Author: Sahil Thakur
By April 28, 2026, ten days after a forged LayerZero packet released 116,500 unbacked rsETH and ricocheted into Aave’s lending markets, a coalition called DeFi United had publicly stitched together more than 100,000 ETH in pledged support, frozen exploiter funds, and DAO proposals. It isn’t a fund in the traditional sense. It isn’t a charity. And by its own admission, it depends on actions outside its own control to actually work.
At the time of writing, more than $310M have been raised.
The official site at defiunited.eth describes the effort as a coordinated relief push led by Aave service providers, with one explicit goal: restore rsETH backing and normalize market conditions. The same page warns, in plain language, that the outcome depends on KelpDAO reopening withdrawals and Arbitrum governance releasing the 30,765 ETH it has frozen on-chain. That caveat is the whole story in miniature, and it’s the place to start.
Src: Defiunited
DeFi United is best understood as an ad hoc, ecosystem-wide recapitalization vehicle. It was created after the April 18, 2026 rsETH bridge incident as a coordination shell, not a single legal entity. There’s no DAO of its own, no charter, no token, no insurance pool sitting in escrow.
What sits behind the name is a stack of separate things glued together: direct donations into defiunited.eth, DAO proposals at Aave and other protocols, frozen exploiter funds awaiting governance approval, loans and credit lines, and auxiliary liquidity support for Aave and the GHO stablecoin. The official site is unusually honest about its own limits. It says DeFi United doesn’t control whether KelpDAO will reopen withdrawals, and it can’t unilaterally release the ETH the Arbitrum Security Council froze. Both of those need to happen for the rescue to land.
The DeFi United fund also isn’t a response to an Aave smart contract bug. Aave wasn’t hacked. The lending protocol’s role in this story is more uncomfortable: it accepted the unbacked rsETH that the attacker created, valued it as collateral, and let the attacker borrow real WETH and wstETH against it. That’s why a bridge exploit at KelpDAO turned into a balance-sheet problem at Aave, and why the recovery effort had to be Aave-led even though the original failure happened somewhere else.
The trigger was a single forged message. According to Aave’s co-authored incident report, an attacker exploited Kelp’s LayerZero V2 Unichain-to-Ethereum rsETH route at 17:35 UTC on April 18, 2026. The route had been configured as a 1-of-1 DVN path, meaning a single verifier was responsible for confirming cross-chain messages. The attacker submitted a forged inbound packet, and the Ethereum-side adapter released 116,500 rsETH without a corresponding burn on the source chain.
That’s the part that broke the bridge invariant. Kelp’s lock-and-mint design depended on the rsETH locked in the Ethereum adapter always being greater than or equal to the remote-chain minted supply. With the forged packet accepted, that math no longer held.
A second packet for another 40,000 rsETH made it through verification but reverted after Kelp froze the recipient. By the time the dust settled, only 40,373 rsETH remained as the confirmed adapter backing for 152,577 rsETH of remote-chain claims. The shortfall was roughly 112,000 rsETH.
The damage didn’t stop at the bridge. The attacker pushed 89,567 rsETH into Aave, used it as collateral, and borrowed 82,650 WETH and 821 wstETH against the position. Aave’s Guardian froze rsETH and wrsETH markets, then later froze WETH on several deployments and adjusted interest-rate parameters to reduce the incentive for additional borrowing. Aave service providers also paused AAVE buybacks from April 19 onward to keep treasury flexibility.
The bad debt question got messy fast. Aave’s risk team modeled a wide range depending on how losses were socialized: roughly $123.7 million if KelpDAO uniformly socialized losses across all rsETH holders, or roughly $230.1 million if losses were isolated to L2 rsETH on Mantle, Arbitrum, Base, and Ink. Both numbers are scenarios, not realized losses, and the actual outcome depends on KelpDAO’s policy choices and how much of the rescue stack converts into real capital.
LayerZero published its incident statement on April 19. It argued the protocol itself wasn’t broken, the issue was isolated to KelpDAO’s single-DVN configuration, and downstream RPC infrastructure used by LayerZero Labs’ DVN had been poisoned. KelpDAO pushed back. Its position is that the 1-of-1 DVN setup followed LayerZero’s own defaults and had been discussed as appropriate during the L2 expansion. Both framings are attributed positions, not adjudicated facts. The exploit happened at the seam between them.
According to DefiLlama, AAVE has lost nearly $8Billion in TVL after the KelpDao incident.
