How Aave Recovered From Its $293M Bridge Exploit in 40 Days
On April 18, 2026, a single forged message inside a cross-chain bridge triggered what became the biggest decentralized finance exploit of the year. The target was not Aave's code. It was the bridge Aave trusted. Kelp's LayerZero V2 bridge from Unichain to Ethereum was running a one-of-one verification setup, meaning one signer confirmed every cross-chain transaction. That signer got compromised through an RPC-poisoning attack. The result was 116,500 rsETH released onto Ethereum mainnet with no corresponding burn on the source chain. An attacker used those tokens as collateral on Aave and walked out with roughly $230 million in real assets. What happened after is less covered but more important. Aave did not collapse. Within 90 minutes, the Protocol Guardian froze the affected markets. Within 48 hours, a coalition of DeFi protocols was already forming to restore backing for affected users. That coalition, called DeFi United, eventually pulled together over $300 million in reco...