Aave is implementing significant changes to its asset-listing standards in response to the $230 million exploit of rsETH, which highlighted vulnerabilities in bridge technology.

An official postmortem traced the exploit to a LayerZero bridge verification failure and outlined a sweeping overhaul of Aave's asset-listing standards as DeFi risks shift beyond smart contract bugs.

By Sam Reynolds | Edited by Shaurya Malwa | Jun 1, 2026, 5:04 a.m.

What to know:

  • Aave reported that the unprecedented rsETH exploit in April 2026 originated from a failure in KelpDAO’s LayerZero bridge, rather than a flaw in Aave’s smart contracts, prompting a comprehensive review of all V3 assets and listing protocols.
  • The postmortem revealed that attackers took advantage of a single LayerZero verifier to create a fraudulent cross-chain message, resulting in the minting of 116,500 unbacked rsETH tokens on Ethereum and exposing systemic risks in bridges and off-chain systems.
  • Aave intends to reform its risk management framework to examine bridges, oracles, custodians, and operational security more closely and to implement automated defenses capable of quickly nullifying the borrowing power of collateral. It has already executed numerous parameter adjustments to limit risk exposure.

The 2026 rsETH exploit is recorded as the largest DeFi attack of the year and was initiated through KelpDAO's bridge for restaked ether (rsETH), according to Aave. The protocol contends in an official postmortem published this week that this incident underscores the need for a reevaluation of risk assessment practices across the industry.

Aave is beginning a comprehensive review of every asset on V3 and is rewriting its asset-listing criteria following the exploit that unveiled a new category of risk within DeFi.

The postmortem clarified that the breach was not due to a defect in Aave's smart contracts but was instead linked to a verification failure within the LayerZero bridge, where a single verifier accepted a forged cross-chain message, allowing the creation of 116,500 unbacked rsETH.

Moving forward, Aave plans to incorporate evaluations of bridges, oracle dependencies, custodians, and operational security in addition to the traditional financial and smart-contract risk assessments.

KelpDAO operates as a "restaking" service, enabling users to leverage their locked ether to earn staking rewards while simultaneously using it as collateral to gain additional yields from various protocols. The rsETH token signifies a user's entitlement to their restaked ether. To facilitate the transfer of rsETH across blockchains, KelpDAO utilizes LayerZero, a cross-chain bridge infrastructure that transmits messages between networks, allowing tokens issued on one chain to appear on another.

Bridges depend on a network of independent verifiers to validate each message before the corresponding tokens are released on the receiving chain.

In April’s exploit, a lone verifier approved a fraudulent message, permitting the attacker to mint 116,500 rsETH on the destination chain without any actual ether backing it.
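To make the failure mode concrete, the sketch below is an added example (not code from Aave, KelpDAO or LayerZero) that models a receiving chain's acceptance check and compares a single-verifier (1-of-1) setup with a 2-of-3 quorum. The verifier names, keys, message fields and the use of HMAC in place of real verifier signatures are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed verifier keys; HMAC stands in for real verifier signatures.
VERIFIER_KEYS = {
    "verifier-a": b"key-a-constructed",
    "verifier-b": b"key-b-constructed",
    "verifier-c": b"key-c-constructed",
}


def message_digest(src_chain: str, nonce: int, recipient: str, amount: int) -> bytes:
    """Hash the fields every verifier must agree on (length-prefixed, so unambiguous)."""
    h = hashlib.sha256()
    for field in (src_chain, str(nonce), recipient, str(amount)):
        data = field.encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


def attest(verifier: str, digest: bytes) -> bytes:
    """The attestation a given verifier produces for a message digest."""
    return hmac.new(VERIFIER_KEYS[verifier], digest, hashlib.sha256).digest()


def accept_message(digest: bytes, attestations: dict, required: set, threshold: int) -> bool:
    """Release tokens only if `threshold` distinct verifiers in `required` attested."""
    if not 1 <= threshold <= len(required):
        raise ValueError("threshold must be between 1 and the number of verifiers")
    valid = set()
    for verifier, tag in attestations.items():
        if verifier not in required or verifier not in VERIFIER_KEYS:
            continue  # attestation from a verifier this route does not trust
        if hmac.compare_digest(tag, attest(verifier, digest)):
            valid.add(verifier)
    return len(valid) >= threshold


# Constructed forged message: no matching deposit exists on the source chain.
forged = message_digest("source-chain", 1, "recipient-constructed", 116_500)
# Only one verifier attests to it, as in the incident described above.
forged_attestations = {"verifier-a": attest("verifier-a", forged)}

ONE_OF_ONE = accept_message(forged, forged_attestations, {"verifier-a"}, 1)
TWO_OF_THREE = accept_message(forged, forged_attestations, set(VERIFIER_KEYS), 2)

if __name__ == "__main__":
    print("1-of-1 accepts forged message:", ONE_OF_ONE)
    print("2-of-3 accepts forged message:", TWO_OF_THREE)
```

With one verifier, that verifier's approval is the entire security of the route; with a quorum, a forged message needs several independent verifiers to fail at once.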

These tokens were subsequently deposited into Aave, where users could borrow against their collateral, leading to loans that Aave could not recover once the rsETH was identified as worthless. Aave’s code functioned as intended; however, the collateral it accepted was ultimately invalid due to the compromised bridge.

LayerZero admitted earlier this month that it had "made a mistake" by allowing its verification system to secure high-value assets in a one-of-a-kind configuration. Aave's postmortem suggests that the incident warrants a broader rethinking of risk management in DeFi.

Aave argues that conventional risk assessments focusing on volatility, liquidity, and smart contract audits did not adequately capture the risks introduced by bridges, verification networks, and other external infrastructures.

In addition to smart contract audits and financial risk evaluations, Aave will now also assess bridge infrastructure, oracle dependencies, third-party contracts, custodial arrangements, operational security protocols, and secondary-market liquidity before approving or expanding collateral listings.

The protocol is also developing new automated safeguards designed to respond promptly when collateral assets exhibit signs of distress. Among the proposals discussed in the postmortem is a system that would automatically reduce an asset's loan-to-value ratio to zero once specific risk thresholds are breached, effectively removing its borrowing capacity before losses can propagate through the broader market.
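One way such a safeguard could work, as an added example that is not Aave's design or code: the trigger used here (bridged supply exceeding the amount locked on the source chain), the 10 basis point tolerance, the 75% starting LTV and the 400,000-token starting supply are assumptions chosen for illustration, while the 116,500-token mint is the figure reported above.

```python
from dataclasses import dataclass


@dataclass
class CollateralAsset:
    symbol: str
    ltv_bps: int          # loan-to-value in basis points (7500 = 75%)
    bridged_supply: int   # tokens in circulation on the destination chain
    locked_backing: int   # tokens locked on the source chain to back them


def unbacked_bps(asset: CollateralAsset) -> int:
    """Share of the bridged supply with no backing, in basis points."""
    if asset.bridged_supply <= 0:
        return 0
    excess = max(asset.bridged_supply - asset.locked_backing, 0)
    return excess * 10_000 // asset.bridged_supply


def apply_circuit_breaker(asset: CollateralAsset, max_unbacked_bps: int = 10) -> bool:
    """Set LTV to zero when the unbacked share exceeds the tolerance.

    Returns True only when this call changed the asset's LTV.
    """
    if unbacked_bps(asset) > max_unbacked_bps and asset.ltv_bps != 0:
        asset.ltv_bps = 0
        return True
    return False


def borrowing_power(asset: CollateralAsset, collateral_value_usd: int) -> int:
    """Maximum new debt a position can open against this collateral."""
    return collateral_value_usd * asset.ltv_bps // 10_000


def demo():
    # Constructed starting state: fully backed supply, 75% LTV.
    asset = CollateralAsset("rsETH", 7500, 400_000, 400_000)
    before = borrowing_power(asset, 1_000_000)
    asset.bridged_supply += 116_500      # mint with no matching lock on the source chain
    gap = unbacked_bps(asset)
    tripped = apply_circuit_breaker(asset)
    after = borrowing_power(asset, 1_000_000)
    return before, gap, tripped, after


if __name__ == "__main__":
    print(demo())
```

Zeroing LTV stops new borrowing against the asset; it does not unwind loans that were opened before the breaker tripped, which is why the speed of the check matters.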

Since the exploit, Aave has reported that its risk management team has executed approximately 295 parameter changes across V3 markets, which include 168 supply-cap reductions and 66 borrow-cap reductions aimed at minimizing exposure to individual assets.

As DeFi protocols grow increasingly interconnected, Aave's postmortem indicates that the industry may need to examine not only the assets it lists but also the underlying infrastructure these assets rely on.