Src: DefiLlama
The coalition didn’t appear in one announcement. It accreted day by day, as one set of actors froze the bleeding and another set started raising the capital to repair the damage.
The freeze sequence came first. Aave Guardian froze rsETH and wrsETH on April 18, before most of the public was awake. LayerZero published its statement on April 19. Aave service providers released the detailed incident report on April 20. On April 21, the Arbitrum Security Council froze 30,765.6675 ETH tied to the exploiter, the largest identifiable recoverable bucket in the eventual rescue stack.
The capital-raising phase started two days later. Stani Kulechov, Aave’s founder, publicly pledged 5,000 ETH on April 23 and framed Aave as his life’s work. Ether.fi and Lido proposals appeared the same day. On April 24, the contribution address at defiunited.eth opened, support from Golem, Emilio Frangella, BGD Labs, and Ernesto was publicized, and the Aave DAO funding ARFC went live. April 25 brought an Arbitrum constitutional proposal to release the frozen 30,765.67 ETH into the recovery process.
By the end of the week, the coalition had widened well beyond Aave’s immediate orbit. Consensys and Joseph Lubin committed 30,000 ETH on April 27, the largest single private commitment publicly disclosed. LayerZero followed on April 28 with a 10,000 ETH package split between DeFi United and Aave market liquidity, and a technical implementation plan for restoring rsETH backing was made public the same day.
The arc below captures the dated, high-confidence sequence drawn from Aave governance, the Arbitrum forum, LayerZero’s official statement, and the public DeFi United tracker.
Key milestones related to the rsETH recovery effort
A forged inbound packet on a 1-of-1 DVN route releases 116,500 rsETH from the Ethereum adapter. Aave Guardian freezes rsETH and wrsETH, stopping further collateral expansion after the cross-chain backing invariant is broken.
LayerZero frames the issue as isolated to KelpDAO’s single-DVN configuration and notes that RPC nodes were replaced.
Aave publishes its incident report, modeling potential bad-debt scenarios ranging from $123.7 million to $230.1 million.
The freeze creates the largest single recoverable pool in the eventual rescue stack.
Stani pledges 5,000 ETH, while Ether.fi and Lido proposals surface, signaling that major LST stakeholders may contribute real principal to the recovery.
The emergency response becomes a named public coalition, with a contribution address launched and an Aave funding ARFC posted.
A governance proposal is filed to route frozen exploiter funds into the recovery process.
The largest publicly disclosed private commitment broadens the coalition beyond Aave-adjacent participants.
The accused infrastructure provider joins the rescue effort, making its participation part of the wider public debate around accountability and recovery.
The simplest way to think about DeFi United’s financing is as a layered stack, not a single donation pool. One layer is frozen exploiter funds, especially the 30,765.67 ETH immobilized on Arbitrum. Another is large DAO or corporate commitments that still require governance approval or execution. A third is named individual support from core ecosystem builders. A fourth is broad community donation flow into defiunited.eth.
That layering matters because the public conversation has at times been contradictory. Trackers can describe the headline target as reached while the official site still warns the outcome depends on future governance and technical work. Both are true. A pledged 30,000 ETH is not the same as 30,000 ETH in the contribution wallet. A frozen wallet is not the same as a released one. A facility offered as a credit line is not the same as a donation.
The table below separates disclosed commitments from execution status, as of late April 2026. The most important gap in the public record is that the official trackers don’t surface per-commitment on-chain transaction hashes for most large named supporters. Where an item is a governance proposal, a pledge, or a frozen-funds release request rather than an executed contribution, that’s labeled directly. The official collection address for community on-chain receipts is defiunited.eth at 0x0fCa5194...70effE68.
A few names showed up in the coalition with confirmed support but no public ETH-denominated number at the time of capture. Circle Ventures was reported as supporting the recovery by purchasing AAVE in the open market, which isn’t directly the same as a DeFi United contribution. Ethena, Ink Foundation with Tydro, and Frax Finance were all listed on the official site as confirmed but with the amount marked TBD. Compound Foundation proposed up to 3,000 ETH on April 27. Avalanche Foundation expressed support without a disclosed figure.
So when you read that DeFi United members have raised more than 100,000 ETH, the honest version is: that’s the sum of disclosed pledges, conditional facilities, and frozen funds awaiting governance, not the sum of unconditional, executed donations sitting at defiunited.eth ready to deploy. The headline is real. So is the gap between pledges and capital.
