The most expensive DeFi attack of 2026 started with KelpDAO’s restaked ether (rsETH) bridge, not a bug in Aave’s code. That, the lending protocol argues in an official postmortem published this week, is precisely why the industry needs to rethink how it measures risk.
Aave said it is launching a review of every asset listed on V3 and rewriting its listing standards after the $230 restaked ETH exploit in April exposed a new class of DeFi risks.
The protocol’s postmortem traced the attack not to a flaw in Aave’s smart contracts but to a verification failure in the LayerZero bridge, where a single verifier approved a spoofed cross-chain message that released 116,500 unbacked rsETH.
Going forward, Aave says collateral assessments will weigh bridges, oracle dependencies, custodians and operational security in addition to the financial and smart contract risks it has traditionally screened for.
KelpDAO is a “liquid restaking” service, which lets users take ether already locked up on Ethereum to earn staking rewards and reuse it as collateral to earn additional yield from other protocols. The rsETH token represents a user’s claim to that restaked ether. To move rsETH between blockchains, KelpDAO uses LayerZero, a piece of infrastructure known as a cross-chain bridge, which passes messages between networks so that a token issued on one chain can appear on another.
Bridges rely on a set of independent verifiers to confirm that each message is genuine before the receiving chain releases the equivalent tokens.
In the April attack, just one of those verifiers approved a fake message, which allowed the attacker to obtain 116,500 rsETH on the receiving chain without any actual ether behind it.
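
A simplified model of the verifier quorum described above, added here as an illustration; it is not LayerZero's, KelpDAO's or Aave's code. The verifier names and keys, the HMAC stand-in for signatures, and the `lint_config` and `accept_message` helpers are all assumptions.

```python
from __future__ import annotations
import hashlib
import hmac

# Constructed verifier registry: name -> secret key. HMAC stands in for the
# signature scheme a real verifier network would use (assumption).
VERIFIER_KEYS = {"verifier-a": b"key-a", "verifier-b": b"key-b", "verifier-c": b"key-c"}

def attest(verifier: str, message: bytes) -> tuple[str, bytes]:
    """One verifier's attestation over a cross-chain message."""
    return verifier, hmac.new(VERIFIER_KEYS[verifier], message, hashlib.sha256).digest()

def lint_config(verifiers: list[str], threshold: int) -> list[str]:
    """Flag quorum settings that let one verifier approve a message alone."""
    findings = []
    if len(set(verifiers)) != len(verifiers):
        findings.append("duplicate verifier in set")
    if not 1 <= threshold <= len(set(verifiers)):
        findings.append("threshold outside 1..N")
    elif threshold == 1:
        findings.append("single point of failure: one verifier can approve alone")
    return findings

def accept_message(message: bytes, attestations: list[tuple[str, bytes]],
                   verifiers: list[str], threshold: int) -> bool:
    """Accept only if `threshold` distinct configured verifiers attested."""
    approved = set()
    for name, tag in attestations:
        if name not in verifiers or name not in VERIFIER_KEYS:
            continue  # attestation from outside this route's verifier set
        expected = hmac.new(VERIFIER_KEYS[name], message, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            approved.add(name)  # a set, so repeats from one verifier count once
    return len(approved) >= threshold

# Constructed scenario: verifier-a alone attests a message that has no
# matching deposit on the source chain, and submits its attestation twice.
SPOOFED = b"constructed: release rsETH with no source-chain deposit"
FORGED = [attest("verifier-a", SPOOFED)] * 2
ALL = ["verifier-a", "verifier-b", "verifier-c"]

if __name__ == "__main__":
    print("1-of-1 accepts:", accept_message(SPOOFED, FORGED, ["verifier-a"], 1))
    print("2-of-3 accepts:", accept_message(SPOOFED, FORGED, ALL, 2))
    print("1-of-1 lint:", lint_config(["verifier-a"], 1))
```
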
Those tokens were then deposited into Aave, a lending protocol where users borrow against collateral they post, and used to take out loans that Aave was unable to recover once the rsETH was revealed to be worthless. Aave’s own code worked exactly as designed. The collateral it accepted turned out to be fake because the bridge that delivered it was compromised.
While LayerZero acknowledged earlier this month that it “made a mistake” by allowing its own verification system to secure valuable assets in a one-of-one setup, Aave’s postmortem goes further by using the incident to justify a broader overhaul of DeFi risk management.
The protocol states that traditional assessments focused on volatility, liquidity, and smart contract audits failed to capture the risks posed by bridges, verifier networks, and other infrastructure that lie outside the application code.
In addition to smart contract audits and financial risk assessments, Aave said it will now evaluate bridge infrastructure, oracle dependencies, third-party contracts, custodial arrangements, operational security practices and secondary market liquidity before approving or expanding collateral offerings.
The protocol is also building new automated defense mechanisms designed to respond more quickly when collateral assets show signs of distress. Among the proposals outlined in the postmortem is a system that would automatically reduce an asset’s loan-to-value ratio to zero once predefined risk thresholds are exceeded, removing borrowing power before losses can spread across the wider market.
Since the exploit, Aave says its risk managers have already implemented roughly 295 parameter changes in the V3 markets, including 168 supply limit reductions and 66 lending limit reductions aimed at limiting exposure to individual assets.
As DeFi protocols become increasingly interconnected, Aave’s postmortem suggests that the industry may need to examine not only the assets it lists, but also the infrastructure on which those assets depend.

