Loading prices…
🩸BEARISH

Aave revamps listing rules after $230M rsETH exploit

The protocol's code worked; the bridge that delivered 116,500 unbacked rsETH didn't — and Aave's response reframes where DeFi risk actually sits now.

Aave revamps listing rules after $230M rsETH exploit
Aave revamps listing rules after $230M rsETH exploit
Aave revamps listing rules after $230M rsETH exploit
Aave revamps listing rules after $230M rsETH exploit

Aave has published an official postmortem of April's $230 million rsETH exploit, tracing the loss not to a flaw in its own smart contracts but to a LayerZero bridge verification failure that let an attacker mint 116,500 unbacked rsETH on Ethereum and walk away with loans Aave could not recover. The protocol is now rewriting its asset-listing standards to scrutinize bridges, oracle dependencies, custodians and operational security alongside the financial and smart-contract risks it has traditionally screened for.

Why it matters

The exploit is the most expensive DeFi attack of 2026, and the mechanism matters more than the dollar number. A single LayerZero verifier approved a forged cross-chain message, releasing 116,500 rsETH onto Ethereum with zero ether backing it; those tokens were then deposited into Aave and used to borrow against collateral the protocol had every reason to believe was real. Aave's own code performed exactly as designed — the collateral was fake because the infrastructure that delivered it had been compromised.

LayerZero acknowledged earlier this month that it "made a mistake" by letting its own verification system secure high-value assets in a one-of-one configuration. Aave's postmortem pushes the implication further: traditional risk reviews — volatility, liquidity, smart-contract audits — failed to capture risks sitting in bridges, verification networks and other off-chain infrastructure. As DeFi composes more deeply across chains, the attack surface has moved outside application code into the plumbing that connects them.

Market impact

Aave is launching a sweeping review of every V3-listed asset and rebuilding its risk framework to evaluate bridge infrastructure, oracle dependencies, third-party contracts, custodial arrangements and operational security before any new or expanded collateral listing. The protocol is also building automated defenses, including a system that would automatically push an asset's loan-to-value ratio to zero once predefined risk thresholds are breached, stripping its borrowing power before losses can propagate.

The response is already operational.

Related tokens
$AAVE $ETH

Frequently asked questions

  1. What caused Aave's $230M rsETH exploit?

    A LayerZero bridge verification failure. A single verifier approved a forged cross-chain message that let an attacker mint 116,500 unbacked rsETH on Ethereum and use them as collateral to borrow funds Aave could not recover.

  2. Was Aave's own code hacked in the rsETH exploit?

    No. Aave said its smart contracts worked exactly as designed. The collateral it accepted turned out to be fake because the LayerZero-powered bridge that delivered the rsETH had been compromised, not because of any bug in Aave's own code.

  3. How is Aave changing its listing standards after the exploit?

    Aave is rewriting its risk framework to evaluate bridge infrastructure, oracle dependencies, third-party contracts, custodial arrangements and operational security alongside the financial and smart-contract risks it has traditionally screened for.

  4. What new defenses is Aave building for distressed collateral?

    Aave is building automated systems that react faster when collateral assets show signs of distress, including a proposal to automatically push an asset's loan-to-value ratio to zero once predefined risk thresholds are breached.

  5. How many parameter changes has Aave made since the rsETH exploit?

    Aave's risk managers have executed roughly 295 parameter changes across V3 markets since the exploit, including 168 supply-cap reductions and 66 borrow-cap reductions aimed at limiting exposure to individual assets.

Source attribution
Aggregated from CoinDesk · Verified · Last refreshed 46d ago
Open original →