The honest answer depends on what “survive” means. If it means “complete its mission as an incident-specific recovery vehicle,” the answer is probably yes, but only if paper commitments convert into deployable capital and the technical unwind executes cleanly. If it means “become a durable institution that handles the next incident too,” the answer is much less clear.
Take the incident-specific case first. Public trackers said the recovery target had been reached in late April, but they qualified the claim by flagging pending votes, indicative agreements, and execution risk. The official DeFi United fund site warns explicitly that the result depends on external actions. That isn’t a hedge for legal cover. It’s the actual structure: the rescue requires KelpDAO to reopen withdrawals on a schedule that doesn’t crater the secondary market, Arbitrum governance to release the frozen 30,765 ETH, Aave DAO to ratify the 25,000 ETH commitment, and a half-dozen other proposals to clear their respective DAOs. Any one of those can stall.
The aggregate market damage during the same window gave a sense of how thin the margin was. Per DL News, AAVE fell about 10% in the 24 hours after the exploit, and a separate DL News piece reported users had pulled almost 25% of assets from Aave since the hack, with TVL dropping to a little over $34 billion. Aavescan, reported more than $10 billion left Aave after the attack. That’s the trust hit DeFi United is implicitly trying to reverse.
As a durable institution, DeFi United looks more fragile. Its capital stack is bespoke, its governance path is improvised, and its legitimacy comes from Aave’s systemic importance and the unusually visible nature of the rsETH shortfall. That makes it a powerful precedent. It doesn’t automatically make it a reusable permanent body. The next incident, with different victims, different infrastructure, and different politics, won’t have the same coordination advantages.
The most important analytical point about DeFi United is that it addresses a balance-sheet consequence, not a root cause. Even a perfectly executed rescue leaves three questions unanswered. Why was a high-value cross-chain bridge running on a 1-of-1 DVN by default? Why was a deeply wrapped, bridge-dependent LRT given high enough collateral parameters on Aave to mint nine figures of bad debt under a single forged message? And what enforces better behavior next time, given that the “lesson” arrived with a rescue attached?
LayerZero’s framing puts the issue at the application layer. The 1-of-1 DVN was KelpDAO’s choice, the protocol itself wasn’t broken, and the downstream RPC poisoning has been remediated. KelpDAO’s framing puts it back at the infrastructure layer. The configuration matched LayerZero’s own defaults, and was reviewed during expansion. Both can be partly true. The honest reading is that DeFi can’t keep using insecure or ambiguous defaults for high-value bridge routes and then expect lending markets to absorb the resulting asset-quality shock.
An Aave forum temp check after the incident argued the problem also belongs to Aave’s listing standards. That isn’t the official protocol verdict yet, but the logic is hard to dismiss: ETH became an LST, the LST became rsETH, rsETH got wrapped through a LayerZero OFT representation, the OFT became wrsETH on L2, and the L2 wrsETH still carried very generous loan-to-value parameters. Composability compounds hidden risk. DeFi United may save users from the consequences of that design choice this time. It doesn’t prove the choice was sound.
The durable fix sits in protocol design, not philanthropy. Stricter multi-verifier requirements on bridge routes. Clearer default-security standards from infrastructure providers. Tighter collateral frameworks for bridge-dependent and multi-wrapped assets. Active backing and nonce monitoring with circuit breakers that kick in before nine figures of borrowing happens off a single forged message. And, eventually, ex ante capital or insurance requirements for protocols that want the benefits of being systemically important.
So here’s where this lands. DeFi United is the most credible test yet of whether DeFi can self-organize a lender-of-last-resort response without a state backstop or a centralized equity recap. If it succeeds, it shows the space can do something genuinely new in public: publish exposures, freeze markets, mobilize treasuries, route recovered funds, and restore backing without anyone writing a check from outside. That’s worth cheering. It’s also worth keeping in mind that a successful rescue makes the underlying reforms easier to defer. Cheer the coordination. Demand the structural fixes. The two aren’t in tension, and the next exploit will pick whichever one we forgot to do.
DeFi United Explained: Inside The Aave-Led rsETH Recovery Fund
20 Airdrops That Could Print On Solana
Kaspa Roadmap 2026-2027: Every Upgrade, and What It Means
What Sam Bankman-Fried Investments Are Actually Worth Now
DeFi United Explained: Inside The Aave-Led rsETH Recovery Fund
20 Airdrops That Could Print On Solana
Kaspa Roadmap 2026-2027: Every Upgrade, and What It Means
What Sam Bankman-Fried Investments Are Actually Worth Now
