rsETH exploited via Aave bridge flaw; $144M recovered fast

Published: 2026-05-31 17:31:45 |

An rsETH exploit leveraged a bridge vulnerability tied to Aave’s rsETH collateral. On April 18, 2026, a third-party LayerZero-based rsETH bridge (Kelp) with a single-validator setup was manipulated via “RPC poisoning,” enabling 116,500 rsETH to be released on Ethereum without corresponding token burns on the source chain. The attacker distributed 116,500 rsETH across seven addresses, depositing 89,567 rsETH as collateral into eight Aave V3 positions on Ethereum and Arbitrum, then borrowing 82,650 WETH and 821 wstETH while keeping health factors around 1.01–1.03 to avoid liquidation. Aave and ecosystem partners reacted immediately. Aave froze rsETH/wrsETH transfers and set the collateral ratio to zero on Aave V3, disabled the assets on Aave V4, and Kelp froze 43,373 rsETH. Additional actions followed: WETH transactions were suspended across Ethereum, Arbitrum, Base, Mantle, and Linea; Arbitrum Security Council blocked 30,766 ETH linked to the attacker; and rsETH reserves were fully frozen by April 23. Industry collaboration then focused on recovery. The DeFi United consortium (including Lido, Ethena, and Mantle) committed to restoring up to $300M in assets. The Aave LayerZero OFT adapter was replenished in stages, recovering 116,131 rsETH. Normal operations resumed across affected Aave markets.

Neutral

This is a DeFi bridge incident rather than a core Aave smart-contract failure. The rsETH exploit was contained quickly via Guardian-style freezes, partner coordination, and rapid asset recovery (116,131 rsETH reported recovered). Historically, when bridge risks are shut down fast and funds are restored, markets often see limited sustained damage, with traders shifting from panic to “watch-and-confirm” positioning. In the short term, however, any headline about rsETH/Aave bridge flaws can still pressure sentiment for DeFi blue chips and collateralized lending tokens due to renewed counterparty and bridging risk pricing. Traders may reduce exposure to similar bridge-dependent collateral until audit trails and monitoring confirm no further adapter/validator weaknesses. In the longer term, the event can be viewed as a catalyst for tighter bridge validation assumptions, clearer collateral dependency disclosures, and more conservative listing policies. Overall, because the exploit was rapidly mitigated and recovery was substantial, the impact is more likely sentiment-neutral (risk premium may tick up temporarily) rather than a lasting bearish trend.