Aave has unwound the KelpDAO attacker's leveraged rsETH positions on Ethereum and Arbitrum, closing out collateral that was tied to the recent $71 million bad debt episode. Galaxy Digital's Thaddeus Pinakiewicz posted that the protocol is now roughly 10% short of full recovery, a sharp reversal from the worst-case framing that surrounded the incident a week ago.
The liquidations matter because the hacker had used rsETH as collateral to borrow ETH and stablecoins. Until rsETH could be priced and unwound on-chain, the loan sat as bad debt that the Aave safety module would otherwise have to absorb. With the collateral now sold into the market, most of that exposure converts back into recoverable value.
Liquidation bots clear the rsETH collateral
Aave governance moved quickly after the KelpDAO exploit, freezing rsETH markets and adjusting risk parameters so the hacker could not pile on more leverage. Liquidation bots then worked through the positions on both Ethereum and Arbitrum as price feeds normalized. The result, according to Pinakiewicz, is that recovered collateral covers about 90% of the original shortfall.
The remaining 10% gap is the part the market is now watching. Aave can absorb it via its safety module, which was designed precisely for this scenario, or close the gap through a parallel legal track that is already in motion. A separate court filing covered earlier this week saw Aave push back against a $71M crypto seizure tied to North Korea claims, arguing that the funds it pulled in were the protocol's recovered collateral, not the attacker's proceeds.
A different outcome than the headline suggested
A week ago, the dominant framing was that DPRK-linked actors had drained KelpDAO and dumped the borrow on Aave. The reality has been more orderly. Aave's risk parameters held, the freeze did its job, and on-chain liquidations executed without cascading into the broader DeFi market. ETH was at $2,333, down 1.3% over 24 hours as of May 7, 2026, with the Fear & Greed index at a neutral 50, suggesting the market never fully priced in a worst-case Aave outcome.
That contrasts with the still-unresolved Drift recovery plan, where users are waiting on a slower socialized loss process. The two incidents are useful side by side: same threat actor profile, two very different protocol responses, two very different recovery curves.
The remaining 10% question
Closing the last sliver of bad debt is partly a market problem and partly a legal one. On the market side, Aave can let liquidation incentives keep grinding through residual positions or top up via the safety module. On the legal side, the OFAC-linked claims that prompted this week's seizure dispute are still active. If Aave wins that fight, recovered funds offset what is left. If it loses, the safety module shoulders more of the gap.
For depositors, the practical signal is that the protocol's first line of defense, on-chain liquidations against live collateral, did most of the work without external intervention. That is the design assumption of money market lending, and it held in a hostile case.
Signal for DeFi lending risk controls
DeFi lending continues to grow. Aave booked $1B in 19 days earlier this month as TVL hit fresh highs across the sector, and the protocol just lifted its GHO borrow cap to 150M on the core instance. A clean walk-back from a high-profile bad debt event is the kind of evidence institutional allocators look for before scaling exposure.
The KelpDAO unwind also reinforces a point that often gets lost in liquid restaking debates: a restaked asset is only as safe as the lending market that accepts it as collateral, and only as recoverable as the liquidation infrastructure underneath. Aave's parameters, oracle feeds, and freeze authority were the difference between a $71M loss and a $7M loss.
Overview
Aave has liquidated the KelpDAO attacker's rsETH positions on Ethereum and Arbitrum, recovering roughly 90% of the bad debt left behind by the original $71M exploit. About 10% remains, with the gap to be closed either through residual liquidations, the safety module, or the protocol's parallel court fight over the seizure of recovered funds. The episode is a clean test case for DeFi lending risk controls, and the controls held.
