Five Major DeFi Protocols Ask Arbitrum DAO to Free 30,765 ETH Locked After rsETH Bridge Bug

Key Takeaways:

• Aave Labs, KelpDAO, and three other protocols filed a Constitutional AIP on April 25 to release 30,765.67 ETH frozen by Arbitrum’s Security Council.
• The KelpDAO bridge exploit created an rsETH backing shortfall of approximately 76,127 rsETH, directly affecting Aave V3 Arbitrum users.
• If Arbitrum DAO approves the vote, the 49-day governance process will route recovered ETH to a 2-of-3 Gnosis Safe for rsETH remediation.

DeFi Coalition Targets Arbitrum DAO to Unlock ETH Frozen in KelpDAO rsETH Exploit

The proposal was authored by Aave Labs, KelpDAO, Layerzero, Etherfi, and Compound. It asks Arbitrum DAO to send the frozen ETH to a designated 2-of-3 Gnosis Safe controlled by signers from Aave, KelpDAO, and Certora. The recovery address is 0xf228130ce4fAB082C7D5522c90833cec83A9C15e.

The Arbitrum Security Council froze 30,765.667501709008927568 ETH on April 21. The council moved those funds to 0x0000000000000000000000000000000000000DA0 and made clear that a governance vote would be required before they could move again.

The exploit originated from a bridge vulnerability in the KelpDAO rsETH system. According to a Llamarisk incident report, the KelpDAO rsETH Unichain-to-Ethereum bridge released 116,500 rsETH on Ethereum without a corresponding source-side burn, breaking the core bridge invariant that Ethereum-side locked rsETH should cover remote-chain minted supply.

At the time of the report, only 40,373 rsETH remained in the adapter as confirmed backing for 152,577 rsETH in remote-chain claims. The resulting backing shortfall sits at approximately 76,127 rsETH.

During the exploit, the attacker supplied 89,567 rsETH to Aave across its Ethereum Core and Arbitrum markets and borrowed 82,650 WETH plus 821 wstETH against those positions. Authors of the proposal were explicit: Aave’s smart contracts were not compromised. The incident originated outside the protocol.

The 30,765.67 ETH held on Arbitrum represents a material contribution toward closing that shortfall. The proposal states that every unit of ETH returned to the recovery effort narrows the backing gap and moves rsETH closer to full collateralization.

If governance approves the release, the funds will be used solely to remediate losses arising from the exploit. If the coordinated recovery does not proceed as planned, the parties have committed to return to Arbitrum Governance for further direction.

The proposal timeline estimates approximately 49 days from forum publication to execution. That includes a one-week forum discussion, a one-week temperature check, a three-day voting delay, a 14-day onchain vote, an eight-day L2 waiting period, a one-week L2-to-L1 message finalization window, and a final three-day L1 waiting period.

No new treasury allocation is requested. The proposal asks only for the release of funds already frozen on Arbitrum One. The direct budgetary cost to the Arbitrum DAO is expected to be zero outside of standard governance execution overhead.

Aave Labs included a full indemnification commitment in the proposal. The firm agreed to indemnify the Arbitrum Foundation, Offchain Labs, the Arbitrum Security Council, and each of its members against any claims arising from the freeze, the release, or any related enforcement action.

A Snapshot temperature check may be conducted before the proposal moves onchain. If it advances, the onchain vote will be submitted through Tally and target the Arbitrum Core governor as a Constitutional AIP.

The authors stated the outcome for Arbitrum users is better than leaving the funds frozen, whether the recovery is full or partial.