing security trend with “47 DeFi attacks” in the first four months of 2026.

Decrypt also tied the rescue to restoring rsETH and said DeFi United planned to use funds to “restaurar rsETH,” referencing that attackers “robaron y utilizaron” the token to borrow from Aave on April 18.