Key Takeaways:
Aave fully restored $300 million in liquidity to its lending pools after a cross-chain exploit drained assets via counterfeit rsETH tokens, mobilizing an industrywide rescue fund and securing an emergency federal court order to replace the stolen capital.
Aave fully restored liquidity to its lending pools after a $300 million cross-chain exploit, mobilizing an industrywide rescue fund and securing an emergency federal court order to replace drained assets, developers said June 1.
"The recovery required coordination across Lido, Ether.fi, Ethena and Compound to backstop the compromised positions," an Aave Labs spokesperson said in the post-mortem.
The attacker exploited a third-party bridge operated by Kelp and Layerzero on April 18, fabricating cross-chain messages to mint 116,500 counterfeit rsETH tokens. The hacker deposited the fake rsETH as collateral on Aave's V3 platform on Ethereum and borrowed 82,650 wrapped ether and 821 wrapped staked ether, structurally weakening the protocol's core liquidity pools. Risk managers froze affected markets to prevent a cascading run on the platform's capital.
The episode exposed a critical vulnerability in DeFi's cross-chain infrastructure — a single bridge compromise can drain liquidity from the largest lending protocol. Aave responded with 295 individual parameter updates and an automated circuit breaker that strips collateral value from any asset whose cross-chain infrastructure suffers a breach.
The $300M Backstop and the Legal Hurdle
To plug the hole, Aave Labs helped mobilize an emergency coalition of major industry players, including Lido, Ether.fi, Ethena and Compound. Together, the group structured a $300 million recovery fund that backstopped the compromised rsETH assets, guaranteeing that every dollar of user deposits remained fully collateralized by authentic reserves.
The path to restoring liquidity faced a legal obstacle on May 1, when judgment creditors in an unrelated federal case obtained a restraining notice that froze roughly $71 million in ether that had been clawed back from the attacker and was slated to refill Aave's pools. Aave filed an emergency motion in U.S. federal court on May 4, and four days later a judge granted a modification permitting the immediate transfer of the $71 million back into Aave's custody. Developers routed the funds into the protocol's active lending pools, restoring the liquidity depth required for safe market operations.
295 Parameter Updates and a New Risk Architecture
With capital reserves fully replenished and pre-exploit market parameters restored, Aave overhauled its risk architecture to insulate its liquidity from future third-party systemic failures. Developers executed 295 individual parameter updates, slashing borrowing and supply caps across 168 separate asset pools.
The protocol also implemented an automated LTV0 circuit breaker. Going forward, if any asset's underlying cross-chain infrastructure experiences a security breach, the system will instantly strip that asset of its collateral value, ensuring compromised tokens can no longer be used to borrow or drain authentic liquidity from Aave's markets.
The Kelp DAO attacker, whom Chainalysis linked to North Korea's Lazarus Group, has since laundered most of the roughly $220 million that remained outside the frozen funds, on-chain tracking shows. The frozen $71 million on Arbitrum remains the main identified pool available for possible recovery.
This article is for informational purposes only and does not constitute investment advice.
