Kelp DAO has finished its rsETH recovery plan, closing a chapter on a $292 million exploit that shook the liquid restaking space. The protocol, alongside Aave, refilled roughly 116,000 rsETH tokens to make affected users whole.
The $292 Million Breach
The exploit targeted a vulnerability in Kelp’s smart contracts. Attackers drained a massive pool of rsETH, a token representing restaked ether. The incident sent shockwaves through DeFi, highlighting risks tied to complex staking protocols.
Kelp moved fast. Within days, it announced a recovery plan. Aave, a major lending platform, stepped in to help plug the hole. Together, they sourced and returned nearly all of the stolen tokens.
How the Refill Worked
The refill involved transferring 116,000 rsETH back to the protocol’s reserves. Aave contributed a significant portion. Kelp handled the rest. The process took weeks, but the team confirmed completion today.
Users who lost rsETH in the exploit can now access their funds. The recovery didn’t rely on minting new tokens. Instead, it used existing reserves and contributions from partners.
That matters. Minting new tokens would have diluted existing holders. The chosen approach kept the supply stable.
What Happens Next
Kelp has not announced security upgrades. The exploit’s root cause remains under internal review. For now, the focus is on restoring trust.
The DeFi community watches closely. Liquid restaking protocols hold billions in user deposits. A single flaw can trigger a cascade of losses.
The recovery is done. But the questions around smart contract safety aren’t going away.
