CoinDesk
Aave has published an official postmortem on April's $230 million rsETH exploit — the most expensive DeFi attack of 2026 — and is using it to justify a sweeping overhaul of how it evaluates collateral risk. The attack originated not in Aave's own smart contracts, which functioned as designed, but in a LayerZero bridge verification failure that allowed a single compromised verifier to approve a forged cross-chain message, minting 116,500 unbacked rsETH on Ethereum. Those tokens were deposited into Aave as collateral and used to drain loans the protocol could not recover.
Going forward, Aave says collateral assessments will extend beyond the traditional triad of volatility, liquidity, and smart-contract audits to include bridge infrastructure, oracle dependencies, custodial arrangements, third-party contracts, and operational security practices. The protocol is also developing automated defenses that can instantly reduce a collateral asset's loan-to-value ratio to zero once predefined risk thresholds are breached — cutting off borrowing power before losses can cascade.
Since the exploit, Aave's risk managers have already executed roughly 295 parameter changes across V3 markets, including 168 supply-cap reductions and 66 borrow-cap reductions. LayerZero has separately acknowledged it "made a mistake" by allowing its verification system to operate in a one-of-one configuration for high-value assets. Aave's postmortem frames the incident as a structural warning for the entire DeFi sector: as protocols grow more interconnected, the infrastructure assets depend on is now as critical as the assets themselves.
CoinTelegraph
TheBlock