The Aave protocol has revised its asset listing standards following the April incident involving rsETH, which threatened the project with a potential bad debt of hundreds of millions of dollars.
— Aave (@aave) May 31, 2026
The incident was caused by a verification failure in the LayerZero bridge used by the Kelp project, rather than a vulnerability in the lending platform’s smart contracts. An attacker exploited a configuration error in one of the verifiers to forge a cross-chain message and issue 116,500 unsecured rsETH tokens ($293 million).
The assets were deposited into Aave as collateral. Since rsETH was in eMode with a high LTV (93%), the attacker borrowed liquid assets that the protocol would not be able to recover after rsETH devaluation.
The new framework for versions V3, V4, and Horizon expands risk assessment criteria. In addition to volatility and liquidity, Aave will now consider:
- the reliability of bridge infrastructure and the number of token wrapping layers;
- dependencies on external oracles and custodians;
- technical architecture (compliance with ERC-20, admin rights, and code upgradeability);
- operational security of the asset issuer.
The team also proposed implementing automated protective mechanisms. These would allow the LTV of an asset to be instantly reset upon reaching critical risk thresholds, without waiting for governance decisions.
Risk managers have already made around 295 adjustments to the parameters of V3 markets, including reducing supply and borrowing limits to minimize the impact of similar incidents.
Auditors from OpenZeppelin confirmed that the incident resulted from miscalculations in infrastructure configuration and risk management, rather than bugs in Aave or Kelp’s code.
On May 25, Kelp restored rsETH collateral, with the team sending a final tranche of 20,373 rsETH to the LayerZero smart contract.