On April 18, Kelp DAO's cross-chain bridge was attacked by the North Korean Lazarus Group, resulting in a loss of approximately $292 million. The Arbitrum Security Council froze the attacker's 30,766 ETH (about $71 million). The ownership of this frozen fund is currently subject to an unprecedented legal dispute in DeFi history in the New York Federal Court.
On May 14, Judge Margaret Garnett of the Southern District of New York Federal Court postponed the scheduled emergency hearing to June 5, requesting Aave and the opposing law firm Gerstein Harrow to submit supplemental briefs by May 22, addressing six legal questions:
· Whether the hacker's transaction falls under New York State's shelter doctrine
· The legal distinction between fraud and theft, and whether the hacker has any legal equitable interest in the stolen property
· Which country's law governs the priority of the frozen assets' creditors
· Whether a constructive trust constitutes an appropriate judicial remedy
· Whether Aave or Arbitrum can identify individual victims and proportionately return funds
· How Aave users' compound losses actually occur during the ongoing freeze
The sixth point is particularly crucial. Aave argued in its previous emergency motion, stating that the continued freezing of funds would trigger user liquidations, instability in the DeFi lending market, and other chain reaction losses. Garnett believed that Aave did not adequately explain this chain of losses and requested further arguments.
This marks Judge Garnett's second intervention. On May 9, she issued the first order, modifying the scope of the restraining order to allow the Arbitrum DAO to transfer the frozen ETH to a wallet controlled by Aave through on-chain governance voting. Participants in the vote would not be in violation of the freeze order. In other words, the procedural issue of fund mobility was resolved on May 9, leaving the substantive issue of who has the right to move the funds to June 5.
Who Is Gerstein Harrow
On May 1, the U.S. law firm Gerstein Harrow LLP filed a restraining order notice with the Southern District of New York, requesting Arbitrum not to release this ETH.
This law firm's client has no connection to the crypto world. Gerstein Harrow represents three groups of families holding unenforced anti-terrorism judgments against North Korea, totaling approximately $877 million:
· Pastor Kim Dong-shik Case (Kim v. DPRK, approximately $330 million): Korean-American pastor Kim Dong-shik was kidnapped by North Korean agents at the China-North Korea border in 2000, disappeared, and was killed. His family obtained a judgment against North Korea in a U.S. court.
· Hezbollah Rocket Attack Case (Kaplan v. DPRK, approximately $169 million): The plaintiff claims North Korea provided weapons support to Hezbollah and applied for compensation under U.S. anti-terrorism laws.
· 1972 Lod Airport Massacre Case (Calderon-Cardona v. DPRK, $378 million): A terrorist attack at Lod Airport in Tel Aviv, Israel, in 1972, carried out by the Japanese Red Army on behalf of a PFLP-EO faction, resulting in 26 deaths. The plaintiff in a U.S. court identified North Korea as a relevant terrorist-supporting party.
Gerstein Harrow's legal theory is that since on-chain analysis attributes this ETH to Lazarus, and Lazarus is a state actor of North Korea, then this asset belongs to the North Korean state and should be prioritized for compensating anti-terrorism victims holding unenforced judgments.
Blockchain investigator ZachXBT publicly criticized this as an opportunistic move, pointing out that Gerstein Harrow had previously attempted similar actions in cases involving North Korean-linked hackers on Harmony, Bybit, and other platforms, stating that the law firm's entire work is "reading my post after I've done the hard part of collecting evidence." Security researcher Taylor Monahan went as far as calling it "worse than ambulance chasing."
ZachXBT believes that Aave users are the actual victims of the attacker's loan behavior, and there is no direct causal relationship between anti-terrorism heirs' judgments and DeFi users' losses. Gerstein Harrow's intervention is actually slowing down the process of recovering funds for the victims.
Aave Initiates On-Chain Vote, rsETH Five-Chain Withdrawal Recovery
While legal proceedings move forward, protocol-layer fixes are progressing at a faster pace in parallel.
Aave initiated a binding on-chain vote (AIP) on Arbitrum on May 12th, proposing to transfer 30,765 ETH from the Security Council wallet to the Aave Recovery Guardian multisig controlled by Aave LLC.
The vote opened on May 15th and is expected to take about eight days to complete, after which the ETH will undergo the standard L2 to L1 withdrawal delay before reaching the Ethereum mainnet.
On the same day, Kelp DAO announced that the rsETH withdrawals, cross-chain bridging, and EigenLayer claiming features have all been restored. In terms of technical fixes, the attacker's fake rsETH supply was liquidated and burnt on May 7th, with the first batch of 25,000 rsETH transferred from the Aave Recovery Guardian multisig to the LayerZero OFT adapter, officially restarting cross-chain bridging.
Aave Bug Bounty Restructure, V3 Core Critical Bug up to $5 million
Following the resolution of the Kelp DAO incident, Aave Labs submitted a Bug Bounty Program restructure proposal (ARFC) to the governance forum.
The proposal aims to split Aave DAO's current single bounty program into 7 subsystem-specific programs hosted on three platforms: Immunefi responsible for Core Aave V3, V2, GHO, and illiquid protocol infrastructure; Sherlock for Aave V4 and Aave App Stack; Cantina for Aave V3 on Aptos.
In terms of compensation standards, the most significant change is for Core Aave V3, where the maximum bounty for critical bugs has been increased from $1 million to $5 million, with the minimum payout raised from $50,000 to $100,000. The upper limit for Aave V4 critical bugs has been raised from $500,000 to $2.5 million.
Community member robtg4 estimated on the governance forum that if each subsystem triggers one critical bug per year on average, the total critical payout budget for the seven projects is around $5 to $6 million, with high/medium/low severity bugs, the total annual budget falls in the reasonable range of $8 to $10 million.
The proposal also suggests maintaining the multi-platform architecture for 6 to 12 months, deciding on integration only after collecting sufficient operational data. LlamaRisk has expressed support, believing that the split structure better aligns with the actual risk profile of each subsystem.
At the time of writing, the rsETH withdrawal and cross-chain functions have been restored, the fund injection by DeFi United is progressing in batches, and the Arbitrum governance vote is underway. The final ownership of $71 million frozen ETH is pending the outcome of a hearing in the New York Federal Court on June 5.
While the technical crisis has been averted for Aave users and rsETH holders, the legal uncertainty persists.
Welcome to join the official BlockBeats community:
Telegram Subscription Group: https://t.me/theblockbeats
Telegram Discussion Group: https://t.me/BlockBeats_App
Official Twitter Account: https://twitter.com/BlockBeatsAsia
