The Aave protocol has revised its asset listing standards following an April incident involving rsETH that threatened to create hundreds of millions of dollars in bad debt for the project.
— Aave (@aave) May 31, 2026
The incident was caused by a verification failure in the LayerZero bridge used by the Kelp project, rather than a vulnerability in Aave's smart contracts. An attacker exploited a configuration error in one of the verifiers to forge a cross-chain message and issue 116,500 unsecured rsETH tokens (worth $293 million).
The assets were deposited into Aave as collateral. Since rsETH was in eMode with a high loan-to-value (LTV) ratio of 93%, the attacker borrowed liquid assets that the protocol could not recover after rsETH depreciated.
The new framework for versions V3, V4, and Horizon expands the risk assessment criteria. Now, in addition to volatility and liquidity, Aave will consider:
- the reliability of bridge infrastructure and the number of token wrapping layers;
- dependencies on external oracles and custodians;
- technical architecture (ERC-20 compliance, admin rights, and code upgradeability);
- the operational security of the asset issuer.
The team also proposed implementing automated protective mechanisms. These will allow for the immediate resetting of an asset's LTV upon reaching critical risk thresholds, without waiting for governance decisions.
Risk managers have already made around 295 adjustments to the V3 market parameters, including reducing supply and borrowing limits to minimize the impact of similar incidents.
Auditors from OpenZeppelin confirmed that the incident resulted from miscalculations in infrastructure configuration and risk management, rather than bugs in Aave or Kelp's code.
As a reminder, on May 25, Kelp restored the collateral for rsETH, with the team sending a final tranche of 20,373 rsETH to the LayerZero smart contract.