As you’re likely well aware by now, on April 18th, 2026, attackers exploited a weakness in KelpDAO’s LayerZero bridge infrastructure, causing roughly 116,500 rsETH worth approximately $292 million to be illegitimately released from the bridge’s Ethereum-side escrow. Across social media, it was widely attributed the attack to North Korea’s Lazarus Group. Rather than selling the stolen tokens immediately, the attacker deployed them as collateral across multiple lending protocols, opening positions on Aave, Compound v3, and Euler in order to borrow real assets against unbacked rsETH before anyone could intervene.

The Compound v3 position became one of the most closely watched parts of the crisis. On-chain data shows the attacker moving rapidly on April 18th, supplying rsETH in tranches, borrowing ETH and wstETH against it, and making partial withdrawals within the same fifteen-minute window to manage their collateral ratio. Within minutes of the exploit, the position was live and borrowing real assets against tokens that had no legitimate backing.

The attacker’s position then sat technically healthy at market prices throughout the weeks that followed, while the protocol’s rsETH markets were frozen and loan-to-value ratios set to zero. Compound’s normal liquidation mechanisms had no grounds to act. Conventional protocol logic offered no path to recovery.

Why Normal Liquidation Could Not Work

In standard DeFi lending, a liquidation is triggered automatically when a borrower’s collateral value drops below the required threshold. Because rsETH had not collapsed in market price, the attacker’s position on Compound remained above water by those measures. The stolen rsETH still priced normally, even though it was fundamentally unbacked. There was no admin key, no circuit breaker, and no centralized party capable of simply freezing the account. Governance was the only lever available.

The Governance-Driven Solution

The Compound Foundation and its service providers, working alongside risk partners including Gauntlet, engaged with relevant counter-parties to assess Compound’s exposure and identify a resolution pathway. Their assessment was that direct protocol exposure would be limited under most plausible scenarios, but they recognized that participation in a coordinated response was important not only for Compound’s own position, but for market integrity and cross-protocol confidence.

Gauntlet submitted a separate technical proposal to introduce a modified oracle for Compound’s rsETH markets. The new oracle retained the existing Kelp DAO exchange rate feed as its primary source under normal conditions, but added configurable minimum and maximum price bounds operable by the Compound multisig. By setting the oracle’s price floor temporarily below market value, the proposal made it possible to push the attacker’s position into a technically undercollateralized state, triggering liquidation eligibility without touching any unrelated market parameters.

Once the governance proposal passed and the oracle adjustment was applied, a DeFi United Recovery Guardian multisig stepped in to repay the borrowed assets and seize the rsETH collateral. The DeFi United technical plan had targeted approximately 16,776 ETH worth of funds from Compound’s market. After the collateral was seized, it was redeemed through KelpDAO’s redemption system and converted back into ETH, which was then used to help refill the damaged bridge lockbox that originally backed rsETH. Once the process completed, the oracle was restored to normal market levels, with no persistent configuration changes to the Compound protocol.

The chart below captures the full arc of the event across the February to May 2026 period. The red line tracking Compound v3 collateral total supplied in rsETH builds steadily from mid-March as the attacker’s position accumulated, reaches its peak following the April 18th exploit, then drops sharply as the governance-triggered liquidation clears the position. The green price line for rsETH shows no significant collapse during the liquidation itself, confirming that the process did not cause a disorderly market selloff.

What This Illustrated About DeFi Governance

The liquidation itself, when it came, was notable for its precision. On May 9th at 02:30 UTC, Santiment data recorded $29,044,839 in Compound v3 liquidations, covering 12,426.70 rsETH, at a price of $2,337.29. It was one of the largest single liquidation events in Compound’s history, yet rsETH’s price showed no meaningful distress at that moment. The collateral was removed cleanly, without triggering a broader market selloff.

The episode became a reference point for how decentralized finance can respond to exploits that sit outside the reach of automated mechanisms. When the attacker’s position could not be liquidated by normal means, governance effectively acted as an emergency instrument, adjusting oracle parameters in a targeted, temporary, and reversible way to recover stolen collateral without socialising losses to ordinary users.

Critics noted that this required a small group of insiders to coordinate parameter changes that directly determined the outcome for hundreds of millions of dollars in positions. Supporters argued it demonstrated exactly the kind of mature, accountable coordination that decentralised systems need when automated rules hit their limits. Either way, the Compound liquidation was a clear illustration that DeFi governance, when coordinated effectively, can function as something resembling an emergency intervention mechanism, closer in practice to a central bank backstop than to a purely automated market.

-----

Free two-week trials to Sanbase PRO (to access all mentioned Santiment data in this article, and plenty more) are AVAILABLE HERE!

-----

Disclaimer: The opinions expressed in the post are for general informational purposes only and are not intended to provide specific advice or recommendations for any individual or on any specific security or investment product.