Hackers unleashed chaos on DeFi last week, compromising admin access of KelpDAO’s LayerZero-powered bridge to open a multi-hundred-million-dollar hole in Aave, the crypto industry’s onchain lending market lynchpin.
Aave lenders rushed for the exits in the immediate aftermath of the attack, spiking utilization rates to 100% in many critical markets, effectively draining all available liquidity and preventing users from making further withdrawals. While fears for industry-wide contagion loomed large in the days that followed, those concerns have since abated, with a donation campaign securing over $300M to backstop the shortfall.
Today, let's take a look at where the exploit recovery effort sits right now.
Although the early days that followed the KelpDAO exploit were indeed dark, with only $56M in WETH deposits stored in Aave’s staking module reserved against hundreds of millions of dollars in bad debt, the rsETH hole appears to have been plugged.
The first major windfall came last Tuesday, when the Arbitrum Security Council intervened and froze 30,766 ETH (~$70M) related to the exploit that sat idle on its Layer 2 blockchain.
This bounty of seized assets represents the largest individual contribution that could go toward patching the KelpDAO exploit, but despite its significance, the timeline for recovery remains a tad uncertain.
Moving these funds requires Arbitrum governance to approve a “Constitutional API,” which mandates: a week of forum discussion, an optional one-week temperature check, a three-day voting delay, a 14- to 16-day onchain vote, an eight-day L2 waiting period, an L2-to-L1 message finalization step of typically at least a week, and a final three-day L1 wait before execution.
Although there is an ongoing attempt to circumvent these arduous standards for proposal passage, Arbitrum’s current rules as written entail an estimated 49-day recovery timeline.
Furthermore, even though these funds are the rightful property of KelpDAO exploit victims, they could easily become encumbered by legal challenges. Regulators or law enforcement agencies may seek court-ordered freezes that coerce Arbitrum’s Security Council into keeping the stolen assets immobilized, indefinitely delaying recovery.
Aave risk management group TokenLogic estimates that an additional 14,168 WETH can be recovered by liquidating the exploiter’s positions across Aave and Compound, leaving a residual funding gap of ~75k WETH.
However, much like frozen funds on Arbitrum, the exploiter’s positions on Aave and Compound could become the subject of legal challenge, complicating and prolonging the recovery process.