Six days after a North Korean hacking group blew a $258 million hole in DeFi’s largest lending market, the rescue operation to plug it is working.
Not through a government bailout. Not through an emergency Fed window. Through competitors writing checks for each other’s users.
The initiative, dubbed “DeFi United,” has already pulled together over $207 million in committed funds, frozen assets, and recovered tokens. The remaining $50 million gap? Between Aave’s own $180 million treasury, its $56 million Umbrella insurance fund, and additional pledges still being finalized from Ethena and LayerZero, the math says this ends with every depositor made whole.
Here’s how we got here – and why it matters more than the exploit itself.
The Attack
On April 18, an attacker exploited a vulnerability in LayerZero’s cross-chain messaging system to mint approximately 116,500 unbacked rsETH tokens through KelpDAO’s bridge. The attacker then deposited around 90,000 of those tokens into Aave as collateral and borrowed roughly $190 million in ETH and other assets against them.
Total damage: approximately $292 million. The fallout triggered $10 billion in withdrawals from Aave as users scrambled for the exits.
Blockchain investigators have since attributed the attack to the Lazarus Group, the North Korean state-sponsored hacking unit responsible for the $625 million Ronin Bridge hack in 2022 and the $1.5 billion Bybit exploit in early 2025. This wasn’t a smart contract bug or a governance failure. This was a nation-state offensive operation targeting DeFi infrastructure.
That distinction matters. The code didn’t fail because it was poorly written. It was breached by one of the most sophisticated hacking operations on the planet.
The Response
Within 48 hours of the exploit, Aave founder and CEO Stani Kulechov launched DeFi United – an open call to the industry to contribute toward covering the bad debt.
Then he put his own money where his mouth was: 5,000 ETH from his personal holdings.
“Aave is my life’s work and we’re working nonstop to find the best possible outcome for users,” Kulechov said.
What happened next was new. Protocols that compete directly with Aave for deposits and market share started stepping up – not because they had to, but because the alternative was letting the largest lending protocol in DeFi bleed out and take confidence in the entire sector with it.
Who’s In
Here’s the current scorecard of confirmed contributions:
| Contributor | Amount | Type |
|---|---|---|
| Arbitrum Security Council | 30,766 ETH (~$71M) | Frozen from exploiter via emergency governance |
| Mantle (backed by Bybit) | 30,000 ETH (~$69M) | Loan at 1% APR, proposed via governance |
| rsETH Recovered | ~$35M | Recovered tokens |
| EtherFi Foundation | 5,000 ETH (~$11.5M) | DAO treasury allocation (governance-approved) |
| Stani Kulechov | 5,000 ETH (~$11.5M) | Personal funds |
| Lido Finance | 2,500 stETH (~$5.7M) | Lido Labs Foundation treasury |
| Golem Foundation + Golem Factory | 1,000 ETH (~$2.3M) | Combined treasury contribution |
| Ethena | TBD | Confirmed, amount pending |
| LayerZero | TBD | Confirmed, amount pending |
| Tydro + Ink Foundation | TBD | Confirmed |
| Total committed/frozen/recovered |
The shortfall stands at roughly 112,204 rsETH, valued at approximately $258 million. With $207 million already accounted for, the remaining gap is around $50 million – and both Ethena and LayerZero have confirmed participation without disclosing final amounts.
LayerZero, whose messaging infrastructure was the attack vector, acknowledged its role directly: “As part of an industry-wide recovery initiative, LayerZero’s proposed contribution would go towards the best path forward to restoring rsETH backing.”
The Math Works
Even if no additional external contributions materialized, Aave could likely cover the remaining gap internally:
- Aave treasury: $180M in assets
- Umbrella insurance fund: ~$56M
- External commitments + recoveries: ~$207M
That’s $443 million in total available resources against a $258 million shortfall. The bad debt is coverable – several times over, depending on how treasury assets are valued and deployed.
The real question was never whether Aave could survive. It was whether the broader DeFi system would let Aave shoulder the burden alone, or show up.
They showed up.
Why This Matters
Take a step back and look at what actually happened here.
Lido Finance, which competes with Aave for ETH staking deposits, sent $5.7 million. EtherFi, a direct competitor in the liquid restaking market, committed $11.5 million through a governance vote. Mantle, backed by Bybit, offered a $69 million loan at just 1% interest. The Arbitrum Security Council invoked emergency powers to freeze $71 million in stolen funds – a rare use of chain-level governance authority that signals how seriously L2s take cross-system threats.
None of these protocols owed Aave anything. Several of them benefit commercially when Aave struggles. They contributed anyway.
This is what DeFi’s critics said couldn’t happen. The standard line from traditional finance has always been that decentralized systems lack the institutional backstop to handle a real crisis. No lender of last resort, no FDIC, no central bank standing behind the system.
DeFi United is the counterargument, written in on-chain transactions. A dozen independent organizations, some of them direct competitors, coordinated a $207 million rescue in less than a week. No regulator forced them. No law required it. The incentive was simpler: if Aave’s users lose faith in DeFi lending, everyone loses.
What Comes Next
The Lazarus Group attribution adds a new dimension to the recovery conversation. This was state-sponsored theft, not a protocol design flaw. That changes the framing from “DeFi is broken” to “DeFi got hit by the same group that has stolen billions from centralized exchanges and still managed to organize a response faster than most banks could schedule a board meeting.”
Several things are still in motion. Ethena and LayerZero haven’t disclosed final amounts. Law enforcement and on-chain forensics teams are tracking the stolen funds across multiple chains. The Arbitrum freeze covers $71 million, and additional clawback efforts may recover more.
But the trajectory is clear. Six days after the worst exploit to hit a major lending protocol in DeFi history, the community response has already covered 80% of the shortfall. The remaining gap is well within reach of committed resources.
Stani Kulechov pledged his own ETH. Competitors sent millions from their treasuries. A Layer 2 security council froze tens of millions in stolen assets using emergency governance. And the math – cold, verifiable, on-chain math – shows the hole can be filled.
DeFi didn’t need a bailout. It built its own.
Disclosure: CryptoGazette holds no positions in AAVE, rsETH, or any tokens mentioned in this article. This is journalism, not financial advice.
