TLDR
- Aave said the April rsETH exploit came from a LayerZero bridge verification failure, not a bug in its own code.
- The attacker used 116,500 unbacked rsETH as collateral on Aave, leaving the protocol with unrecoverable loans.
- Aave will review every V3 asset and expand collateral checks to include bridges, oracles, custodians, and operational risks.
- LayerZero admitted its one-of-one verification setup was a mistake for securing high-value assets.
- Aave said it has already made 295 changes to risk parameters across V3 markets since the exploit.
Aave has begun rewriting its collateral rules after an April rsETH bridge exploit left the protocol with unrecoverable DeFi losses.
Aave said in its postmortem that the incident did not come from a failure in its contracts. The lending protocol traced the exploit to KelpDAO’s restaked ether token, rsETH, and the LayerZero bridge setup used to move that asset across chains. According to Aave, a forged cross-chain message passed verification and released 116,500 rsETH without real ether backing the tokens.
Aave Blames External Infrastructure Risk
The postmortem said the attacker deposited unbacked rsETH into Aave V3 and used it as collateral to borrow assets. Those loans could not be recovered once it became clear that the collateral had no real backing. Aave said its contracts operated as designed, but the collateral entered its markets through infrastructure outside its codebase.
LayerZero acknowledged that it made a mistake by allowing a high-value asset to rely on a one-of-one verification setup. Aave’s report used the incident to argue that DeFi risk reviews must now examine the systems behind listed assets, not only the assets themselves.
KelpDAO Bridge Failure Exposed rsETH Weakness
KelpDAO offers restaking services that let users reuse staked ether exposure for extra yield across other protocols. Its rsETH token represents a claim on restaked ether, while LayerZero handles the messaging process that allows rsETH to move between blockchains.
In the April exploit, Aave said one verifier approved a false message. The receiving chain then released rsETH that had no matching ether behind it. Once those tokens reached Aave, the lending market treated them as acceptable collateral under existing rules.
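The one-of-one setup LayerZero acknowledged, and the single false approval described above, can be modelled as a threshold check on verifier attestations. The following Python is an added example, not code from Aave, KelpDAO or LayerZero; the verifier names, keys, HMAC attestation scheme and payload are constructed assumptions.

```python
import hashlib
import hmac

# Constructed verifier keys; the names and the HMAC scheme are assumptions.
VERIFIER_KEYS = {"verifier-a": b"key-a", "verifier-b": b"key-b", "verifier-c": b"key-c"}


def attest(verifier: str, payload: bytes) -> bytes:
    """Attestation a verifier issues for a payload it claims to have seen on the source chain."""
    digest = hashlib.sha256(payload).digest()
    return hmac.new(VERIFIER_KEYS[verifier], digest, hashlib.sha256).digest()


def accept(payload: bytes, attestations: dict, required: set, threshold: int) -> bool:
    """Accept only if `threshold` distinct verifiers in `required` validly attest to this payload."""
    if not 1 <= threshold <= len(required):
        raise ValueError("threshold must be between 1 and the size of the verifier set")
    valid = {
        name for name, tag in attestations.items()
        if name in required and hmac.compare_digest(tag, attest(name, payload))
    }
    return len(valid) >= threshold


def single_points_of_failure(configs: dict) -> list:
    """Return asset routes where one verifier's approval alone is sufficient."""
    return sorted(asset for asset, (_, threshold) in configs.items() if threshold == 1)


# Constructed scenario: a payload with no matching deposit on the source chain,
# approved by one faulty verifier and by nobody else.
FORGED = b"release 116500 rsETH (constructed payload)"
FORGED_ATTESTATIONS = {"verifier-a": attest("verifier-a", FORGED)}

ONE_OF_ONE = ({"verifier-a"}, 1)
TWO_OF_THREE = ({"verifier-a", "verifier-b", "verifier-c"}, 2)

if __name__ == "__main__":
    print("1-of-1 accepts:", accept(FORGED, FORGED_ATTESTATIONS, *ONE_OF_ONE))
    print("2-of-3 accepts:", accept(FORGED, FORGED_ATTESTATIONS, *TWO_OF_THREE))
    print("flagged:", single_points_of_failure({"rsETH": ONE_OF_ONE, "other": TWO_OF_THREE}))
```

With one required verifier, the single attestation is sufficient; under a two-of-three rule the same message is rejected because no second verifier confirms it.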
Aave said it will now review every asset listed on V3. The protocol said future collateral checks will include bridges, oracle dependencies, third-party contracts, custodians, operational security, and secondary-market liquidity.
Previously, Aave said its reviews focused mainly on financial risk, liquidity, volatility, and smart contract audits. The postmortem said those checks were not enough for assets that depend on verification networks and cross-chain systems.
Automated Defenses Under Development
Aave said its risk teams have made 295 parameter changes across V3 markets since the exploit. Those updates included 168 supply-cap reductions and 66 borrow-cap reductions.
The protocol said it is considering automated protections that could cut an asset’s loan-to-value ratio to zero after preset risk limits are breached. Aave said the measure would remove borrowing power from distressed collateral before losses spread.