
Aave overhauls listing standards after $230 Million rsETH exploit exposed bridge risks


The most expensive DeFi attack of 2026 began with KelpDAO’s restaked ether (rsETH) bridge, not a bug in Aave’s code. That, the lending protocol argues in an official postmortem published this week, is precisely why the industry needs to rethink how it measures risk.

Aave said it is launching a review of every asset listed on V3 and rewriting its listing standards after April’s $230 million restaked ether (rsETH) exploit exposed a new class of DeFi risk.

The protocol’s postmortem traced the attack not to a flaw in Aave’s smart contracts but to a LayerZero bridge verification failure, where a single verifier approved a forged cross-chain message that released 116,500 unbacked rsETH.

Going forward, Aave says collateral assessments will weigh bridges, oracle dependencies, custodians and operational security alongside the financial and smart-contract risks it has traditionally screened for.

KelpDAO is a “restaking” service: it lets users take ether that is already staked on Ethereum to earn staking rewards and reuse it as collateral to earn additional yield from other protocols. The token rsETH represents a user’s claim on that restaked ether. To move rsETH between blockchains, KelpDAO uses LayerZero, a piece of infrastructure called a cross-chain bridge that passes messages between networks so a token issued on one chain can show up on another.

Bridges rely on a set of independent verifiers who confirm each message is real before the receiving chain releases the equivalent tokens.

In April’s attack, just one of those verifiers approved a fake message, which let the attacker mint 116,500 rsETH on the receiving chain with no actual ether backing it.

Those tokens were then deposited into Aave, a lending protocol where users borrow against collateral they post, and used to take out loans Aave could not recover once the rsETH was revealed as worthless. Aave’s own code worked exactly as designed. The collateral it accepted turned out to be fake because the bridge that delivered it had been compromised.

While LayerZero acknowledged earlier this month that it “made a mistake” by allowing its own verification system to secure high-value assets in a one-of-one configuration, Aave’s postmortem goes further by using the incident to justify a broader overhaul of DeFi risk management.
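To make the verifier-set point concrete, here is a small model of destination-chain message verification that contrasts a one-of-one verifier configuration with a two-of-three quorum. It is an added example, not code from Aave, KelpDAO or LayerZero; the verifier names, message format and source-chain ledger are constructed, and only the 116,500 figure comes from the article.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Message:
    """Cross-chain transfer: release `amount` tokens to `recipient` on the destination chain."""
    nonce: int
    recipient: str
    amount: int

@dataclass
class VerifierConfig:
    allowed: Set[str]   # verifiers whose attestations count at all
    required: Set[str]  # verifiers that must ALL attest; a one-of-one setup is a single name
    threshold: int      # total distinct attestations needed from `allowed`

Attest = Callable[[Message], Optional[Message]]

def honest_verifier(source_ledger: Dict[int, Message]) -> Attest:
    """Reports the message actually locked on the source chain under that nonce, or None."""
    return lambda msg: source_ledger.get(msg.nonce)

def compromised_verifier() -> Attest:
    """A verifier under hostile control confirms whatever it is shown."""
    return lambda msg: msg

def verify(msg: Message, verifiers: Dict[str, Attest], cfg: VerifierConfig) -> Tuple[bool, str]:
    """Destination-chain check: release tokens only if the configured verifier set agrees."""
    agreeing = {n for n, attest in verifiers.items() if n in cfg.allowed and attest(msg) == msg}
    missing = cfg.required - agreeing
    if missing:
        return False, f"required verifier(s) did not confirm: {sorted(missing)}"
    if len(agreeing) < cfg.threshold:
        return False, f"only {len(agreeing)} of {cfg.threshold} attestations"
    return True, "verified"

def run_scenario(cfg: VerifierConfig, backed: bool) -> Tuple[bool, str]:
    """Constructed scenario: verifiers A and B are honest, C is compromised.
    backed=False models a forged message with nothing locked on the source chain."""
    msg = Message(nonce=7, recipient="0xRecipient", amount=116_500)  # amount from the incident
    source_ledger = {msg.nonce: msg} if backed else {}
    verifiers = {"A": honest_verifier(source_ledger),
                 "B": honest_verifier(source_ledger),
                 "C": compromised_verifier()}
    return verify(msg, verifiers, cfg)

ONE_OF_ONE = VerifierConfig(allowed={"C"}, required={"C"}, threshold=1)
TWO_OF_THREE = VerifierConfig(allowed={"A", "B", "C"}, required={"A"}, threshold=2)

if __name__ == "__main__":
    for name, cfg in (("1-of-1", ONE_OF_ONE), ("2-of-3", TWO_OF_THREE)):
        for backed in (True, False):
            print(name, "backed" if backed else "forged", run_scenario(cfg, backed))
```

Under the one-of-one configuration the single compromised verifier is enough to release the unbacked tokens; with a required honest verifier and a quorum of two, the same forged message is rejected while a genuinely backed transfer still passes.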

The protocol argues that traditional reviews focused on volatility, liquidity and smart contract audits failed to capture the risks created by bridges, verification networks and other infrastructure that sits outside application code.

Beyond smart contract audits and financial risk analysis, Aave said it will now evaluate bridge infrastructure, oracle dependencies, third-party contracts, custodial arrangements, operational security practices, and secondary-market liquidity before approving or expanding collateral listings.

The protocol is also building new automated defenses designed to react faster when collateral assets show signs of distress. Among the proposals outlined in the postmortem is a system that would automatically reduce an asset’s loan-to-value ratio to zero once predefined risk thresholds are breached, removing its borrowing power before losses can spread through the broader market.

Since the exploit, Aave says its risk managers have already executed roughly 295 parameter changes across V3 markets, including 168 supply-cap reductions and 66 borrow-cap reductions aimed at limiting exposure to individual assets.

As DeFi protocols become more interconnected, Aave’s postmortem suggests the industry may need to scrutinize not only the assets it lists, but also the infrastructure those assets depend on.
