Aave filed an emergency motion last week to release millions of dollars of frozen ETH from an injunction issued against Arbitrum DAO, turning what started as a coordinated exploit recall into a legal dispute.
Aave LLC said the injunction notice was served on Arbitrum DAO on May 1 and seeks the seizure of approximately $71 million in ETH that Aave claims belonged to victims of the April 18 exploit. The company asked the court for a speedy hearing and temporary eviction, arguing that the recovered assets were designated for the return of users and should not be frozen for external claims.
ETH was frozen by Arbitrum’s Security Council on April 21st after Lazarus Group stole approximately 116,500 rsETH from Kelp DAO’s LayerZero bridge three days ago.
The council exercised 9 out of 12 emergency powers to move 30,765 ETH without the attacker’s keys and designate it as a recovery pool.
Aave’s April 24 funding update brought the initial hole size to 163,183 ETH. Between Kelp’s own freeze, Arbitrum’s actions, and the expected liquidation of Aave, the Coalition closed about 52.9% of that gap.
DeFi United raised over $300 million in commitments for the rest, Mantle contributed a credit line of up to 30,000 ETH, and Aave requested 25,000 ETH from the Treasury.
The injunction, approved by a court in the Southern District of New York, covered frozen funds.
The plaintiffs’ theory appears to be based on alleged exploits by the Lazarus Group, a North Korean hacking operation, and previous court decisions related to North Korea. Aave’s motion challenges the leap from the attacker’s purported control to legitimate ownership, arguing that stolen assets do not become seizable property simply because they are held temporarily by the thief.
This service plan included posting on Arbitrum’s governance forums and mailing copies to the legal entity behind the Arbitrum DAO, Security Council members, and large ARB holders, and included warnings of potential legal consequences for governance parties if they did not comply.
Establishment of legal face governance
The first argument in Aave’s complaint is that the stolen assets are not the thieves’ legal property because they were temporarily held by them, and the second is that Arbitrum DAO is not a legal entity capable of providing services.
This second argument is based on already contested legal grounds, as U.S. courts have shown a willingness to treat DAOs as general partnerships or actionable classes. Lido DAO faced its treatment based on previous litigation, including bZx and Compound-related litigation.
Travers Smith’s analysis of the Kelp episode noted that Arbitrum’s exposure was rooted in documented and implemented emergency action mechanisms, with reachability centered on governance structures and demonstrated controls.
Representatives on Arbitrum’s forum were already asking questions about indemnity spots, advance payment of legal fees, and litigation risks even before Aave filed its complaint.
This fear predates the court filing, noting that all protocols establishing and using emergency recovery powers also establish a written administrative record that can be read by external claimants.
DeFi United’s response has proven that major protocols will override immutability if the losses are large enough, and that that ability helps users while exposing the means of governance that courts seek to reach.
When a governing body freezes, segregates, and publicly labels assets as recoverable, the assets become an identifiable pool that unrelated creditors can target, especially if the attacker has documented ties to the sanctioned state or judgment debtor.
The multisig and snapshot voting infrastructure that enabled the response to the Kelp exploit does not have built-in mechanisms for handling competing court claims, personal liability notices to Security Council members, or creditor claims that recovered assets are seizable.
| Governance function | what did you do in this case | Why did you help the victim? | Why did the legal exposure occur? |
|---|---|---|---|
| Emergency powers of the Arbitration and Security Council | Freezes and moves 30,765 Ethereum without the attacker’s key | Save some of the stolen value for recovery | Demonstrated real control points that courts can target |
| Recovery designated wallet/pool | Separate funds for complete effort | Made recovery plans easy to read and actionable | Assets are now identifiable and easier to point out to external claimants. |
| DAO Governance Forum | Now part of your service plan | Providing transparency around remediation | Turned the governance channel into a place where legal proceedings can be posted. |
| Security Council members/governance bodies | Now part of the notification and service boundary | Enabling rapid crisis response | Growing concerns about personal liability and litigation risk |
| Multisig + snapshot style cooperation | DeFi United-style responses can now be implemented quickly | Helps coordinate cross-protocol rescues | Does not incorporate answers to competing court claims or creditor limitations |
Potential consequences of the motion
Bull’s lawsuit calls for the court to quickly accept Aave’s victim-first logic and lift the bond.
As a result, if the protocol clearly documents rights and destinations from the outset, governance-managed recovery can gain judicial validation because emergency intervention can override immutability in a crisis without automatically converting all recovery wallets into seizable creditor property.
Protocols that invest in pre-arranged claims waterfalls, indemnity policies, and entity wrappers around emergency remediation can help you act faster and with more legal confidence against future crises.
Aave stands as DeFi’s largest lending protocol, with nearly $15 billion in total locks and $12.1 billion in active loans, and a favorable ruling would impact the entire DeFi lending category, which totals approximately $42.7 billion.
The bear case develops when detention lasts long enough for Security Council members and Protocol representatives to be reluctant to intervene in future exploits.
Each successful recovery creates a documented administrative record, and each court challenge to that record increases the risk of personal liability for voting governance participants.
Emergency governance becomes more cautious if representatives conclude that participating in a recovery proposal would expose them to litigation or forum service, even if the technical ability of the freeze is intact.
Kelp’s response covered more than half of the initial shortfall through governance activities and capital adjustments. In a world where that coordination becomes legally risky, the fallout will not be resolved and the DeFi United model will have no viable successor.
DefiLlama’s hacking dashboard tracks hacks totaling approximately $16.5 billion, including approximately $7.7 billion in DeFi.
Travers Smith noted that the Drift and Kelp incidents ranked among the biggest DeFi exploits of 2026, occurred within 18 days of each other, and exposed governance vulnerabilities. This pattern makes recovery design a recurring infrastructure issue.
DeFi currently has the exact paradox that users want emergency intervention at the moment of exploitation, and with each successful intervention, governance seems more legally reachable.
Aave’s motion asks the court to hold both at the same time, allowing it to continue protecting assets exclusive to victims while legally rendering invisible the governance infrastructure that protected them.
The outcome will determine whether the next DeFi crisis results in a coordinated response or a legal battle.
(Tag translation) Featured
