According to Aave, forged messages on Kelp’s rsETH bridge released 116,500 rsETH, and Aave’s postmortem says a LayerZero verification failure prompted tighter asset-listing standards and ongoing recovery efforts.
Aave said forged cross-chain messages targeting Kelp’s rsETH bridge on LayerZero V2 released 116,500 rsETH, which the attacker deposited into Aave V3 to borrow about 82,650 WETH and 821 wstETH. In its official postmortem, Aave said the incident was tied to a LayerZero bridge verification failure rather than a conventional smart contract bug, and outlined a broader overhaul of its asset-listing standards to better assess risks from bridges and other interconnected infrastructure. Aave said affected markets remain operational while recovery efforts and legal proceedings continue.