Aave Recovers from $292M rsETH Exploit with $300M Coalition Support

Aave, a leading decentralized finance (DeFi) platform, recently suffered a significant exploit that resulted in the loss of $292 million worth of rsETH tokens. The incident occurred when an attacker successfully forged a cross-chain message, allowing them to extract large amounts of rsETH from Aave's protocol.

The attack was executed through Kelp's rsETH LayerZero V2 bridge, which accepted an inbound nonce that was not properly verified. As a result, 116,500 rsETH tokens were extracted from the Ethereum-side adapter, and seven recipient addresses received the stolen funds within minutes.

However, Aave's Protocol Guardian quickly responded to the incident by freezing rsETH and wrsETH across V3 and setting LTV to zero. The Kelp Spoke on V4 was also frozen in full, and WETH borrowing on the Spoke was switched off. This swift action contained the damage and prevented further losses.

A coalition of DeFi protocols, including Lido, EtherFi, Ethena, Mantle, Golem, Compound, LayerZero, Keyring, KelpDAO, Consensys, and Joseph Lubin's company, contributed over $300 million to restore full backing to Aave's protocol. The recovery efforts were successful, and markets are now operating normally.

A new Technical Asset Listing Framework has been proposed by Aave Labs to formalize baseline requirements for new listings and material parameter expansion across V3, V4, and Horizon. This framework aims to prevent similar incidents in the future by ensuring that all assets meet strict security standards before being listed on the platform.