When DeFi's code can't finish the job, you call the lawyers.

The Summary

The Signal

The Kelp DAO attacker's positions were finally liquidated, but not through the normal automated liquidation process that defines DeFi. Instead, Aave governance had to vote to manually adjust the rsETH oracle price, artificially creating a health factor deficit that triggered the liquidation. In other words, the protocol couldn't fix itself. The community had to reach in and turn the dials.

This wasn't a bug in Aave's code. It was the logical endpoint of an exploit that started upstream at Kelp DAO. The attacker had deposited fraudulent rsETH collateral, borrowed against it, and created positions that were technically solvent according to Aave's oracles even though the underlying collateral was worthless. Standard liquidation mechanics don't fire when the math says everything is fine.

"Aave required a governance process to manipulate its rsETH oracle price to generate a deficit in the attacker's fraudulent position."
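Why the liquidation never fired on its own, as an added example that is not code from Aave or from the original article: it uses the standard health-factor form of Aave-style lending markets (collateral × oracle price × liquidation threshold ÷ debt), and every number, name and price in it is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Position:
    collateral_units: float       # rsETH units posted as collateral
    debt_value: float             # borrowed value in the market's base currency
    liquidation_threshold: float  # share of collateral value counted toward solvency


def health_factor(pos: Position, oracle_price: float) -> float:
    """Threshold-weighted collateral value, as the oracle reports it, over debt."""
    return pos.collateral_units * oracle_price * pos.liquidation_threshold / pos.debt_value


def is_liquidatable(pos: Position, oracle_price: float) -> bool:
    # The check sees only the oracle's number; whether the collateral is
    # actually backed never enters the calculation.
    return health_factor(pos, oracle_price) < 1.0


def liquidation_price(pos: Position) -> float:
    """Oracle price at which the health factor is exactly 1."""
    return pos.debt_value / (pos.collateral_units * pos.liquidation_threshold)


def shortfall(pos: Position, oracle_price: float) -> float:
    """Debt left uncovered by collateral at this oracle price (0 if covered)."""
    return max(0.0, pos.debt_value - pos.collateral_units * oracle_price)


# Constructed sample values, not figures from the incident.
POSITION = Position(collateral_units=1000.0, debt_value=1_500_000.0,
                    liquidation_threshold=0.75)
FEED_PRICE = 2500.0      # what the oracle keeps reporting for the collateral
OVERRIDE_PRICE = 100.0   # hypothetical price set through a governance vote


def compare():
    """Rows of (label, health factor, liquidatable?, shortfall) for both prices."""
    prices = (("oracle feed", FEED_PRICE), ("governance override", OVERRIDE_PRICE))
    return [(label, health_factor(POSITION, p), is_liquidatable(POSITION, p),
             shortfall(POSITION, p)) for label, p in prices]


if __name__ == "__main__":
    print(f"liquidation fires below an oracle price of {liquidation_price(POSITION):.2f}")
    for label, hf, liq, gap in compare():
        print(f"{label:20s} HF={hf:.2f} liquidatable={liq} shortfall={gap:,.0f}")
```

Any oracle price above `liquidation_price` leaves the position untouchable by the automated path, which is why the only lever left was the price itself.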

Now comes the messier part. Aave is fighting in court to unfreeze $71 million in recovered funds. The money is sitting somewhere in the traditional financial system, locked pending legal proceedings. The irony is thick: a protocol built to eliminate intermediaries now needs permission from a judge to access its own recovered assets.

This is the collision point between Web3's permissionless ideals and Web2's legal realities. You can write smart contracts that execute without asking anyone's permission, but the moment real money touches a bank account or a centralized exchange, you're back in the world of subpoenas and court orders. The attacker exploited Kelp DAO's code. The legal system is exploiting the fact that DeFi still plugs into legacy finance at every on-ramp and off-ramp.

Key tensions here:

  • Governance can override oracle logic when the stakes are high enough
  • "Trustless" doesn't mean "immune to human intervention"
  • Recovery of stolen funds still bottlenecks at traditional legal choke points

The Implication

This case will shape how future DeFi protocols think about emergency powers and oracle manipulation. If governance can adjust prices to force liquidations, what stops that power from being abused? The answer, apparently, is courts and legal processes, which means DeFi is more dependent on legacy systems than the pitch deck suggests.

Watch how Aave structures guardrails around governance actions going forward. And if you're building in this space, accept that "code is law" is marketing. Real law is still law, and it moves slower than any blockchain.

Sources

The Block | RWA Times