Aave is overhauling its asset-listing standards after a $230 million exploit involving restaked ETH (rsETH) exposed critical vulnerabilities in cross-chain bridge infrastructure.
The attack, detailed in an official postmortem, did not exploit a flaw in Aave's smart contracts. Instead, it originated from a LayerZero bridge verification failure: a single verifier approved a forged cross-chain message, allowing the attacker to mint 116,500 unbacked rsETH on the receiving chain.
Those tokens were then deposited into Aave as collateral and used to borrow funds the protocol could not recover. Aave's code functioned as designed, but the collateral itself was fraudulent because the bridge delivering it had been compromised.
Moving forward, Aave says collateral assessments will now evaluate bridge infrastructure, oracle dependencies, custodians, and operational security in addition to traditional financial and smart-contract risks. The protocol is also building automated defenses that would reduce an asset's loan-to-value ratio to zero once predefined risk thresholds are breached.
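A defense of the kind described above can be sketched as a check that compares what a bridge has minted on remote chains with what it holds in escrow, and zeroes the loan-to-value ratio when the gap or the bridge's verifier count crosses a limit. This is an added example, not code from Aave or from the postmortem; the `BridgedAsset` and `Thresholds` names, the limit values, the chain names and all balances except the 116,500 figure are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

BPS = 10_000

@dataclass(frozen=True)
class BridgedAsset:
    symbol: str
    locked_on_home: int      # tokens escrowed by the bridge on the home chain
    remote_supply: dict      # chain -> tokens the bridge has minted there
    required_verifiers: int  # independent approvals needed per bridge message
    ltv_bps: int             # current loan-to-value in basis points

@dataclass(frozen=True)
class Thresholds:            # hypothetical limits, not Aave's published values
    max_unbacked_bps: int = 10
    min_verifiers: int = 2

def unbacked(asset):
    """Tokens in circulation on remote chains with nothing escrowed behind them."""
    return max(0, sum(asset.remote_supply.values()) - asset.locked_on_home)

def evaluate(asset, limits=Thresholds()):
    """Return (ltv_bps to apply, list of breached thresholds)."""
    reasons = []
    minted = sum(asset.remote_supply.values())
    gap = unbacked(asset)
    # Cross-multiply to stay in integers and avoid dividing by zero supply.
    if gap * BPS > limits.max_unbacked_bps * minted:
        reasons.append(f"{gap} {asset.symbol} unbacked out of {minted} minted")
    if asset.required_verifiers < limits.min_verifiers:
        reasons.append(
            f"bridge accepts messages on {asset.required_verifiers} verifier approval(s)")
    return (0 if reasons else asset.ltv_bps), reasons

# Constructed sample state; only the 116,500 figure comes from the article.
HEALTHY = BridgedAsset("rsETH", 500_000, {"chain-a": 300_000, "chain-b": 200_000}, 2, 7_200)
FORGED = replace(HEALTHY, remote_supply={"chain-a": 300_000, "chain-b": 316_500})

if __name__ == "__main__":
    for state in (HEALTHY, FORGED):
        print(evaluate(state))
```

The supply check fires only after unbacked tokens exist, while the verifier-count check flags the single-approver configuration before any forged message is accepted.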
Aave's risk managers have already executed roughly 295 parameter changes across V3 markets, including 168 supply-cap reductions and 66 borrow-cap reductions. The incident highlights a growing need for DeFi protocols to scrutinize not only listed assets but also the infrastructure they depend on.