117,132 rsETH burned on Arbitrum after LayerZero-linked exploit

Liquid restaking tokens are supposed to be boring collateral. That was the pitch. You park ETH, get a wrapped version back, and use that token across DeFi. But when the bridge logic behind that token breaks, the damage spreads fast. That is what happened to rsETH in April — and on May 12, Kelp DAO and Aave took the first big cleanup step by burning 117,132 exploiter-held rsETH on Arbitrum and starting a staged refill of the token’s backing. ### What actually broke? The failure was not inside Aave itself. It started on April 18 in Kelp’s LayerZero V2 route from Unichain to Ethereum, where the rsETH path had been configured with a 1-of-1 DVN, or decentralized verifier network. In plain English, one attestation was enough to bless a cross-chain message. The attacker forged an inbound packet that looked valid, even though there was no matching burn on the source chain, and that released 116,500 rsETH from the Ethereum-side adapter. (governance.aave.com) ### Why does a bridge bug hit Aave? Because rsETH was being used as collateral. Once unbacked rsETH existed, it could be posted into lending markets and borrowed against like it was real. That turns a token-accounting problem into a lending problem. Aave froze rsETH and wrsETH markets across deployments on April 18 to stop fresh deposits and borrows while teams figured out the blast radius. (governance.aave.com) ### Why burn tokens on Arbitrum? Because the exploit created supply that should not exist. Burning the attacker-linked rsETH on Arbitrum removes that excess from circulation and helps line token supply back up with real backing. Think of it like deleting counterfeit casino chips before reopening the tables — until the fake chips are gone, nobody can trust the count. (governance.aave.com) ### Why Arbitrum specifically? Part of the attacker’s proceeds ended up there in ETH. Arbitrum’s Security Council froze about 30,766 ETH tied to the exploit in April, moving it into an intermediary frozen wallet. That gave the recovery effort something rare in DeFi hacks — a meaningful pile of assets that could actually be preserved while governance and courts sorted out next steps. (cointelegraph.com) ### What changed this week? The liquidation step had already happened by May 7. Aave said the attacker’s rsETH positions on Ethereum and Arbitrum were liquidated in line with the recovery plan. Then Kelp said on May 12 that the exploiter’s 117,132 rsETH on Arbitrum had been burned, kicking off a two-week process to refill that amount into the LayerZero OFT adapter from recovery-controlled wallets. (governance.aave.com) ### Does that mean users are whole again? Not instantly. The refill is staged, not one-shot. Kelp said withdrawals converting rsETH to ETH should begin after the first refill tranche, with broader operations normalizing as contracts are progressively unlocked. So this is recovery plumbing, not a magic reset button. ### What did they change to stop a repeat? (governance.aave.com) The biggest fix is stricter message verification. Kelp said the security upgrade now requires four independent attestors and 64 block confirmations. That is the exact opposite of the old setup’s problem — no more single-check path where one bad verification can mint a huge amount of supposedly backed assets. (coinalertnews.com) ### Why does this matter beyond rsETH? Because it shows how fragile “composable” collateral can be. A bridge exploit in one protocol can ricochet into lending markets, DAO emergency votes, frozen assets, and even court orders. But it also shows something DeFi rarely proves cleanly in public — if assets are frozen fast enough and protocols coordinate, a large-scale recovery can move from theory to actual on-chain repair. (coincentral.com) The bottom line is simple. The burn on Arbitrum did not end the rsETH crisis, but it turned the story from containment into reconstruction. In DeFi, that is a real milestone. (governance.aave.com)