Headline: Aave rewrites listing rules after $230M rsETH exploit exposes bridge vulnerabilities

Aave has launched a sweeping review of every V3 asset and is overhauling its listing standards after April’s $230 million rsETH exploit — the largest DeFi attack of 2026 — showed that the weakest link can be the cross-chain infrastructure around a token, not the lending protocol’s own code.

What happened

- The exploit originated with KelpDAO’s rsETH — a “restaked” ether token that represents a claim on ETH users have staked and re-used as collateral to earn extra yield.
- To move rsETH across chains, KelpDAO relied on LayerZero, a cross-chain messaging/bridge system that uses multiple verifiers to validate messages. In this incident, a single verifier approved a forged message.
- That approval allowed the attacker to mint 116,500 rsETH with no underlying ETH backing. The attacker then deposited those tokens into Aave and drew loans the protocol could not recover once the rsETH was revealed as worthless.
- Aave’s postmortem stresses that Aave’s smart contracts functioned as intended; the root cause was a bridge verification failure. LayerZero has acknowledged it “made a mistake” by relying on a one-of-one verification configuration for high-value assets.

Aave’s response and new rules

- Aave says it will rework collateral listing standards to look beyond classical checks (volatility, liquidity, smart-contract audits) and explicitly evaluate the external infrastructure that tokens depend on.
- New assessment factors will include bridge security and verification models, oracle dependencies, third-party contracts and custodians, operational security, and secondary-market liquidity.
- Aave is also building automated defenses to react faster when an asset shows distress. One proposed measure would automatically reduce an asset’s loan-to-value to zero if predefined risk thresholds are breached, cutting off borrowing power before losses cascade.
- Operationally, Aave’s risk team has already made roughly 295 parameter changes across V3 markets since the exploit — including 168 supply-cap reductions and 66 borrow-cap cuts — to limit exposure to individual assets.

Why this matters

- The incident underscores a broader lesson for DeFi: as protocols become more interconnected, off-chain and cross-chain infrastructure (bridges, relayers, verification networks) must be treated as first-class risk vectors alongside smart contracts and market risk.
- Aave’s shift toward infrastructure-aware listings and faster automated defenses could set a new industry standard for how lending platforms vet and manage collateral that depends on third-party systems.

Bottom line: The rsETH exploit didn’t break Aave’s code — it broke a bridge. Aave’s postmortem argues the remedy is not just patches, but a fundamental rethink of how DeFi measures and responds to risk across the entire stack.

Aave Overhauls Listing Rules After $230M rsETH Exploit
ChainGPT






Aave has updated its listing rules after a $230M DeFi exploit involving rsETH in April 2026. The attack used a flawed bridge verification to mint 116,500 rsETH and trigger unsecured loans. Aave confirmed its smart contracts were not at fault, pointing to the bridge failure. In response, the protocol is revising collateral standards, adding bridge and oracle checks, and deploying automated defenses. The move comes as exchange listing news highlights tighter DeFi security measures.