rsETH Incident: Liquidate rsETH attacker positions

Author

Aave Labs

Creator

0x66a28531E6f390A8CD44aB0C57a0F1aeb7E673FF

Simple Summary

As part of the Defi United recovery effort and technical plan, this proposal executes liquidations against the identified rsETH attacker’s positions on Aave V3 Ethereum Core and Aave V3 Arbitrum, subject to each position being eligible for liquidation at execution time.

The proposal is intended to reduce outstanding bad debt risk, recover available rsETH collateral through normal Aave liquidation mechanics, and route any recovered value according to the DAO-approved rsETH incident recovery process.

Motivation

On April 18, 2026, an external incident affecting Kelp’s LayerZero V2 Unichain–Ethereum rsETH route released 116,500 rsETH from the Ethereum-side OFT adapter to the attacker without a corresponding burn on the source chain. The incident was external to Aave. Aave’s smart contracts, oracles, repayment, and liquidation logic continued to function as designed. However, the attacker supplied 89,567 rsETH into Aave V3 and borrowed WETH and wstETH across Ethereum Core and Arbitrum markets.

These positions introduce direct protocol exposure backed by compromised rsETH. As rsETH accounting, backing, and redemption depend on external parties (Kelp, LayerZero, and others), the DAO should leverage protocol mechanisms to reduce risk. Executing standard Aave V3 liquidations on the attacker positions is the most straightforward path to recover rsETH collateral and contain bad debt exposure. This path prevents the attacker from withdrawing rsETH collateral, and allows the protocol to secure the collateral and halt further risk accumulation.

Specification

This proposal authorizes and executes liquidation calls against the known rsETH exploit attacker positions on Aave V3 Ethereum Core and Aave V3 Arbitrum.

Target Positions

| Market | Attacker Address | Collateral Supplied | Debt Borrowed | Action |
| --- | --- | --- | --- | --- |
| Ethereum Core | 0x1f4c1c2e610f089d6914c4448e6f21cb0db3adef | 53,000.00 rsETH | 52,460.33 WETH | Liquidate if eligible |
| Ethereum Core | 0x8d11aeac74267dd5c56d371bf4ae1afa174c2d49 | 400.00 rsETH | 394.06 WETH | Liquidate if eligible |
| Arbitrum | 0xeba786c9517a4823a5cfd9c72e4e80bf8168129b | 12,573.80 rsETH | 12,385.93 WETH | Liquidate if eligible |
| Arbitrum | 0xcbb24a6b4dafaaa1a759a2f413ea0eb6ae1455cc | 9,299.00 rsETH | 4,309.21 WETH and 8.13 wstETH | Liquidate if eligible |
| Arbitrum | 0x1b748b680373a1dd70a2319261328cab2a6f644c | 8,000.00 rsETH | 7,880.48 WETH | Liquidate if eligible |
| Arbitrum | 0xbb6a6006eb71205e977eceb19fcad1c8d631c787 | 770.00 rsETH | 758.50 WETH | Liquidate if eligible |
| Arbitrum | 0x8d11aeac74267dd5c56d371bf4ae1afa174c2d49 | 1,024.43 rsETH | 28.69 WETH and 813.12 wstETH | Liquidate if eligible |
| Arbitrum | 0xe9e2f48bb0018276391aec240abb46e8c3cad181 | 4,500.00 rsETH | 4,432.77 WETH | Liquidate if eligible |

Aggregate Attacker Exposure

| Collateral Supplied | WETH Borrowed | wstETH Borrowed |
| --- | --- | --- |
| 89,567 rsETH | 82,650 WETH | 821 wstETH |

Debt balances may differ slightly at proposal submission because borrow balances accrue continuously.

Payload Actions

The main objective of the payload is to seize the rsETH collateral from the attacker’s positions without affecting other users. The recovered rsETH will be transferred to a newly created multisig wallet, the Recovery Guardian (0x53cb4BB8F61fa45405dC75F476FaDAd801e653D9), which will act on behalf of the DAO to manage and resolve the rsETH incident. This Safe wallet is composed of DAO Service Providers and will hold the collateral and execute the necessary actions for resolution.

The proposal also grants temporary permissions to the Recovery Guardian to update Umbrella parameters if needed. However, Umbrella is already configured within this proposal to account for the potential increase in deficit (up to the total attacker debt at the time of the exploit), ensuring that Umbrella stakers are not impacted (e.g., no slashing can occur) by this proposal. Additionally, the Recovery Guardian is granted permission to eliminate deficits on Aave V3 Ethereum Core and Arbitrum markets, enabling the protocol to clear bad debt and prevent further risk. Both permissions are intended to be revoked once the incident is resolved.

For each attacker position, the proposal executes the following steps:

  1. Fetch position data and involved assets.
  2. Adjust risk parameters to make the position eligible for liquidation.
  3. Execute liquidations for rsETH/WETH or rsETH/wstETH on the relevant Aave V3 markets.
  4. Convert WETH or wstETH debt into deficit (no longer accruing interest).
  5. Transfer the seized rsETH collateral to the Recovery Guardian.

Copyright

Copyright and related rights waived via CC0.
