The leading lending protocol Aave has liquidated the remaining positions of hacker Kelp in rsETH as part of the approved recovery plan.
In line with the technical plan outlined below, the attacker’s rsETH positions on Aave have been liquidated on Ethereum and Arbitrum. The liquidated collateral now sits with the Recovery Guardian as specified in the AIP.
No other users were affected, and Umbrella was also… https://t.co/GQxroGuME0
— Aave (@aave) May 6, 2026
The funds obtained are transferred to a special multi-signature wallet managed by the DeFi United fund. The assets are used to restore rsETH collateral and compensate affected users.
How the Liquidation Occurred
The attacker’s positions were placed in Aave versions on Ethereum and Arbitrum. Community approval was required for their liquidation: over 90% of users supported the decision.
Thanks to the 1,600+ addresses representing over 190 million ARB tokens who have voted on unfreezing the ETH related to the April 18 rsETH incident, currently held by the Arbitrum DAO.
Reaching quorum with a strong show of approval from delegates and the Arbitrum community is a… pic.twitter.com/mhIHH7iZ89
— Aave (@aave) May 6, 2026
The DAO temporarily altered the rsETH oracle price to create a shortfall in the attacker’s position, and after the procedure was completed, parameters were returned to their original values.
The Battle for 30,000 ETH
At the time of publication, the DeFi United initiative had attracted over $320 million from industry participants and users. The largest contribution came from the L2 network Arbitrum, which froze 30,766 ETH following the attack.
In early May, the project’s DAO initiated a vote on transferring these funds to the fund. This move is supported by 90.5% of the community.
The final decision was expected on May 7, but a New York court prohibited Arbitrum from disposing of the frozen coins. They are claimed by victims of North Korean terrorists, affected during the 2015 abductions.
Aave called the court’s logic legally unsound and demanded the lifting of restrictions. The plaintiffs’ lawyers questioned the project’s right to challenge the freeze.
Earlier on May 7, hackers attacked market maker TrustedVolumes and stole $6 million. This was the fifth breach since the beginning of the month.