$292 million drained in a single exploit. Three weeks later, $300 million pledged to fix it. What happened in between is the most important story in DeFi this year. Here is the complete timeline of the "DeFi United", contribution by contribution 👇 🗓 April 18: The Exploit 18:21 UTC: An attacker forges a @LayerZero_Core cross-chain message, tricking @KelpDAO's bridge verifier into releasing 116,500 unbacked rsETH on Ethereum mainnet without a corresponding burn on Unichain. Within minutes, the attacker deposits 89,567 rsETH as collateral across @aave, @compoundfinance, and @eulerfinance. 18:52 UTC: Aave Guardian begins freezing rsETH across all V3 deployments. Post-18:21: UTC: Kelp executes FrozenFundsRecover, clawing back 40,373 rsETH into a controlled address. ------------------------------------------------------------------------------------ 🗓 April 20: Freezing Aave Guardian freezes WETH on Core, Prime, Arbitrum, Base, Mantle, and Linea. The collateral damage starts showing. USDC and USDT utilization rates on Aave spike toward 100% as depositors try to exit. Borrowing rates for both pools jump from ~3.5% to 14% within 48 hours — automatically, with no committee, decision or call. Combined $USDC and $USDT supply on Aave falls from $7.65 billion to $3.96 billion in five days. ------------------------------------------------------------------------------------ 🗓 April 21: First Movements The attacker moves 75,701 ETH (~$175 million) to Ethereum mainnet and begins laundering via Thorchain, Umbra Cash, and Chainflip toward Bitcoin. Lazarus Group (the North Korean hacking collective behind the 2022 Ronin hack and 2025 Bybit hack) is identified as the likely operator. ------------------------------------------------------------------------------------ 🗓 April 22: Recovery Start Arbitrum Security Council moves fast freezing 30,766 ETH (~$71 million) held by the attacker on Arbitrum One. By doing so, it recovered roughly 25% of the total drained. ------------------------------------------------------------------------------------ 🗓 April 23: DeFi United Launches Five days after the exploit, Aave service providers launch DeFi United. The stated goal: raise enough ETH to restore the 112,204 rsETH shortfall: the gap between the 152,577 rsETH in outstanding remote-chain claims and the 40,373 rsETH Kelp recovered directly. First public commitment: Lido proposes contributing up to 2,500 stETH (~$5.7 million). EtherFi proposes 5,000 ETH: a direct competitor to Kelp in the liquid restaking market, treating this as a shared infrastructure problem. Stani Kulechov, Aave founder, pledges 5,000 ETH personally. "Aave is my life's work and we're working nonstop to find the best possible outcome for users." ------------------------------------------------------------------------------------ 🗓 April 24: First Contrbutions DeFi United reaches 69,534 ETH (~$161 million) in commitments from 14 contributors. Contributors confirmed at this stage: → Aave DAO 25,000 ETH proposed → Stani Kulechov 5,000 ETH personal → Emilio Frangella (Aave VP Engineering) 500 ETH → BGD Labs (Ernesto Boado) 100 ETH → BGD Labs 250 ETH → EtherFi 5,000 ETH → Lido 2,500 stETH → Mantle 30,000 ETH credit facility → Golem Foundation + Golem Factory 1,000 ETH combined → Renzo $10M+ deployed into Aave V3 markets → Kelp DAO 2,000 ETH (Source: The Block) ------------------------------------------------------------------------------------ 🗓 April 27: The $300M milestone Consensys and Joseph Lubin announce 30,000 ETH commitment: the largest single contribution by a non-Mantle participant. "The Ethereum ecosystem has always been at its best when it moves together." → Avalanche Foundation joins. Notable: Avalanche had zero direct exposure to the exploit. → Justin Sun and TRON DAO supply $20M USDT to Aave Core V3 as a show of support. → Babylon Foundation deposits $3M USDT Aave: $2M to V3, $1M to V4. → Circle Ventures begins purchasing AAVE tokens. → Compound DAO proposes 1,900 to 3,000 ETH contribution, targeting recovery of 16,776 ETH in exploiter positions on Compound. → Solana Foundation and additional unnamed individual contributors join the fund. Total pledges cross $300 million. ------------------------------------------------------------------------------------ 🗓 April 28 / May 1: The legal complication Aave announces that clearing the attacker's Ethereum and Arbitrum collateral positions would release approximately 13,000 ETH (~$30 million) into the recovery fund. A US law firm (Gerstein Harrow LLP) files a restraining notice in the Southern District of New York to prevent Arbitrum DAO from redistributing the 30,766 frozen ETH. The argument: the attacker is linked to North Korea, making the funds potential state assets. Aave files an emergency motion to vacate the restraining notice. Its counterargument: theft does not transfer legal title, these are user funds earmarked for victims, and freezing them creates irreparable harm to DeFi markets. Arbitrum DAO opens a temperature check vote on releasing the 30,766 ETH. Within the first hour: 16.9 million ARB tokens cast in favor, zero against. Voting closes May 7. -------------------------------------------------------------------------------------- 🗓 May 8: Where it stands DeFi United is approximately 10% short of the ETH needed to fully restore rsETH backing. Aave TVL has recovered from a local low of $14.2 billion on April 26 to above $15 billion. The 30,766 ETH on Arbitrum remains frozen pending the court's ruling on Aave's emergency motion. Pending commitments still needed from: Circle, Ethena, Frax, and Kraken's Ink L2. ------------------------------------------------------------------------------------ 💡 The unresolved question DeFi's largest coordinated recovery effort in history is 90% complete. The final 10% is stuck at the intersection of on-chain governance and off-chain law. Arbitrum DAO voted near-unanimously to release the funds. A US court filed a restraining notice anyway. If the court prevails, recovered funds from future exploits can be intercepted before reaching victims. The entire recovery coordination model stops working: protocols won't freeze attacker funds if doing so makes them legally targetable. If Aave's emergency motion succeeds, it sets a precedent that user restitution takes priority over state-sponsored asset claims in DeFi recovery scenarios. Either outcome defines the rules for every exploit that comes after this one.