After 2.92 billion dollars were stolen, rsETH withdrawals resumed, but 71 million dollars worth of frozen ETH is stuck in a North Korean terrorism compensation lawsuit.
Written by: ChandlerZ, Foresight News
On April 18, Kelp DAO's cross-chain bridge was attacked by North Korea's Lazarus Group, resulting in a loss of about 2.92 billion dollars. The Arbitrum security committee froze 30,766 ETH (about 71 million dollars) belonging to the attacker. A federal court in New York is currently hearing an unprecedented legal dispute in DeFi history over the ownership of these frozen funds.
On May 13, Judge Margaret Garnett of the U.S. District Court for the Southern District of New York postponed the originally scheduled emergency hearing to June 5, requiring Aave and the opposing law firm Gerstein Harrow to submit supplemental briefs by May 22, directly addressing six legal issues:
- Does the hacker transaction fall under New York's shelter doctrine?
- The legal distinction between fraud and theft, and whether the hacker has any legal interest in the stolen property.
- Which country's laws determine the creditor hierarchy for the frozen assets?
- Does constructive trust constitute appropriate judicial relief?
- Can Aave or Arbitrum identify individual victims and proportionally return funds?
- How do composite losses for Aave users occur in the context of the ongoing freeze?
The sixth point is particularly crucial. Aave previously argued in its emergency motion that the continued freezing of funds would lead to user liquidations, destabilizing the DeFi lending market, but Garnett felt that Aave did not clearly explain this chain of losses and requested additional clarification.
This is the second action taken by Judge Garnett. On May 9, she issued the first order modifying the scope of the injunction, allowing Arbitrum DAO to vote through on-chain governance to transfer the frozen ETH into a wallet controlled by Aave, stating that participating voters would not violate the freeze order. In other words, the issue of who has the right to act on the funds was resolved on May 9, while the substantive question remains for June 5.
Who is Gerstein Harrow?
On May 1, the American law firm Gerstein Harrow LLP filed a notice of injunction in the Southern District of New York, requesting that Arbitrum not release the ETH.
This law firm’s clients have no connection to the crypto world. Gerstein Harrow represents three groups of families holding unenforced anti-terrorism judgments against North Korea, amounting to approximately 877 million dollars:
- The Rev. Kim Dong-shik case (Kim v. DPRK, approximately 330 million dollars): Rev. Kim Dong-shik, a Korean pastor, was kidnapped by North Korean agents and went missing in 2000, after which his family obtained a ruling against North Korea in a U.S. court.
- The Hezbollah rocket attack case (Kaplan v. DPRK, approximately 169 million dollars): The plaintiffs claim North Korea provided weapons support to Hezbollah and seek compensation under the U.S. Anti-Terrorism Act.
- The 1972 Lod Airport massacre case (Calderon-Cardona v. DPRK, 378 million dollars): A terrorist attack that occurred at Israel's Tel Aviv Lod Airport, carried out by the Japanese Red Army under the direction of extremist PLO factions, resulting in 26 deaths; the plaintiffs identified North Korea as a relevant terrorist supporter in a U.S. court.
Gerstein Harrow’s legal theory is that on-chain analysis attributes this ETH to Lazarus, and since Lazarus is a North Korean state actor, this asset is North Korean state property and should be prioritized for compensation to victims of terrorism with unsatisfied judgments.
On-chain investigator ZachXBT publicly criticized this as taking advantage of the situation, noting that Gerstein Harrow had attempted similar operations in previous cases related to North Korean hacking, claiming their entire work is to "read my post after I’ve done the hard part of gathering evidence." Security researcher Taylor Monahan more directly referred to it as "worse than ambulance chasers."
ZachXBT believes that Aave users are the actual victims of the attacker’s lending behavior, citing that there is no direct causal relationship between the anti-terrorism judgments for the victims and the losses of DeFi users, asserting that Gerstein Harrow's involvement is actually slowing down the victims' asset recovery process.
Aave initiates on-chain voting, rsETH withdrawal resumed on five chains
While the legal proceedings advance, the protocol layer repairs are also progressing at a faster pace.
Aave initiated a binding on-chain vote (AIP) on Arbitrum on May 12 to propose transferring 30,765 ETH from the security committee wallet into the Aave Recovery Guardian multi-signature controlled by Aave LLC. The voting opened on May 15 and is expected to take about eight days to complete, after which the ETH will still need to go through the standard L2 to L1 withdrawal delays before reaching the Ethereum mainnet.
On the same day, Kelp DAO announced that rsETH withdrawals, cross-chain bridging, and EigenLayer claiming functions have all been restored. In terms of technical fixes, the supply of forged rsETH by the attacker was fully liquidated and destroyed by May 7, with the first batch of 25,000 rsETH transferred on May 13 from the Aave Recovery Guardian multi-signature to the LayerZero OFT adapter, officially restarting cross-chain bridging.
Aave restructures the bug bounty system, key vulnerabilities in V3 up to 5 million dollars
While handling the follow-up events of the Kelp DAO incident, Aave Labs submitted a proposal for restructuring the bug bounty program (ARFC) to the governance forum on April 30. The proposal breaks down Aave DAO's current single bounty program into seven subsystem-specific projects hosted across three platforms: Immunefi manages Core Aave V3, V2, GHO, and non-liquid protocol infrastructure; Sherlock manages Aave V4 and the Aave App Stack; Cantina manages Aave V3 on Aptos.
Regarding the compensation standards, the most significant changes are for Core Aave V3, where the maximum reward for key vulnerabilities has increased from 1 million dollars to 5 million dollars, and the minimum reward has risen from 50,000 to 100,000 dollars. The cap for key vulnerabilities in Aave V4 has been increased from 500,000 to 2.5 million dollars. Community member robtg4 estimated in the governance forum that if each subsystem experiences an average of one key vulnerability per year, the total key compensation budget for the seven projects would range from about 5 million to 6 million dollars, and with high/medium/low-level vulnerabilities included, the total annual budget would reasonably fall between 8 million and 10 million dollars.
The proposal also suggests maintaining a multi-platform structure for 6 to 12 months, after which a decision on whether to integrate will be made based on the collection of sufficient operational data. LlamaRisk has expressed support, believing that the split structure can better match the actual risk profile of each subsystem.
As of the time of publication, rsETH withdrawals and cross-chain functionality have resumed, funds from DeFi United are being injected in batches, and Arbitrum governance voting is underway. The final ownership of the 71 million dollars worth of frozen ETH will await the hearing results from the federal court in New York on June 5. However, for Aave users and rsETH holders, the crisis on the technical level has been resolved, while uncertainties at the legal level continue.