News
5 May 2026, 09:06
KelpDAO hack exposes weak spots in Web3 security

The KelpDAO hack showed several fault lines in Web3 security. The biggest problem was blockchains flawlessly executing transactions that were based on flawed data. Web3 security is still at the forefront, as a way to rebuild trust in DeFi protocols.

The KelpDAO hack had lasting repercussions for DeFi lending and raised issues on ramping up Web3 security.

[Chart] DeFi hacks reached a one-year high in April, opening up a discussion on Web3 risks and better ways to intercept hacks. | Source: DeFiLlama.

The recent wave of hacks in April may make apps reassess the way they access data and permit transactions. Similar hacks continued in May, with $930K lost in the month to date. Recently, Bisq Protocol lost $858K based on flawed protocol logic and a fake client attack, according to DeFiLlama data.

Web3 apps have a data verification problem

According to Victor Fei of Ormilabs, the KelpDAO hack is a clear example of how an application can continue working even if the blockchain state does not correspond to the data. Fei explained that applications do not always refer back to the blockchain directly. They rely on intermediaries such as RPC nodes rather than raw on-chain data. This is a requirement for Ethereum and other older chains, which are no longer viable to access directly for most apps.

With a limited source of data, a bridge can only rely on a small set of RPC nodes. When some sources are compromised or unavailable, the app may operate on bad data, while the underlying chain will still count the transactions as valid. Most modern Web3 apps do not access the chain directly, but rely on some form of indexing to fetch relevant information. The indexing can display flawed data or become a direct vector of attack.

The KelpDAO exploit revealed this vulnerability in full. The verification process trusted a limited number of RPC sources, and attackers hijacked some of those sources.
With a flawed data layer, the blockchain processed the transactions as usual and spent real coins in exchange for a fake balance. The problem becomes even more serious if AI agents are allowed to act based on a limited and potentially flawed data layer.

What can increase Web3 security?

The biggest flaw in the KelpDAO, Drift Protocol, and other recent hacks is the speed of execution. Most of the transactions happened immediately and were finalized in the next block, with no cooldown period or extra checks. Web3 has advertised its ability for fast permissionless transactions, but it also allows bad actors to execute their heist with speed.

“The future of Web3 security comes down to speed. Our data shows that hacking and laundering are fast and cheap, while teams’ response is slow and expensive,” commented Vladyslav Syrotin, Head of Investigations at Global Ledger, to Cryptopolitan.

Syrotin believes Web3 projects should lower their time-to-detection to catch unusual outflows, sudden liquidity drops, or suspicious smart contract calls. According to Syrotin, alerts and blocks should be automated within one second after an attack, and victim reports and data labeling should be ready within 10 minutes. Currently, it takes hours or days to tally the total losses and track down the wallet clusters of the attackers.

Syrotin added that even a slower time frame, with 30-second alerts and labeling in four hours, can help prevent around half of the incidents and cut losses.
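The failure mode this article describes (some data sources compromised while others are unavailable) as an added Python example, not code from KelpDAO or any project named here. The source names, digests and the `cross_check` policy are constructed for illustration.

```python
from collections import Counter
from typing import NamedTuple, Optional


class Decision(NamedTuple):
    accept: bool
    value: Optional[str]
    dissent: tuple  # sources whose answer should be investigated


def first_available(responses):
    """Weak policy: act on whichever source answers first."""
    return next((v for v in responses.values() if v is not None), None)


def cross_check(responses, min_agree):
    """Fail closed unless min_agree sources report the same value.

    responses maps a source name to the value it reported for one query
    (for example a block hash or message digest); None means unreachable.
    min_agree must be a strict majority of the configured sources, so two
    conflicting values can never both reach the threshold.
    """
    if 2 * min_agree <= len(responses):
        raise ValueError("min_agree must be a strict majority of sources")
    answered = {s: v for s, v in responses.items() if v is not None}
    if not answered:
        return Decision(False, None, ())
    value, votes = Counter(answered.values()).most_common(1)[0]
    if votes < min_agree:
        # Too few matching answers: refuse to act, flag everyone who answered.
        return Decision(False, None, tuple(sorted(answered)))
    dissent = tuple(sorted(s for s, v in answered.items() if v != value))
    return Decision(True, value, dissent)


# Constructed sample data (hypothetical source names and digests).
HONEST, FORGED = "digest-honest", "digest-forged"
ALL_AGREE = {"rpc-a": HONEST, "rpc-b": HONEST, "rpc-c": HONEST}
MINORITY_FORGED = {"rpc-a": HONEST, "rpc-b": HONEST, "rpc-c": FORGED}
HONEST_DOWN = {"rpc-a": None, "rpc-b": None, "rpc-c": FORGED}

if __name__ == "__main__":
    for name, sample in [("all agree", ALL_AGREE),
                         ("minority forged", MINORITY_FORGED),
                         ("honest sources down", HONEST_DOWN)]:
        print(name, "| first_available:", first_available(sample),
              "| cross_check:", cross_check(sample, min_agree=2))
```

The third case is the one that matters: with the honest sources unreachable, the first-answer policy acts on the forged digest, while the majority policy refuses to act and names the lone responder for investigation.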
5 May 2026, 08:18
DeFi lender Aave asks court to block $71 million crypto seizure tied to North Korea claims

The filing challenges a New York restraining notice that froze ETH on Arbitrum after the rsETH exploit, with Aave arguing the funds belong to users, not North Korea judgment creditors
5 May 2026, 05:43
Aave Battles to Unlock $292M Kelp Hack Funds Amid Legal Clash

The notice, filed by Gerstein Harrow LLP, argues that its clients are owed over $877 million tied to North Korea-related judgments and claims the stolen assets fall under that liability. Aave argued that stolen funds cannot establish lawful ownership and that any link to North Korea remains unproven.

Aave Tries to Release Kelp Hack Funds

Aave filed an emergency motion in a New York district court seeking to overturn a restraining notice issued against Arbitrum DAO and its handling of funds linked to the recent Kelp DAO hack. The legal dispute centers on 30,766 ETH that Arbitrum DAO intends to transfer to victims affected by the exploit, which resulted in losses of approximately $292 million on April 18.

The restraining notice was served by Gerstein Harrow LLP, which claims that its clients are owed more than $877 million in default judgments tied to North Korea. The firm argues that the hacker group allegedly responsible for the exploit had possession of the stolen assets, and therefore its clients hold a legal claim over the ETH in question. This claim effectively seeks to block the transfer of funds intended to compensate victims.

Aave challenged this position by arguing that ownership cannot be established through theft and that the law firm’s argument lacks legal and logical foundation. The protocol also explained that any connection to North Korea is still unproven, which weakens the basis for the restraining notice. In its court filing, Aave described the legal action as a threat not only to its users but to the overall decentralized finance ecosystem.

The dispute is happening as Arbitrum DAO continues an on-chain vote to determine whether the funds should be released to support DeFi United, which is an industry-wide initiative with the goal of restoring the backing of rsETH and reimbursing affected users. The vote is scheduled to conclude on May 7.

Aave’s legal team warned that maintaining the freeze on the assets could have far-reaching consequences.
According to the protocol, delays in releasing the funds could discourage future recovery efforts involving hacks linked to state-sponsored actors, as legal complications may deter participants. In addition to this, it argued that such restrictions could inadvertently encourage malicious activity by increasing uncertainty around asset recovery. The protocol also shed some light on the immediate risks posed to its users, as immobilized funds may disrupt collateral positions on multiple platforms. If users are unable to access assets tied up in the dispute, they may face cascading liquidations and financial instability in DeFi markets. Aave’s main point is that the continued restraint of these funds risks causing irreparable harm to users and undermines confidence in decentralized financial systems.
5 May 2026, 05:36
Aave challenges $71M ETH freeze in New York legal dispute

Aave has filed an emergency motion in a New York court to lift a restraining notice that is blocking the transfer of 30,766 ETH earmarked for victims of the Kelp DAO exploit.

According to a filing submitted in a New York district court, Aave challenged a notice issued by Gerstein Harrow LLP that seeks to stop Arbitrum DAO from releasing the Ether, which is currently under governance control following the April 18 breach.

Gerstein Harrow LLP served the notice on Friday, arguing that its clients are owed more than $877 million in default judgments against North Korea and that the alleged involvement of a North Korean hacking group in the exploit gives them a legal claim over the frozen assets.

In its emergency motion, Aave argued that stolen assets do not become the lawful property of the thief, adding that the law firm’s position “defies logic, common sense and the law.” The filing also noted that any link to North Korea remains unproven and is based on suspicion rather than confirmed attribution.

Recovery plan faces legal roadblock

Arbitrum’s Security Council had previously seized 30,766 ETH from an address tied to the exploit and moved the funds into a DAO-controlled wallet, according to an April 21 update from Arbitrum. Any transfer now depends on a governance vote, which is scheduled to conclude on May 7.

A proposal backed by Aave Labs, Kelp DAO, LayerZero, EtherFi, and Compound has asked the DAO to release the funds into “DeFi United,” a coordinated recovery effort aimed at restoring rsETH backing and reducing bad debt across lending platforms. The proposal states that more than 102,000 ETH has already been pledged toward covering a 163,200 ETH shortfall.

The Kelp DAO exploit, which drained 116,500 rsETH valued at about $292 million, has been linked in preliminary findings by LayerZero to North Korea’s Lazarus Group, though the attribution has not been formally confirmed.
Aave warns of systemic impact if funds remain frozen

In its court filing, Aave warned that upholding the restraining notice could disrupt ongoing recovery efforts tied to North Korea-related hacks by exposing them to competing legal claims. The protocol argued that such actions could also encourage attackers to target DeFi systems if stolen assets become harder to recover.

Lawyers representing Aave said the continued freeze is causing “irreparable harm” to users and the wider DeFi ecosystem, adding that the damage cannot be resolved through monetary compensation. They stated that failure to release the funds could destabilize lending markets if affected users are unable to meet collateral obligations tied to their positions.

Addressing the law firm’s claim directly, Aave’s legal team said the case relies on “conjecture from posts on the internet” to argue that North Korea gained ownership of the assets by briefly controlling them during the exploit. The filing maintains that the Ether belongs to Aave users who lost funds in the attack, not to any external actor.

If the court declines to lift the notice immediately, Aave has asked that Gerstein Harrow LLP be required to post a $300 million bond to maintain the restriction while the case proceeds. As of publication time, the court had not yet ruled on the motion, and no hearing date had been scheduled.

The post Aave challenges $71M ETH freeze in New York legal dispute appeared first on Invezz.
5 May 2026, 01:07
Aave challenges $71M freeze as DeFi recovery collides with North Korea claims

Aave, a major decentralized finance (DeFi) liquidity protocol, is asking a U.S. federal court to lift a freeze on roughly $71 million in ETH. The firm argues that the assets belong to its users, not to a suspected North Korean hacker. The funds are currently locked on the Arbitrum network.

The dispute highlights growing tension between DeFi recovery efforts and creditors seeking to enforce longstanding judgments against North Korea.

In a court filing dated May 4, 2026, Aave said the court-ordered freeze is blocking the return of assets recovered following the Kelp DAO rsETH token exploit. In the meantime, the company is demanding an immediate lifting of the freeze. If the freeze stays, it requires a minimum $300 million bond from the plaintiffs.

“Since the exploit occurred, teams from the Aave Protocol community, the Arbitrum community, and others in the global DeFi community have been working tirelessly as part of an effort called ‘DeFi United’ to return the frozen assets and other value to those affected by the Aave Protocol incident. They aim to restore stability and security within both the Aave Protocol and other protocols in the decentralized finance ecosystem while also ensuring that similar exploits do not happen again,” said the memo.

Recent developments suggest that lawmakers are closer than ever to resolving those disputes. A bipartisan breakthrough on stablecoin yield restrictions has removed one of the biggest obstacles to progress, with negotiators now working on final language that would allow crypto rewards tied to user activity while limiting interest-like payments on idle balances.

The Kelp DAO rsETH token exploit raises doubt over the Blockchain technology

This dispute originated from a cyber breach in April involving Kelp DAO, a prominent liquid restaking protocol on Ethereum. In this scenario, a hacker exploited a vulnerability in a cross-chain bridge connected to the rsETH token.
Afterward, the hacker exploited Aave by using illicitly obtained assets as collateral to borrow roughly $230 million in ETH. Shortly after the incident, as previously reported by Cryptopolitan, the Arbitrum protocol seized 30,766 ETH, worth about $73 million. It then reserved the assets for recovery.

Analysts say the initial expectation was for the recovered ETH—the first major batch post-hack—to be returned to the victims. Later, this endeavor evolved into “DeFi United” pending ETH unfreezing decisions and other protocol votes. Notably, DeFi United is an emergency coalition of major crypto protocols—including Aave, Lido, and EtherFi—formed in April 2026 to restore rsETH backing after a $292 million Kelp DAO exploit.

In this case, the plaintiffs, who hold unpaid judgments against North Korea, indicated a high likelihood that the attacker is linked to the regime’s Lazarus Group. Based on their argument, the frozen assets should be considered North Korean property and seized.

In their filing, the plaintiffs began by admitting that the accusations regarding North Korea could be valid. “However, AaveLLC strongly disagrees with the idea that these issues can be legally resolved by restraining and seizing assets belonging to innocent third parties—specifically, users of the Aave software protocol (the ‘Aave Protocol’), who are completely unrelated to any alleged wrongdoing and have no known ties to North Korea,” they said.

Despite uncertainty regarding the culprit, the hack had immediate consequences. Panic withdrawals quickly drained key lending pools, leaving them with critically low balances. These sudden mass withdrawals left some users unable to withdraw their deposits.

The filing noted that the funds were seized directly from Aave users. This statement challenges the claim that they are associated with any alleged wrongdoer. It also casts doubt on whether Arbitrum DAO qualifies as a legal entity.
Meanwhile, Aave refused to be an official entity subject to the plaintiffs’ method of service. This claim could create legal hurdles.

Can stolen crypto be recovered without harming innocent users?

Aave argues that freezing the assets is not only a legal issue but is actively hindering recovery from the Kelp DAO exploit. At this point, the attorneys for the plaintiffs stated that the Restraining Notice against Arbitrum DAO was not intended to assist in recovering funds for Aave Protocol victims; rather, they noted, it served the opposite purpose.

In a statement, the founder and CEO of Aave, Stani Kulechov, stated that, “A thief does not own what he steals.” He compared the situation to a thief stealing diamonds, only to have them snatched back. “These funds belong to the affected users they were stolen from — end of story,” he said.
4 May 2026, 20:45
Aave moves to unfreeze $73 million in ETH as court battle complicates Kelp DAO recovery

Aave LLC is asking a U.S. federal court to lift a restraining order that has frozen roughly $73 million in Ether (ETH) recovered after the Kelp DAO exploit.

In an emergency motion filed on May 4 in the U.S. District Court for the Southern District of New York, the lending protocol said the funds should go back to users who lost money in the attack, not be held to satisfy unrelated terrorism judgments.

From exploit to courtroom

The dispute traces back to an April 18 exploit involving Kelp DAO’s rsETH token, a liquid staking derivative representing staked ether. An attacker allegedly abused a flaw in a cross-chain bridge, a system that allows assets to move between blockchains, to borrow around $230 million in ether from Aave users using unbacked collateral.

Within days, the Arbitrum Security Council stepped in, identifying wallets tied to the attacker and moving 30,766 ether into a controlled address. The recovery was seen as a rare early win in a sector where stolen funds are often difficult to claw back.

But that momentum stalled on May 1. Lawyers representing U.S. nationals with terrorism-related claims against North Korea secured a restraining notice that effectively froze the recovered funds, Cryptopolitan reported. Their argument hinges on the alleged involvement of the Lazarus Group—a hacking collective widely linked by authorities to Pyongyang.

In court filings, the plaintiffs said the crypto assets qualify as “property in which a terrorist party has an interest,” opening the door for seizure under U.S. laws designed to compensate victims of state-sponsored terrorism.

Aave pushes back

Aave argues that reasoning goes too far. While the platform acknowledges the seriousness of the claims, it says the legal theory risks redirecting stolen funds away from the actual victims of the exploit. It also disputes whether the Lazarus Group attribution has been definitively proven.

“A thief does not own what he steals,” Stani Kulechov said in a post on X on May 4.
“These funds belong to the affected users they were stolen from.”

In its filing, Aave described the frozen assets as “traceable proceeds of theft,” and urged the court to either lift the order or require the plaintiffs to post a $300 million bond if the freeze remains in place.

Recovery effort in limbo

The frozen ether sits at the heart of a broader industry response. Aave Labs and partners, including Kelp DAO, LayerZero, and others, formed a coalition—dubbed “DeFi United”—to stabilize the ecosystem after the attack. So far, the group has raised more than 137,700 ether, worth about $327 million, to help restore backing for rsETH holders.

But the recovery plan assumes the release of the seized 30,766 ether now caught in legal limbo. Before the court order, Arbitrum DAO participants had already begun voting to transfer the funds into a multi-signature wallet overseen by ecosystem stakeholders and security firm Certora. The proposal drew overwhelming support—but it is now effectively on hold.

Legal observers say the DAO has little room to act independently while the order is in force. “Arbitrum DAO is not allowed to do anything with the KelpDAO funds for now, until a divestiture hearing,” said Gabriel Shapiro in a post on X.

A broader legal test for DeFi

At its core, the case highlights a growing tension: when decentralized systems take coordinated action, such as freezing funds, do they begin to resemble traditional financial intermediaries in the eyes of the law?

A forthcoming divestiture hearing will decide who ultimately controls the assets. Until then, the funds remain frozen, caught between two competing claims: victims of a crypto exploit and creditors seeking compensation for acts of state-sponsored terrorism.

The outcome could shape how courts treat DAO-governed assets in future disputes, particularly when those assets are secured or immobilized through collective action.
Meanwhile, parts of the stolen ether remain in motion elsewhere, with blockchain analysts tracking funds as they are routed through laundering channels and converted into stablecoins on other networks.

For Aave and its users, the priority is speed. The protocol has asked the court to fast-track proceedings, warning that delays could weaken efforts to make victims whole.





































