The most costly DeFi attack of 2026 started with KelpDAO’s restaked ether (rsETH) bridge, not a bug in Aave’s code. That, the lending protocol argues in an official postmortem published this week, is exactly why the industry must rethink the way it measures risk.
Aave said it is launching a review of every asset listed on V3 and rewriting its listing standards after April’s $230 restaked ETH exploit exposed a new class of DeFi risk.
The protocol’s postmortem traced the attack not to a flaw in Aave’s smart contracts but to a LayerZero bridge verification failure, in which a single verifier accepted a forged cross-chain message that released 116,500 unbacked rsETH.
Going forward, Aave says collateral assessments will weigh bridges, oracle dependencies, custodians and operational security alongside the financial and smart-contract risks it has traditionally screened for.
KelpDAO is a “restaking” service that lets users take ether already locked into Ethereum to earn staking rewards and reuse it as collateral to earn additional yield from other protocols. The token rsETH represents a user’s claim on that restaked ether. To move rsETH between blockchains, KelpDAO uses LayerZero, a piece of infrastructure known as a cross-chain bridge that passes messages between networks so a token issued on one chain can show up on another.
Bridges rely on a set of independent verifiers who confirm that each message is genuine before the receiving chain releases the equivalent tokens.
In April’s attack, just one of those verifiers accepted a fake message, which let the attacker mint 116,500 rsETH on the receiving chain with no actual ether backing it.
Those tokens were then deposited into Aave, a lending protocol where users borrow against collateral they post, and used to take out loans Aave could not recover once the rsETH was revealed to be worthless. Aave’s own code worked exactly as designed. The collateral it accepted turned out to be fake because the bridge that delivered it had been compromised.
While LayerZero acknowledged earlier this month that it “made a mistake” by allowing its own verification system to secure high-value assets in a one-of-one configuration, Aave’s postmortem goes further by using the incident to justify a broader overhaul of DeFi risk management.
The protocol argues that traditional evaluations focused on volatility, liquidity and smart-contract audits failed to capture the risks created by bridges, verification networks and other infrastructure that sits outside application code.
Beyond smart-contract audits and financial risk analysis, Aave said it will now evaluate bridge infrastructure, oracle dependencies, third-party contracts, custodial arrangements, operational security practices, and secondary-market liquidity before approving or expanding collateral listings.
The protocol is also building new automated defenses designed to react faster when collateral assets show signs of distress. Among the proposals outlined in the postmortem is a system that can automatically reduce an asset’s loan-to-value ratio to zero once predefined risk thresholds are breached, removing its borrowing power before losses can spread through the broader market.
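To make the proposed circuit breaker concrete, here is an added Python illustration (not Aave’s or LayerZero’s code) of a lending-market monitor that compares a bridged token’s supply on the receiving chain with the amount locked on the source chain and drops the asset’s loan-to-value ratio and supply cap to zero when the gap exceeds a threshold. The locked and minted amounts, the tolerance and all parameter names are constructed assumptions; the 116,500 figure is the one reported above, and the monitor assumes it can independently observe both chains.

```python
# Hypothetical illustration, not Aave's or LayerZero's code. A lending market that can
# observe both sides of a bridge compares the bridged token supply on the receiving
# chain with the canonical units locked on the source chain; a gap means unbacked
# mints, and the response is the postmortem's proposal: LTV to zero, no new supply.
from dataclasses import dataclass, field


@dataclass
class CollateralParams:
    ltv_bps: int        # loan-to-value in basis points (7500 = 75%); constructed value
    supply_cap: int     # maximum units the market accepts as collateral
    borrow_cap: int


@dataclass
class BridgedAsset:
    symbol: str
    source_locked: int  # canonical units held by the bridge escrow on the source chain
    dest_minted: int    # bridged representation in circulation on the receiving chain
    params: CollateralParams
    frozen: bool = False
    log: list = field(default_factory=list)

    def unbacked_units(self) -> int:
        """Units on the receiving chain that no locked ether stands behind."""
        return max(0, self.dest_minted - self.source_locked)


def check_and_respond(asset: BridgedAsset, tolerance_bps: int = 10) -> bool:
    """Trip the circuit breaker when the unbacked gap exceeds `tolerance_bps` of the
    locked amount (the tolerance is a constructed threshold). Returns True if tripped."""
    unbacked = asset.unbacked_units()
    if unbacked <= asset.source_locked * tolerance_bps // 10_000:
        return False
    asset.params.ltv_bps = 0       # no further borrowing against this collateral
    asset.params.supply_cap = 0    # stop new deposits; existing positions are untouched
    asset.frozen = True
    asset.log.append(f"{asset.symbol}: {unbacked} unbacked units, LTV set to 0")
    return True


def simulate_forged_mint():
    """Constructed scenario: 100,000 rsETH bridged legitimately, then 116,500 minted on
    the receiving chain with nothing locked on the source (the figure reported above)."""
    asset = BridgedAsset("rsETH", source_locked=100_000, dest_minted=100_000,
                         params=CollateralParams(ltv_bps=7500, supply_cap=150_000,
                                                 borrow_cap=80_000))
    healthy = check_and_respond(asset)  # balanced supplies: breaker stays open
    asset.dest_minted += 116_500        # forged message accepted by a lone verifier
    tripped = check_and_respond(asset)  # gap detected: LTV and supply cap go to zero
    return healthy, tripped, asset
```

The check only works if the market reads the source-chain escrow itself rather than trusting the bridge’s own attestation, which is the single point that failed here.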
Since the exploit, Aave says its risk managers have already executed roughly 295 parameter changes across V3 markets, including 168 supply-cap reductions and 66 borrow-cap reductions aimed at limiting exposure to individual assets.
As DeFi protocols become more interconnected, Aave’s postmortem suggests the industry may need to scrutinize not only the assets it lists, but also the infrastructure those assets depend on.