DeFi Landscape Rattled by Fake Transaction Slip-Up in Aave's Ethereum Liquid Staking Platform Last Month

A devastating exploit on April 18, 2026, unearthed a glaring weakness in the bridge infrastructure linking Aave's markets, specifically the Kelp rsETH LayerZero V2 bridge connecting Unichain to Ethereum. By forging a cross-chain message, an attacker was able to release a substantial 116,500 rsETH into the Ethereum ecosystem without a corresponding burn on Unichain, subsequently utilizing these tokens as collateral to take out loans across multiple Aave V3 positions. Fortunately, a swift and coordinated recovery effort ensued, ultimately restoring the markets to their normal state and ensuring full backing.

The root of the issue lay in the bridge's architecture, which relied heavily on a single verifier to authenticate all incoming cross-chain messages, essentially creating a single point of failure. This configuration, known as a one-of-one Decentralized Verifier Network, proved vulnerable to external manipulation when the verifier was targeted by an RPC-poisoning attack, allowing the attacker to distort its view of the source-chain state. At 17:35 UTC on April 18, the Ethereum endpoint accepted an inbound message with nonce 308, releasing the aforementioned 116,500 rsETH, while the Unichain endpoint continued to display only outbound nonce 307, indicating that no burn had occurred on the source chain.

The exploit's success was not due to a flaw in Aave's smart contract code but rather the bridge's dependency on a single verifier and its susceptibility to external manipulation, a vulnerability that existed outside of the Aave protocol. Following the release of the rsETH tokens, the attacker rapidly dispersed them across seven recipient addresses, with 89,567 rsETH being deployed as collateral across eight Aave V3 positions on Ethereum Core and Arbitrum, securing loans totaling 82,650 WETH and 821 wstETH. The attacker carefully maintained health factors between 1.01 and 1.03, narrowly avoiding automatic liquidation.

Aave's exposure to the exploit stemmed from its listing of rsETH as collateral under standard overcollateralization terms, creating a direct dependency on the bridge's verification infrastructure, which is beyond Aave's control. In response, the Aave Protocol Guardian sprang into action, freezing rsETH and wrsETH across Aave V3 and setting the loan-to-value (LTV) ratio to zero by 19:00 UTC on April 18. Additionally, the Kelp Spoke on Aave V4 was fully frozen, and WETH borrowing was immediately deactivated.

As the response efforts progressed, Kelp successfully paused 43,373 rsETH connected to the exploit between 18:00 and 19:00 UTC, limiting further damage. Over the next two days, additional protective measures were implemented, including the freezing of WETH across multiple deployments, such as Ethereum Core, Ethereum Prime, Arbitrum, Base, Mantle, and Linea on April 20. The Arbitrum Security Council further froze 30,766 ETH linked to the attacker on April 21. By April 23, rsETH reserves had been fully paused across multiple deployments, enabling the potential liquidation of attacker positions and recovery of assets for affected users, thereby mitigating the exploit's impact.