DeFi United, a coalition of DeFi participants spearheaded by Aave, has made a strategic plan to recover bad debts left by the North Korean hackers during the Kelp DAO attack. The strategy here includes the careful conversion of ETH to rsETH and gradual liquidation of the hackers’ positions using the price settings on the oracle. AAVE may find itself gaining the confidence of the community after its total value locked dropped by 60%.
A group of DeFi participants led by Aave came together to recover some stolen funds from the North Korean hackers. The group is on an onslaught to recover the funds stolen during the Kelp DAO hack. The group is aiming to recover approximately 13,000 ETH from affected positions on Aave’s Ethereum and Arbitrum markets and 16,776 ETH from Compound.
Convert ETH to rsETH and adjust oracle prices
This recovery strategy involves converting committed ETH into rsETH in small, staged batches rather than all at once. The above conversion is done as rsETH is a liquid restaking token issued by Kelp DAO that represents ETH earning additional staking and restaking rewards. This step helps as it makes the environment more stealthy: it helps move assets into a more flexible and yield-bearing form without disrupting the market.
Once this conversion is done systematically and gradually to avoid price shocks, the strategy moves to liquidating the attacker’s positions, which likely refers to forcibly closing risky or exploit-linked positions in lending systems such as Aave or Compound.
Finally, this liquidation is executed using temporarily adjusted oracle prices, meaning the price feeds that DeFi protocols rely on are modified for a short period to ensure orderly and efficient liquidation. This helps recover funds and prevent chaotic cascading liquidations, but it is a highly sensitive mechanism because oracle prices normally reflect real market conditions.
Attackers drain nearly $300 million from Kelp DAO
On April 18, hackers drained $291 million from the Kelp DAO, a liquid staking protocol built on the Ethereum network. Following this huge migration of funds from the pool, Aave users were facing a liquidity crunch, with little to no liquidity available in the pool.
The hackers attacked a bridge where rsETH (restaked ETH) was used to move around the network. Once the news about the attack spread, Aave restricted and froze all markets linked to rsETH, which attackers had used as collateral to borrow funds from it.
The attack left user with no liquidity
However, the damage was already done, as the attackers’ activity on Aave caused the so-called utilization rate of a core lending pool to spike to 100%. When the utilization of core DeFi protocols hits 100%, it means that all available liquidity in a lending pool has been fully borrowed, leaving no idle assets available for new loans or withdrawals.
In platforms like Aave or Compound, utilization measures how much of the deposited funds are currently being used by borrowers. When the protocol is at 100% utilization, it is overwhelmed. This means that all available assets in the lending pool have already been borrowed, leaving no idle liquidity for new borrowers or withdrawals. Under such circumstances, the supply of money is fully consumed by the need for borrowing, leading to a situation where the rates increase as the system strives to manage scarcity.
Although in the beginning the lender can benefit from the higher rate of returns due to high demand for money, it puts the pool at a risk because it lacks the cushion of money to accommodate emergency withdrawals from the pool or other shocks to the market.
It also leaves the pool very vulnerable to changes in the market due to its sensitivity to volatility, where even minimal need for liquidity creates strain on the system. Simply put, 100% utilization means that the lending pool is fully utilized.
AAVE TVL Falls to One-Third of September 2025 Levels
With the attack, the total value locked (TVL) on Aave dropped drastically as the investors lost faith in the protocol. The TVL dropped from 42 billion back in September to just above 14.5 billion.
When there is a sudden fall of TVL, as seen in the plunge of $42 billion down to $14.5 billion, then it indicates a lack of trust on the part of users as they pull out their funds out of the fear of risks like hacks, exploits, or protocol vulnerability. This kind of outflow suggests that investors are becoming risk-averse and prefer to move their capital to safer platforms or into self-custody.
However, when zooming into the chart, the Aave TVL is consolidating after a crash. This could be a recovery phase that Aave is going through, and once the stolen funds are recovered, the market will have a fresh perspective about the protocol, and investors will start trusting their funds with the protocol.