
Aave Launches DeFi Risk Overhaul After $230M rsETH Exploit

Source: Photo by panumas nikhomkhai

Aave has announced a major overhaul of its risk management framework following the $230 million rsETH exploit in April 2026, one of the largest decentralized finance (DeFi) attacks of the year. According to the lending protocol’s newly released postmortem, the incident did not result from a vulnerability in Aave’s smart contracts. Instead, the attack originated from a failure in the bridge infrastructure supporting KelpDAO’s restaked Ether (rsETH), highlighting a growing category of risks facing the DeFi sector.

The exploit was linked to LayerZero, the cross-chain bridge used by KelpDAO to transfer rsETH between blockchain networks. KelpDAO operates as a restaking platform, allowing users to earn additional yield by reusing already staked Ethereum as collateral. The rsETH token represents ownership of that restaked Ether.

Bridges depend on independent verification systems to validate cross-chain messages before assets are released on a destination network. In this case, a single verifier mistakenly approved a fraudulent message, enabling an attacker to mint 116,500 unbacked rsETH tokens. The attacker then deposited the counterfeit tokens into Aave and borrowed assets against them. Once the tokens were discovered to have no underlying Ether backing, the loans became unrecoverable.

Aave emphasized that its protocol functioned as intended, but the collateral accepted through the compromised bridge exposed weaknesses in traditional DeFi risk assessment models. The company argues that focusing solely on smart contract audits, liquidity, and volatility is no longer sufficient in an increasingly interconnected ecosystem.

As a result, Aave plans to revise its V3 asset listing standards and expand evaluations to include bridge infrastructure, oracle dependencies, third-party contracts, custodial arrangements, operational security, and market liquidity. The protocol is also developing automated safeguards that could reduce an asset’s loan-to-value ratio to zero when predefined risk thresholds are triggered.
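The following sketch is an added illustration, not code from Aave or its postmortem, of the kind of automated safeguard described above: a monitor that forces an asset's loan-to-value ratio to zero once a risk threshold trips. The class names, the two thresholds (backing ratio and verifier count), and all snapshot figures except the 116,500 unbacked tokens are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AssetSnapshot:
    symbol: str
    circulating_supply: float   # tokens minted across all chains
    verified_backing: float     # underlying attested as held, in token units
    attesting_verifiers: int    # independent verifiers behind the latest bridge message
    ltv: float                  # loan-to-value currently configured for the asset

@dataclass(frozen=True)
class RiskPolicy:               # thresholds are assumptions, not Aave parameters
    min_backing_ratio: float = 0.995
    min_verifiers: int = 2

def evaluate(snap: AssetSnapshot, policy: RiskPolicy) -> tuple[float, list[str]]:
    """Return (ltv_to_apply, reasons). Any tripped threshold forces LTV to 0."""
    reasons = []
    if snap.circulating_supply > 0:  # no supply means no exposure to measure
        ratio = snap.verified_backing / snap.circulating_supply
        if ratio < policy.min_backing_ratio:
            reasons.append(f"backing ratio {ratio:.4f} below {policy.min_backing_ratio}")
    if snap.attesting_verifiers < policy.min_verifiers:
        reasons.append(f"{snap.attesting_verifiers} verifier(s), need {policy.min_verifiers}")
    return (0.0 if reasons else snap.ltv, reasons)

# Constructed snapshots; only the 116,500 unbacked mint comes from the article.
POLICY = RiskPolicy()
HEALTHY = AssetSnapshot("rsETH", 600_000.0, 600_000.0, 3, 0.72)
AFTER_MINT = AssetSnapshot("rsETH", 600_000.0 + 116_500.0, 600_000.0, 1, 0.72)

if __name__ == "__main__":
    for snap in (HEALTHY, AFTER_MINT):
        ltv, reasons = evaluate(snap, POLICY)
        print(snap.symbol, "LTV ->", ltv, reasons or "no thresholds tripped")
```
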

Since the incident, Aave’s risk management teams have implemented approximately 295 parameter adjustments across V3 markets, including 168 supply-cap reductions and 66 borrow-cap reductions. The changes are designed to limit exposure to potentially vulnerable assets and strengthen protection against future DeFi exploits.

The postmortem underscores a broader industry challenge: as decentralized finance grows more interconnected, protocols must evaluate not only the assets they support but also the infrastructure and external systems those assets rely on.

<Copyright ⓒ TokenPost, unauthorized reproduction and redistribution prohibited>
