The fight over who caused the KelpDAO rsETH exploit has moved from protocol statements into Aave’s governance forum, where retail depositors are now publicly arguing over who absorbs up to $230 million in bad debt — and whether users on Layer 2 networks will be left to cover losses that Ethereum mainnet escapes.

Arbitrum’s Security Council froze 30,766 ETH connected to the exploit at 11:26 PM ET on April 20, acting with direct input from law enforcement regarding the exploiter’s identity. The funds sit in an intermediary wallet. They cannot move without a formal Arbitrum governance decision.

Arbitrum posted on X: “The Security Council acted with input from law enforcement as to the exploiter’s identity, and, at all times, weighed its commitment to the security and integrity of the Arbitrum community without impacting any Arbitrum users or applications.”

That freeze is the first confirmed on-chain recovery from the April 18 drain. It covers a portion of Arbitrum’s exposure. The rest of the damage remains unresolved.

The Two Scenarios Nobody Wants

Aave’s service providers published a full incident report on April 20 laying out two possible paths for bad debt allocation.

Scenario 1 assumes losses are socialized across the entire rsETH supply on all chains. Each token takes a 15.12% haircut. Total bad debt reaches $123.7 million. Ethereum Core absorbs $91.8 million. L2 networks take smaller but still material hits.

Scenario 2 is the one users fear. It isolates losses to L2 chains only, leaving Ethereum mainnet rsETH untouched. Remote-chain rsETH takes a 73.54% haircut. Total bad debt climbs to $230.1 million. Mantle faces a 71.45% WETH shortfall. Arbitrum carries a 26.67% shortfall. Base absorbs a 23.28% hit. Ethereum Core pays nothing.

Aave confirmed on X that service providers are leading a recovery effort with ecosystem participants, with several indicative commitments already in place.

Aave posted on X: “Aave DAO service providers are also leading an effort with ecosystem participants to address any bad debt. This effort already has several indicative commitments from various parties and we are grateful for the strong support we have received so far.”

The outcome depends on a decision outside Aave’s direct control. How KelpDAO accounts for the loss and whether it updates its LRTOracle exchange rate will determine which scenario materialises.

Real Users, Real Numbers, Real Anger

The governance forum is not just protocol engineers debating risk models. Retail depositors are posting in real time.

Carlosacd, a Base network user, wrote directly into the governance thread:

“As a retail user of Aave on the Base network, I am deeply concerned by the discussions regarding ‘Scenario 2.’ I deposited 1.57 ETH in good faith, trusting Aave’s risk management when listing rsETH on Base. Proposing a 73% haircut for L2 users while protecting Mainnet is unacceptable and destroys the ‘multichain’ promise of Aave.”

Danulinio, posting as an Arbitrum WETH depositor, framed it differently. The user argued that concentrating losses on L2 users would send a message that DeFi on Layer 2 is where risk gets dumped when Layer 1 has a problem. The argument laid out a specific counter-proposal: losses from the bridge exploit should be socialized across all rsETH holders on all chains, the DAO Treasury and Umbrella module should commit to covering a defined tranche of remaining bad debt, and any residual haircut should be spread proportionally across all affected WETH reserves. Not concentrated on specific L2 pools.

Danulinio wrote in the Aave governance forum: “Even a small haircut hurts, but a bounded, protocol-wide, well-explained socialization across chains is survivable for Aave’s reputation. In contrast, visibly sacrificing L2 depositors with 20-30% losses while mainnet is protected would be the point at which many serious users simply decide: no more Aave on L2, ever.”

A separate reply noted that Arbitrum WETH depositors are already in a different position. Because the Security Council froze most of the attacker’s holdings on Arbitrum, the recovered ETH would likely cover most of that chain’s bad debt regardless of which scenario Kelp chooses.

The Umbrella Stakers Who Say They Never Signed Up for This

The governance debate is not only between depositors and the DAO. Umbrella stakers are pushing back too.

Umbrella replaced Aave’s legacy Safety Module in late 2025. Users who stake aWETH into the Umbrella vault face automatic slashing if bad debt materialises. That mechanism is now activated. The question is how far it extends.

defialltheway, posting as an Umbrella holder, argued the mechanism was never designed to cover this type of loss:

“Mainnet aWETH Umbrella signed up for chain-local risk on backed collateral, not wrapped rsETH minted against drained escrow and L2 risk. Umbrella stakers on mainnet by definition did not sign up to cover losses from another chain.”

The user cited Aave’s own documentation, pointing to language stating bad debt coverage applies to Ethereum’s V3 Core Market only. Under Scenario 2, Umbrella on mainnet would not activate at all. L2 depositors would absorb the full concentrated loss without the backstop mechanism triggering.

Where the Numbers Actually Stand

The Aave DAO treasury held $181 million as of April 20. That breaks down as $62 million in Ethereum-correlated holdings, $54 million in AAVE tokens, and $52 million in stablecoins. The DAO generated $145 million in revenue across 2025 and $38 million year-to-date in 2026.

The current rsETH adapter balance sits at 40,373 rsETH. Total remote-chain claims against that balance stand at 152,577 rsETH. The backing ratio is 26.46%. KelpDAO’s interventions during the attack recovered that 40,373 rsETH balance by blocking a second drain attempt targeting another 40,000 rsETH worth roughly $95 million.

LayerZero attributed the April 18 attack to North Korea’s Lazarus Group, specifically the TraderTraitor subcluster, in its official incident statement. The protocol confirmed cooperation with multiple global law enforcement agencies. The Arbitrum freeze, coming with direct law enforcement identification of the exploiter’s wallet, is the first concrete result of that cooperation.

The Blame War That Has Not Ended

KelpDAO and LayerZero have not resolved their public dispute over responsibility. LayerZero’s post-mortem placed the failure on KelpDAO’s choice to run a 1-of-1 DVN configuration, with LayerZero Labs as the sole verifier. KelpDAO responded on X that the 1-of-1 setup is what LayerZero’s documentation describes as the default for new OFT deployments, and that the configuration was confirmed as appropriate during KelpDAO’s L2 expansion.

KelpDAO stated on X: “The 1-of-1 DVN setup is the configuration documented in LayerZero’s documentation and shipped as the default for any new OFT deployment.”

KelpDAO’s initial incident post confirmed contracts were paused across mainnet and several L2s. The protocol said it is working with Aave, LayerZero, and all key stakeholders on impact assessment and protocol unpausing timelines.

As previously reported, the original drain pulled 116,500 rsETH worth $292 million, pushed Aave’s ETH utilization to 100%, and wiped $6.28 billion from Aave’s TVL within hours. The full joint post-mortem from LayerZero and KelpDAO has not been published. Bad debt resolution, governance decisions on the frozen Arbitrum ETH, and the question of whether L2 depositors take a concentrated hit or the loss gets spread across all chains — none of it is settled.

The users posting in Aave’s governance forum are waiting for answers.