Aave Normalizes WETH Lending Market and Completes LTV Recovery Following Kelp DAO rsETH Hack

On May 18, 2026, DeFi lending protocol Aave officially resumed WETH lending operations across its V3 instances. This marks the final stage of intensive recovery work following the $292 million Kelp DAO rsETH hack that occurred last April. To protect the protocol's health, Aave has concluded the emergency freeze and phased liquidation procedures maintained for a month and normalized market parameters.

The unfreezing of WETH and the restoration of LTV is a decision to lift the precautionary safety measures applied at the time of the exploit on April 18, 2026, and to restore market functionality.

Following this measure, the WETH freeze on Layer 2 (L2) networks has been lifted, and the Loan-to-Value (LTV) ratio, which had been set to 0, has been restored to previous levels. Aave governance decided to prioritize the normalization of WETH lending—a core component of market liquidity—to improve capital efficiency for users, while maintaining the freeze on rsETH and wrsETH reserve assets.

The Kelp DAO Bridge Exploit on April 18

The incident originated from a hack of approximately $292 million (116,500 rsETH) on Kelp DAO's LayerZero bridge on April 18, 2026. According to analysis by Chainalysis, the attack is suspected to be the work of North Korea's Lazarus Group and was a sophisticated attack targeting off-chain infrastructure rather than smart contract vulnerabilities. The attackers took control of internal RPC nodes and launched Distributed Denial of Service (DDoS) attacks on external nodes to inject manipulated data.

• ['Damage scale: Approximately 116,500 rsETH worth about $292 million', 'Target: Kelp DAO's LayerZero Omnichain Fungible Token (OFT) bridge', 'Attacker: Lazarus Group (estimated), a North Korea-linked hacking organization', 'Attack method: Off-chain RPC node attack and data manipulation']

Immediately after the hack, Aave implemented immediate freezing measures for WETH, rsETH, and wrsETH assets. According to research by Galaxy, during the freezing period, the WETH utilization rate structurally remained near 100%, experiencing an extreme liquidity crunch. This urgent situation gradually eased as recovery efforts progressed, and by mid-May, the utilization rate dropped slightly to 98.47%, laying the foundation for normalization.

On May 6, Aave entered the second phase of its recovery plan by liquidating all eight V3 positions on Ethereum and Arbitrum linked to the attacker. Subsequently, on May 10, it accelerated its efforts to restore market confidence by disclosing details of the technical execution plan for rsETH recovery. In this process, Aave focused on minimizing potential losses to the protocol through the freezing and liquidation of the attacker's assets.

Ecosystem Cooperation and Establishment of Financial Backstop

Full support from ecosystem partners also played a key role in the recovery process. On May 8, 2026, Mantle token holders approved the provision of a 30,000 ETH credit line to support Aave's recovery. Additionally, Aave prioritized user asset protection by pursuing a $71 million ETH repayment plan that temporarily uses separate borrowed funds to cover shortfalls occurring during legal proceedings.

Kelp DAO is implementing a plan to burn unbacked rsETH tokens to restore the collateral value of rsETH. This is an essential measure to normalize the protocol's collateral ratio and resume suspended withdrawal functions. As of May 15, 2026, Kelp DAO is reported to have entered the final stages of stabilizing the value of rsETH and normalizing bridge operations through token burning.

In the future, Aave and Kelp DAO plan to officially return restricted ETH assets to users and respond to ongoing litigation in U.S. courts regarding the frozen funds. This incident once again highlighted the security risks of cross-chain infrastructure within the DeFi ecosystem and suggests the importance of establishing close cooperation frameworks between protocols to prevent similar accidents in the future.