- Aave will review all V3 assets after the $230 million KelpDAO rsETH exploit exposed bridge risks beyond smart contract code.
- Attackers minted 116,500 unbacked rsETH through a LayerZero bridge failure before using the tokens as Aave collateral.
Aave plans to overhaul how it lists collateral after the $230 million rsETH exploit exposed risks beyond smart contract code. The protocol said the attack started with KelpDAO’s LayerZero-powered bridge, not with Aave’s own contracts.
The incident ranks as the most expensive DeFi hack of 2026 so far. It also pushed Aave to review every asset listed on V3 and tighten the standards used before collateral enters its lending markets.
According to Aave’s postmortem, attackers exploited a bridge verification failure tied to KelpDAO’s restaked ether token, rsETH. They abused a weak verification setup and created a forged cross-chain message that allowed them to mint 116,500 unbacked rsETH on Ethereum.
— Aave (@aave) May 31, 2026
Those tokens later entered Aave as collateral. Once inside the lending protocol, the attacker borrowed against rsETH that had no real backing. Aave said its contracts worked as designed, but the collateral lost value after the bridge failure exposed the fake supply.
KelpDAO’s rsETH represents a claim on restaked ether. Restaking lets users place already-staked ETH into additional protocols to earn extra yield. However, moving that token across chains depends on bridge infrastructure, which carries its own security risks.
LayerZero helps move messages between blockchains. In this case, Aave said a single verifier approved a false message. That setup allowed the attacker to bypass proper checks and create tokens without matching ether behind them.
Meanwhile, Aave has been among the major crypto firms backing a new transparency alliance with Ripple, Binance US, Coinbase, Kraken, and Grayscale. The group aims to set clearer token disclosure standards, covering team vetting, token supply, financial records, and market structure.
Aave Expands Collateral Reviews Beyond Code
Aave now plans to judge collateral through a wider risk framework, extending its review to liquidity conditions, oracle systems and bridges before approving an asset for listing. It will also vet the asset’s third-party contracts, operational controls and its custodians.Â
Under the existing listing model, Aave focused only on auditing an asset’s smart contracts and checking its liquidity and price volatility. The network said that this approach no longer covers the full risk profile of assets that depend on external infrastructure.
The rsETH exploit showed how a failure outside a lending protocol can still create losses inside it. Aave accepted the token under its normal market rules, but the asset’s bridge design created a weakness that standard collateral checks did not fully capture.
LayerZero later acknowledged that its verification setup allowed high-value assets to rely on a one-of-one configuration. Aave’s postmortem used that point to support broader changes across DeFi risk management.
Automated defenses also form part of Aave’s new plan. The protocol requires systems that can respond faster when listed assets show signs of stress. One proposed tool would reduce an asset’s loan-to-value ratio to zero when preset risk limits are breached.
That action would remove borrowing power from risky collateral before losses spread across the market. Such controls could help lending protocols respond more quickly during bridge failures, oracle problems, or sudden liquidity shocks.
Aave has started with V3 markets, introducing nearly 300 updates that introduce 168 cuts to the supply cap and 66 cuts to the borrowing cap. New assets may now face deeper checks on bridge security, verifier design, custody controls, and market liquidity before Aave expands support.
Recently, Aave explored native Bitcoin borrowing through Babylon’s Trustless Bitcoin Vaults under a V4 temp check proposal. The plan would let investors use native BTC as collateral on Aave without relying on wrapped assets.
