On June 1, 2026 at 5:04 a.m. UTC, Aave published an official postmortem tracing the April exploit, the largest DeFi exploit of 2026, to a LayerZero bridge verification failure, and announced it is overhauling how the entire industry should evaluate collateral risk.
The attack originated with KelpDAO's restaked ether (rsETH) bridge, not with a flaw in Aave's smart contracts. A single LayerZero verifier approved a forged cross-chain message, releasing 116,500 rsETH on the receiving chain with no actual ether backing it. Those unbacked tokens were deposited into Aave and used to take out loans the protocol could not recover once the rsETH was revealed as worthless. Aave's own code worked exactly as designed.
The postmortem argues that traditional DeFi risk reviews — focused on volatility, liquidity, and smart-contract audits — failed to capture the threats created by bridges, verification networks, and other infrastructure sitting outside the application layer. Going forward, Aave says collateral assessments will also weigh bridge infrastructure, oracle dependencies, third-party contracts, custodial arrangements, operational security practices, and secondary-market liquidity before any asset is approved or expanded as collateral.
Among the concrete proposals is an automated defense: a system that would reduce an asset's loan-to-value ratio to zero once predefined risk thresholds are breached, cutting its borrowing power before losses can spread. The protocol is also reviewing every asset currently listed on V3.
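The proposed LTV circuit breaker can be modeled as below. This is an added sketch, not Aave's code: the two signals (bridge backing ratio and verifier quorum), the threshold values, the 0.72 LTV, the 1,000,000 baseline supply and the 2,000 unit price are all assumptions chosen for illustration; only the 116,500 rsETH figure comes from the article.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Signals:
    """Per-asset inputs a risk monitor might collect (assumed fields)."""
    minted_on_destination: Decimal  # bridged tokens circulating on the receiving chain
    locked_on_source: Decimal       # backing held by the bridge on the origin chain
    required_verifiers: int         # M in an M-of-N bridge verification setup
    total_verifiers: int            # N

@dataclass(frozen=True)
class Thresholds:
    """Assumed limits; the article does not state Aave's actual thresholds."""
    min_backing_ratio: Decimal = Decimal("0.995")
    min_required_verifiers: int = 2

def breaches(s: Signals, t: Thresholds) -> list[str]:
    """Return a human-readable reason for every threshold the asset breaches."""
    reasons = []
    if s.minted_on_destination > 0:
        ratio = s.locked_on_source / s.minted_on_destination
        if ratio < t.min_backing_ratio:
            reasons.append(f"backing ratio {ratio:.4f} < {t.min_backing_ratio}")
    if s.required_verifiers < t.min_required_verifiers:
        reasons.append(f"{s.required_verifiers}-of-{s.total_verifiers} verification")
    return reasons

def effective_ltv(configured: Decimal, s: Signals, t: Thresholds = Thresholds()):
    """Zero the loan-to-value ratio on any breach, else keep the configured value."""
    reasons = breaches(s, t)
    return (Decimal("0") if reasons else configured), reasons

def borrowing_power(amount: Decimal, price: Decimal, ltv: Decimal) -> Decimal:
    """Value that can be borrowed against a deposit at the given LTV."""
    return amount * price * ltv

# Constructed sample data: only the 116,500 figure comes from the article.
LTV = Decimal("0.72")
HEALTHY = Signals(Decimal("1000000"), Decimal("1000000"), 2, 3)
FORGED = Signals(Decimal("1116500"), Decimal("1000000"), 1, 1)  # +116,500 unbacked

if __name__ == "__main__":
    for name, sig in (("healthy", HEALTHY), ("forged mint", FORGED)):
        ltv, why = effective_ltv(LTV, sig)
        power = borrowing_power(Decimal("116500"), Decimal("2000"), ltv)
        print(f"{name}: ltv={ltv} borrowing_power={power} reasons={why}")
```

A fully backed asset secured by a one-of-one verifier also trips the breaker in this model, which reflects the postmortem's point that infrastructure configuration is a risk input in its own right.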
The response is already underway. Since the exploit, Aave says risk managers have executed roughly 295 parameter changes across V3 markets — including 168 supply-cap reductions and 66 borrow-cap reductions — to limit exposure to individual assets.
LayerZero acknowledged on May 9 that it "made a mistake" by allowing its own verification system to secure high-value assets in a one-of-one configuration. Aave's postmortem goes further, using the incident to reframe the industry's risk posture: as DeFi protocols grow more interconnected, scrutiny must extend not only to the assets listed, but to all infrastructure those assets depend on.
Aave is DeFi's largest lending protocol, deployed across Ethereum — which held $41.8 billion in total value locked on June 1, 2026 — and multiple other chains. The $230 million rsETH exploit was the biggest DeFi attack of 2026.