Aave Reboots rsETH After $292M Hack, Raises Bug Bounty to $5M in 2026
Five weeks after a $292M bridge exploit froze rsETH markets, Aave has unpaused five networks and proposed raising its max bug bounty from $1M to $5M, highlighting both composability risk and the growing role of security incentives in DeFi.
Five weeks after DeFi’s most destructive exploit of 2026 froze one of the industry’s largest lending protocols, Aave has officially unpaused rsETH markets across five blockchain networks. On May 15, rsETH withdrawals went live for the first time since the $292 million KelpDAO bridge hack, restoring access for thousands of users locked out since April 18. Hours later, Aave Labs published a governance proposal to raise its maximum bug bounty from $1 million to $5 million — which would be the largest in DeFi history if passed.
The Exploit That Shook Composable DeFi
The KelpDAO incident began on April 18 with a forged cross-chain message. An attacker exploited a vulnerability in KelpDAO’s LayerZero-based bridge, fabricating a message that minted approximately 116,500 rsETH — a liquid restaking token backed by Ethereum staking rewards — with no actual collateral behind it.
The damage cascaded immediately. rsETH had been accepted as collateral in Aave’s lending markets, meaning the fraudulent tokens could be used to borrow real assets against phantom value. Within hours, approximately $190 million in bad debt had materialized on Aave, as the protocol paused rsETH markets across all five supported networks to stop the bleeding.
Key figures from the exploit:
- $292 million total value drained through a forged bridge message
- 116,500 rsETH minted fraudulently via LayerZero’s cross-chain relay
- ~$190 million in bad debt created on Aave’s lending pools
- $6 billion+ in liquidity exited Aave as users pulled collateral
- Attack widely attributed by analysts to North Korea’s Lazarus Group
The incident was a stress test for composability risk — the hidden danger in DeFi where a vulnerability in one protocol cascades instantly across every money market that has accepted the affected token as collateral.
How the Recovery Coalition Came Together
Aave and KelpDAO faced an unprecedented coordination problem: how do you make $190 million in bad debt whole without a central authority, a regulator, or an insurance pool?
The answer was a voluntary recovery coalition assembled over the weeks that followed. Contributors including Lido, Ether.fi, LayerZero, Mantle, and Aave founder Stani Kulechov collectively committed over $300 million in ETH to restore full rsETH backing. The voluntary nature of these commitments — from competitors, infrastructure partners, and individual stakeholders — underscored both the interconnectedness of DeFi’s blue-chip protocols and the reputational stakes involved in allowing a major bad debt event to go unresolved.
The recovery plan, announced on May 12, laid out a phased restart:
- Phase 1 (complete): rsETH withdrawals re-enabled, Aave markets unpaused, EigenLayer claims restored.
- Phase 2 (in progress): Cross-chain bridging restored as Kelp completes its infrastructure migration.
- Phase 3 (pending): Deposits re-enabled after a stabilization window concludes.
This coalition model — where protocol founders, liquid staking providers, and infrastructure partners co-fund a recovery — is likely to influence how the DeFi industry structures incident response going forward.
The May 15 Restart: What Actually Changed
On May 15 at approximately 4:30 PM CET, KelpDAO updated rsETH exchange rates to reflect four weeks of accrued staking rewards — a critical step required before withdrawals could safely proceed without shortchanging long-term holders. Aave then confirmed that rsETH markets had been unpaused on five networks:
- Ethereum Core
- Arbitrum