Aave has just published its post-mortem on the April exploit that saw $292 million in exposure tied to rsETH. The core issue was a forged cross-chain message, which triggered the creation of 116,500 unbacked rsETH tokens on Ethereum. There was no matching burn on the other chain, so these tokens entered the system with nothing behind them. Of those, nearly 90,000 were used as collateral in Aave’s own markets, spreading the impact directly to depositors and amplifying protocol-wide risk.
Aave’s account now spells out what allowed this to happen: the bridging setup used a one-of-one verifier, meaning a single attestation could effectively mint new collateral without real backing. As soon as the message was accepted, collateral limits became theoretical and the protocol had to freeze affected assets and unwind exposures.
On recovery, Aave says governance support formed part of a broader “DeFi United” effort, with roughly $300 million assembled to help restore rsETH backing. According to Aave, this incident directly shaped new controls: a shift to stricter collateral frameworks, asset-tiered loan-to-value ratios, and hard limits on the stacking of wrapped or derivative tokens as collateral. The protocol reinstated normal rates only after on-chain redemptions showed stability, marking a shift from crisis management to longer-term risk posture.