Aave overhauls listing standards after $230 million rsETH exploit exposed bridge risks
An official postmortem traced the exploit to a LayerZero bridge verification failure and outlined a sweeping overhaul of Aave’s asset-listing standards as DeFi risks shift beyond smart contract bugs.
What to know:
- Aave said the record 2026 rsETH exploit stemmed from a failure in KelpDAO’s LayerZero-powered bridge, not a bug in Aave’s own smart contracts, prompting a sweeping review of all V3 assets and listing standards.
- In its postmortem, Aave detailed how attackers abused a single LayerZero verifier to forge a cross-chain message and mint 116,500 unbacked rsETH on Ethereum, exposing hidden risks in bridges and other off-chain infrastructure.
- Aave plans to overhaul its risk framework to scrutinize bridges, oracles, custodians and operational security and to add automated defenses that can instantly strip collateral of borrowing power; it has already made hundreds of parameter changes to curb exposure.
The protocol’s postmortem traced the attack not to a flaw in Aave’s smart contracts but to a LayerZero bridge verification failure, in which a single verifier approved a forged cross-chain message that released 116,500 unbacked rsETH.
Going forward, Aave says collateral assessments will weigh bridges, oracle dependencies, custodians and operational security alongside the financial and smart-contract risks it has traditionally screened for.
KelpDAO is a “restaking” service: it lets users take ether that is already locked on Ethereum to earn staking rewards and reuse it as collateral to earn additional yield from other protocols. The rsETH token represents a user’s claim on that restaked ether. To move rsETH between blockchains, KelpDAO uses LayerZero, cross-chain bridge infrastructure that passes messages between networks so a token issued on one chain can show up on another.
