Aave and Compound Unveil Plan to Recover $246M Lost in Kelp DAO Hack

DeFi United Publishes Recovery Plan for rsETH Backing

Aave and Compound are advancing a plan to address the $246 million shortfall caused by the Kelp DAO hack. On Tuesday, DeFi United, a coalition of leading decentralized finance (DeFi) protocols, released a technical implementation to restore full backing for rsETH, the token exploited in the attack.

"DeFi United has secured sufficient ETH commitments to restore full backing," Aave stated in the outline. The plan aims to restore rsETH backing without socializing losses among protocol users.

How the Kelp DAO Hack Unfolded

On April 18, North Korean hackers stole $293 million from Kelp DAO by tricking the protocol into releasing unbacked rsETH tokens. The attackers then deposited some of these tokens as collateral on Aave and Compound, borrowing large amounts of Ether. This left the two protocols with a combined $246 million in bad debt.

If DeFi United’s plan succeeds, users of Aave and Compound whose assets were withdrawn by hackers using the dummy rsETH collateral will have their funds fully restored.

Restoring rsETH Backing: Step-by-Step

DeFi United will begin restoring rsETH’s backing by converting committed Ether into the asset in multiple tranches. This process will ensure that every rsETH token in circulation is once again fully collateralized by real Ether.

Simultaneously, the $246 million worth of rsETH still held in the hackers’ positions on Aave and Compound will be cleared through controlled liquidations. To facilitate this, the protocols will temporarily lower the oracle price of rsETH via governance votes, enabling the liquidations. Oracles, which are trusted data feeds, provide crypto asset prices on blockchains and are critical for assessing lending positions.

Potential Risks in the Recovery Plan

Aave has highlighted several risks associated with the recovery plan:

• Governance Dependence: Liquidating the hackers’ positions requires successful governance proposals on both Ethereum and Arbitrum, where some stolen funds were sent. These steps are subject to votes by the respective protocols’ DAOs.
• Attacker Interference: The hacker could attempt to disrupt the recovery process. "Deliberate interference by the attacker could result in incomplete deficit accrual, requiring additional liquidation steps to fully resolve the positions," Aave warned.

Next Steps: Execution in Coming Days

Aave Labs CEO Stani Kulechov announced on X (formerly Twitter) that the rsETH recovery process will begin in the coming days.

Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at [email protected].