DeFi governance proved capable of acting as an emergency recovery mechanism after the April 2026 KelpDAO exploit. Roughly 116,500 rsETH worth $292 million were stolen and deployed as collateral on Compound v3.
Standard liquidation rules offered no path to recovery, since the stolen rsETH still priced normally. A governance-approved oracle adjustment changed that, eventually enabling DeFi United to seize roughly $30 million. The recovery marked one of the most coordinated on-chain interventions in DeFi’s history.
On April 18, 2026, attackers exploited a vulnerability in KelpDAO’s LayerZero bridge infrastructure. About 116,500 rsETH worth $292 million were released illegitimately from the Ethereum-side escrow.
The attack was widely attributed to North Korea’s Lazarus Group. Rather than selling, the attacker deployed them as collateral across multiple lending protocols.
On-chain data shows the attacker opened a Compound v3 position within minutes of the exploit. ETH and wstETH were borrowed in tranches against the stolen rsETH tokens.
Partial withdrawals helped manage the collateral ratio in the same window. The position was active and borrowing real assets before the protocol could respond.
In the weeks that followed, the position remained technically healthy at market prices. Compound’s rsETH markets were frozen, and loan-to-value ratios were set to zero.
The stolen rsETH still priced normally despite having no legitimate backing. Automated liquidation mechanisms therefore had no grounds to trigger.
DeFi lending liquidations depend on collateral value falling below set thresholds. Because rsETH had not dropped in price, the attacker’s position stayed above water.
There was no admin key or circuit breaker available to freeze the account. DeFi governance was therefore the only available instrument to act.
The Compound Foundation engaged risk partners, including Gauntlet, to find a resolution pathway. Gauntlet submitted a proposal for a modified oracle for Compound’s rsETH markets.
The new oracle kept the Kelp DAO exchange rate feed as its primary source. It also added configurable price bounds operable by the Compound multisig.
Santiment Intelligence noted that an oracle adjustment pushed the attacker’s position into liquidation. This allowed DeFi United to seize roughly $30 million in collateral.
How was Compound governance able to help recover stolen rsETH from the KelpDAO exploiter? An oracle adjustment pushed the attacker’s position into liquidation, allowing DeFi United to seize ~$30M in collateral.
Check out our latest deep dive below.
https://t.co/LvqxqLrBYe pic.twitter.com/im4ot8o8xd
— Santiment Intelligence (@SantimentData) May 13, 2026
Temporarily setting the price floor below market value triggered undercollateralization. A DeFi United Recovery Guardian multisig then repaid the borrowed assets and seized the collateral.
Santiment data recorded $29,044,839 in Compound v3 liquidations on May 9th at 02:30 UTC. The event covered 12,426.70 rsETH at a price of $2,337.29 per token.
Notably, rsETH showed no meaningful price distress during the event. The collateral was removed cleanly without triggering a broader market selloff.
The seized collateral was redeemed through KelpDAO’s system and converted back to ETH. Those funds helped refill the damaged bridge lockbox that backed rsETH.
After completion, the oracle was restored to normal market levels. No persistent changes were made to the Compound protocol.
The post How Compound Governance Triggered a $30M Recovery From the KelpDAO Exploit appeared first on Blockonomi.
