Aave Blames Forged LayerZero Message for rsETH Losses and Overhauls Collateral Rules

Overview

• A forged cross-chain message allowed 116,500 unbacked rsETH to be minted and moved to Ethereum, creating fake collateral that was deposited into Aave.
• Investigators say the KelpDAO rsETH bridge used a one-of-one verifier that was manipulated through poisoned RPC data to approve a message with nonce 308 instead of nonce 307.
• The attacker placed 89,567 rsETH as collateral across eight Aave V3 positions and borrowed roughly 82,650 WETH and 821 wstETH while keeping positions just above liquidation.
• Aave’s Protocol Guardian froze rsETH and wrsETH, set loan-to-value to zero on affected markets, and risk teams executed about 295 parameter changes after the exploit.
• Coordinated recovery efforts led by DeFi contributors refilled the LayerZero OFT adapter over multiple tranches and restored backing for about 116,131 rsETH but legal and frozen-asset disputes remain unresolved.