Login
Sign Up
On April 18, the Kelp DAO cross-chain bridge suffered a catastrophic breach by the North Korean Lazarus Group, resulting in a total loss of approximately $292 million. In response, the Arbitrum Security Council executed an emergency freeze on 30,766 ETH, valued at roughly $71 million, attributed to the attacker. This action precipitated an unprecedented legal confrontation within the New York Federal Court, centering on the ownership rights of the frozen assets. On May 14, Judge Margaret Garnett of the Southern District of New York postponed the scheduled emergency hearing to June 5, ordering Aave and the opposing law firm Gerstein Harrow to submit supplemental briefs by May 22. The court specifically requested arguments on whether the hacker's transaction falls under New York State's shelter doctrine, the legal distinction between fraud and theft, and whether the hacker holds any equitable interest in the stolen property.
Furthermore, the judge sought clarity on which jurisdiction's law governs creditor priority, if a constructive trust is an appropriate remedy, and whether Aave or Arbitrum can identify individual victims for proportional fund returns. Woofun AI notes that the sixth point regarding Aave users' compound losses during the freeze is particularly critical, as Aave argued in its previous motion that continued freezing would trigger user liquidations and destabilize the DeFi lending market. Judge Garnett determined that Aave had not adequately explained this chain of losses and demanded further elaboration.
This marks Judge Garnett's second intervention in the case. On May 9, she issued an initial order modifying the scope of the restraining order, permitting the Arbitrum DAO to transfer the frozen ETH to a wallet controlled by Aave via on-chain governance voting without violating the freeze order. This procedural adjustment resolved the issue of fund mobility, leaving the substantive question of who holds the right to move the funds for the June 5 hearing. The legal complexity intensified on May 1 when the U.S. law firm Gerstein Harrow LLP filed a restraining order notice with the Southern District of New York, requesting Arbitrum not to release the ETH. The firm represents three groups of families holding unenforced anti-terrorism judgments against North Korea, totaling approximately $877 million. These include the Pastor Kim Dong-shik Case involving a $330 million judgment for a kidnapping and disappearance in 2000, the Hezbollah Rocket Attack Case claiming $169 million for alleged weapons support, and the 1972 Lod Airport Massacre Case seeking $378 million for a terrorist attack resulting in 26 deaths. Gerstein Harrow's legal theory posits that since on-chain analysis attributes the ETH to Lazarus, a state actor of North Korea, the asset belongs to the North Korean state and should be prioritized for compensating these anti-terrorism victims.
Blockchain investigator ZachXBT publicly criticized this legal maneuver as opportunistic, pointing out that Gerstein Harrow had previously attempted similar actions in cases involving North Korean-linked hackers on Harmony and Bybit. ZachXBT stated that the law firm's work amounts to reading his posts after he has completed the hard part of collecting evidence. Security researcher Taylor Monahan went further, labeling the intervention as worse than ambulance chasing. Woofun AI analysis suggests that ZachXBT believes Aave users are the actual victims of the attacker's loan behavior, noting there is no direct causal relationship between the anti-terrorism heirs' judgments and the losses sustained by DeFi users. Consequently, the intervention by Gerstein Harrow is viewed as slowing down the process of recovering funds for the actual victims of the hack. While these legal proceedings advance, protocol-layer fixes are progressing at a faster pace in parallel to mitigate immediate technical risks.
Aave initiated a binding on-chain vote (AIP) on Arbitrum on May 12, proposing to transfer 30,765 ETH from the Security Council wallet to the Aave Recovery Guardian multisig controlled by Aave LLC. The vote opened on May 15 and is expected to take about eight days to complete, after which the ETH will undergo the standard L2 to L1 withdrawal delay before reaching the Ethereum mainnet.
Concurrently, on the same day, Kelp DAO announced that rsETH withdrawals, cross-chain bridging, and EigenLayer claiming features have been fully restored. In terms of technical remediation, the attacker's fake rsETH supply was liquidated and burnt on May 7, with the first batch of 25,000 rsETH transferred from the Aave Recovery Guardian multisig to the LayerZero OFT adapter, officially restarting cross-chain bridging operations. Following the resolution of the immediate Kelp DAO incident, Aave Labs submitted a Bug Bounty Program restructure proposal (ARFC) to the governance forum to prevent future vulnerabilities.
The proposal aims to split Aave DAO's current single bounty program into 7 subsystem-specific programs hosted on three platforms: Immunefi responsible for Core Aave V3, V2, GHO, and illiquid protocol infrastructure; Sherlock for Aave V4 and Aave App Stack; and Cantina for Aave V3 on Aptos. In terms of compensation standards, the most significant change targets Core Aave V3, where the maximum bounty for critical bugs has been increased from $1 million to $5 million, with the minimum payout raised from $50,000 to $100,000. The upper limit for Aave V4 critical bugs has been raised from $500,000 to $2.5 million. Community member robtg4 estimated on the governance forum that if each subsystem triggers one critical bug per year on average, the total critical payout budget for the seven projects is around $5 to $6 million, while high, medium, and low severity bugs would bring the total annual budget to a reasonable range of $8 to $10 million. The proposal also suggests maintaining the multi-platform architecture for 6 to 12 months, deciding on integration only after collecting sufficient operational data. LlamaRisk has expressed support, believing the split structure better aligns with the actual risk profile of each subsystem.
At the time of writing, the rsETH withdrawal and cross-chain functions have been restored, and fund injection by DeFi United is progressing in batches while the Arbitrum governance vote is underway. The final ownership of the $71 million frozen ETH remains pending the outcome of the hearing in the New York Federal Court on June 5. Woofun AI assesses that while the technical crisis has been averted for Aave users and rsETH holders, the legal uncertainty persists as a significant overhang for the ecosystem. The resolution of this case will likely set a precedent for how DeFi protocols handle state-sponsored cyberattacks and the intersection of on-chain asset recovery with international anti-terrorism judgments.