Foresight News
Foresight News|May 15, 2026 06:19
Who can take away $71 million from Kelp DAO hackers? 】 Four weeks after the theft of $292 million, rsETH resumed withdrawals, but the frozen ETH worth $71 million was stuck in a North Korean terrorism compensation lawsuit. \On April 18th, the Kelp DAO cross chain bridge was attacked by the North Korean Lazarus Group, resulting in a loss of approximately $292 million. The Arbitrarum Security Committee froze the attacker's 30766 ETH (approximately $71 million). The New York federal court is currently hearing an unprecedented legal dispute in DeFi history regarding the ownership of the frozen funds. \On May 14th, Judge Margaret Garnett of the Federal Court for the Southern District of New York postponed the scheduled emergency hearing to June 5th and requested Aave and the opposing law firm Gerstein Harrow to provide additional briefings by May 22nd, responding positively to six legal issues: whether hacker transactions are subject to the shelter doctrine in New York State, the legal distinction between fraud and theft, and whether hackers have any legal rights to stolen goods, which country's laws determine the priority of frozen assets for creditors, whether constructive trusts constitute appropriate judicial remedies, whether Aave or Arbitrarum can identify individual victims and return funds proportionally, and how compound losses of Aave users actually occur during the ongoing freeze. In the previous emergency motion, VE advocated that the continued freezing of funds would trigger user liquidation Garnett believes that Aave has not clearly explained the chain of losses caused by the instability of DeFi lending markets and requests additional evidence. \This is Judge Garnett's second intervention. On May 9th, she issued the first order to modify the scope of the restriction order, allowing the Arbitrarum DAO to transfer frozen ETH to Aave controlled wallets through on chain governance voting, and voting participants do not constitute a violation of the freeze order. In other words, the procedural issue of fund mobilization was resolved on May 9th, and the substantive issue of who has the authority to mobilize was left until June 5th. \On May 1st, the US law firm Gerstein Harrow LLP submitted a restraining order notice to the Southern District Court of New York, requesting that Arbitrarum not release the ETH. \The clients of this law firm have nothing to do with the crypto world. Gerstein Harrow represents three groups of families holding unexecuted anti-terrorism judgments against North Korea, totaling approximately $877 million: the Kim v. North Korea case (approximately $330 million): Korean pastor Kim Dong sik disappeared and was killed after being kidnapped by North Korean agents on the China North Korea border in 2000, and his family received a judgment against North Korea in a US court. The Hezbollah Rocket Attack Case (Kaplan v. North Korea, approximately $169 million): The plaintiff claims that North Korea provided weapons support to Hezbollah and is seeking compensation under the US Counter Terrorism Act. The 1972 Rhodes Airport Massacre (Calderon Cardona v. North Korea, $378 million): a terrorist attack that occurred at Rhodes Airport in Tel Aviv, Israel, carried out by the Japanese Red Army under the direction of the Palestinian extremist faction, resulting in 26 deaths; The plaintiff listed North Korea as a related terrorist supporter in a US court. \NGerstein Harrow's legal theory is that since on chain analysis attributes this ETH to Lazarus, which is a North Korean state actor, then this asset belongs to North Korean state property and should be reused to fulfill the 2015 judgment, with priority given to compensating anti-terrorism victims who hold unexecuted judgments. \Chain investigator ZachXBT publicly criticized this as taking advantage of the situation, pointing out that Gerstein Harrow had previously attempted the same operation in North Korean related hacking cases such as Harmony and Bybit, stating that the entire job of this law firm was to 'read my post after I completed the difficult part of collecting evidence'. Security researcher Taylor Monahan more directly described it as' worse than an ambulance chaser '. \ZachXBT believes that Aave users are the actual victims of the attacker's lending behavior, and there is no direct causal relationship between the judgment of anti-terrorism survivors and the losses of DeFi users. Gerstein Harrow's intervention is actually slowing down the victim's fund recovery process. \Aave initiates on chain voting, rsETH five chain resumes withdrawal, while the legal process advances, the protocol layer repairs are being carried out in parallel at a faster pace. \On May 12th, Aave initiated a binding on chain vote on Arbitrarum, proposing to transfer 30765 ETH from the security committee wallet to Aave Recovery Guardian controlled by Aave LLC. The voting will be open on May 15th and is expected to take about eight days to complete. Afterwards, ETH will need to go through standard L2 to L1 withdrawal delays to reach the Ethereum mainnet. \On the same day, Kelp DAO announced that the rsETH withdrawal, cross chain bridging, and EigenLayer application functions have all been restored. In terms of technical repairs, the forged rsETH supply by the attacker was cleared and destroyed on May 7th. The first batch of 25000 rsETH was transferred from Aave Recovery Guardian to LayerZero OFT adapter on May 14th, officially restarting cross chain bridging. \Aave has restructured its vulnerability bounty system, with a maximum of $5 million for V3 core critical vulnerabilities. In response to the Kelp DAO incident, Aave Labs has submitted a vulnerability bounty program restructuring proposal (ARFC) to the governance forum. The proposal is to split Aave DAO's current single bounty program into seven subsystem specific projects, hosted on three platforms: Immunefi is responsible for Core Aave V3, V2, GHO, and non liquidity protocol infrastructure; Sherlock is responsible for Aave V4 and Aave App Stack; Cantina is responsible for Aave V3 on Aptos. \In terms of compensation standards, the most significant change is in Core Aave V3, where the maximum bounty for critical vulnerabilities has increased from $1 million to $5 million, and the minimum payout has increased from $50000 to $100000. The upper limit of key vulnerabilities in Aave V4 has been raised from 500000 to 2.5 million US dollars. Community member robtg4 estimated in the governance forum that if each subsystem triggers a critical vulnerability annually, the total critical compensation budget for the seven projects would be approximately $5 million to $6 million. Adding high/medium/low-level vulnerabilities, the reasonable range for the annual total budget would be $8 million to $10 million. \The proposal also suggests maintaining a multi platform architecture for 6 to 12 months, and deciding whether to integrate it after collecting sufficient operational data. LlamaRisk has expressed support, believing that the split structure can better match the actual risk surface of each subsystem. \As of press time, rsETH withdrawals and cross chain functionality have resumed operation, DeFi United's fund injection is progressing in batches, and Arbitrarum governance voting is underway. The final ownership of the $71 million frozen ETH will depend on the hearing result of the New York Federal Court on June 5th. But for Aave users and rsETH holders, the technical crisis has been resolved, and legal uncertainty continues.
+4
Mentioned
Share To

Timeline

HotFlash

APP

X

Telegram

Facebook

Reddit

CopyLink

Hot Reads