Aave Reports on Bridge Exploit Incident and Comprehensive Recovery Efforts

Aave has published a comprehensive report on the April 18, 2026 bridge exploit that impacted several of its V3 markets. The incident involved the unauthorized release of 116,500 rsETH through Kelp's LayerZero V2 bridge.

The forged cross-chain message, which was accepted by the bridge, released the assets without a matching burn on Unichain. This allowed an attacker to supply the assets into Aave positions and borrow WETH and wstETH against the collateral.

Aave's Protocol Guardian and Risk Steward activated emergency protections, including freezing rsETH and wrsETH reserves, reducing loan-to-value ratios to zero, and later freezing WETH across several deployments. The Arbitrum Security Council also froze more than 30,765 ETH connected to the attacker on April 21.

In addition to containment efforts, Aave Labs coordinated DeFi United, a recovery initiative involving multiple partners. Recovery commitments exceeded $160 million by April 25 and later reached roughly $300 million. The technical recovery included liquidating attacker-linked positions, burning recovered rsETH, and refilling the LayerZero adapter through five separate tranches.