
Aave Confronts Security Breach with Swift Defense


A critical security breach on April 18, 2026, within the Ethereum landscape, unveiled a severe flaw in the infrastructure of a third-party bridge linked to the decentralized finance (DeFi) protocol Aave. The breach exploited the vulnerability in the single-validator setup of the rsETH LayerZero bridge, operated on the cross-chain Kelp protocol.

Why was the bridge vulnerability so critical?

Kelp's bridge, integral to linking Unichain to Ethereum, relied on a sole validator to approve all cross-chain transactions. This single-validator approach was susceptible to manipulation through an attack known as RPC poisoning. As a result, the validator was deceived into approving the release of 116,500 rsETH on Ethereum without any tokens being burned on the source chain. The fraudulent transaction moved through the bridge adapter and was validated on Ethereum, causing the release of a significant volume of rsETH.
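The single-source weakness described above can be contrasted with a quorum rule, shown here as an added example that is not code from Kelp, LayerZero or Aave. The `BurnReport` shape, the endpoint labels, the confirmation threshold and the transaction hash are hypothetical; only the 116,500 rsETH figure comes from the article.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class BurnReport:
    """What one RPC endpoint returns for a source-chain burn (hypothetical shape)."""
    tx_hash: str
    amount: int          # smallest token units
    confirmations: int

@dataclass(frozen=True)
class Decision:
    approved: bool
    agree: Tuple[str, ...]    # endpoints that confirmed the exact burn
    dissent: Tuple[str, ...]  # endpoints that did not (worth alerting on)

def decide_release(msg_tx: str, msg_amount: int,
                   reports: Dict[str, Optional[BurnReport]],
                   quorum: int, min_conf: int = 12) -> Decision:
    """Approve a release only if `quorum` independent endpoints report the same
    burn as the bridge message. None means the endpoint found no such burn."""
    agree, dissent = [], []
    for source, rep in sorted(reports.items()):
        ok = (rep is not None and rep.tx_hash == msg_tx
              and rep.amount == msg_amount and rep.confirmations >= min_conf)
        (agree if ok else dissent).append(source)
    return Decision(len(agree) >= quorum, tuple(agree), tuple(dissent))

# Constructed sample data: one endpoint reports a burn that the others never saw.
UNIT = 10**18
FAKE = BurnReport("0xCONSTRUCTED_EXAMPLE", 116_500 * UNIT, 64)
SINGLE_SOURCE = {"rpc-a": FAKE}
THREE_SOURCES = {"rpc-a": FAKE, "rpc-b": None, "rpc-c": None}

def demo() -> Tuple[Decision, Decision]:
    """Same message, judged by a one-endpoint validator and by a 2-of-3 quorum."""
    single = decide_release(FAKE.tx_hash, FAKE.amount, SINGLE_SOURCE, quorum=1)
    multi = decide_release(FAKE.tx_hash, FAKE.amount, THREE_SOURCES, quorum=2)
    return single, multi

if __name__ == "__main__":
    for label, d in zip(("single source", "2-of-3 quorum"), demo()):
        print(f"{label}: approved={d.approved} dissent={d.dissent}")
```

A non-empty `dissent` list is itself a detection signal: endpoints disagreeing about whether a burn exists should page an operator even when the quorum is met.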

How did the attacker execute the breach?

Once the exploit was realized, the intruder scattered the illicitly obtained rsETH across seven separate accounts, depositing a substantial amount into several Aave V3 positions across Ethereum and Arbitrum. They borrowed extensively using this collateral, strategically maintaining health factors close to the liquidation threshold to safeguard their holdings.

Incorporating rsETH as collateral on Aave introduced critical dependencies on the validation processes at the bridge level, exposing vulnerabilities beyond Aave's direct control.

"Developers following the issue closely commented that adding rsETH as collateral brought the inherent risks of the underlying bridge infrastructure into the protocol."

What steps did Aave and its partners take?

Aave acted swiftly through its Guardian systems, promptly halting transfers involving rsETH and wrsETH. The immediate freeze effectively neutralized the collateral, suspending any means of depositing or borrowing these assets within its ecosystem. Meanwhile, the Kelp team managed to secure 43,373 rsETH on their end.

Efforts were further bolstered as the Arbitrum Security Council halted 30,766 ETH transactions tied to the perpetrator, ensuring none of the illicit gains could be exploited.

– The LayerZero integration played a pivotal role in this vulnerability.
– Collaborative measures between Aave and industry partners facilitated rapid asset freezing.
– Recovery endeavors were reinforced across networks like Ethereum and Arbitrum to thwart the attacker's actions.
– Aave's proactive strategy safeguarded unaffected users and assets.

The aftermath saw DeFi United, comprised of liquidity giants, initiate recovery efforts totaling $300 million. Typically a 116,131 rsETH recovery followed structured replenishment scenarios across Aave markets, restoring normalcy to affected operations.

Disclaimer: The information contained in this article does not constitute investment advice. Investors should be aware that cryptocurrencies carry high volatility and therefore risk, and should conduct their own research.
