Aave has reinstated Wrapped Ether borrowing limits across multiple deployments after the Kelp DAO rsETH bridge exploit created substantial bad debt and froze liquidity across affected markets. The restoration marks a key step toward market normalization, but the recovery has also exposed legal, governance and collateral-risk challenges that will reshape Aave’s asset-listing standards.

The April 18, 2026 exploit did not originate in Aave’s core lending contracts. Attackers compromised a LayerZero-based bridge operated by Kelp DAO and minted roughly 116,500 unbacked rsETH, valued at more than $290 million at creation, before using the tokens as collateral on Aave V3 and V4.

In accordance with the rsETH technical recovery plan, WETH LTVs on Aave V3 Ethereum Core, Ethereum Prime, Arbitrum, Base, Mantle, and Linea have been restored to their pre-incident values.

WETH now operates as normal across all affected V3 deployments.

— Aave (@aave) May 17, 2026

Unbacked rsETH Triggered WETH Liquidity Stress

Aave’s prior risk parameters treated rsETH as capital-efficient collateral, with permissive supply and borrow caps. That design allowed attackers to extract large volumes of legitimate WETH against collateral that had no real backing, creating an estimated $177 million to $230 million in bad debt.

The protocol responded by freezing rsETH markets and coordinating liquidations across Ethereum and Arbitrum. Recovery teams and third parties reclaimed about 106,993 of 112,103 unbacked rsETH tokens, materially reducing the outstanding deficit.

Those actions enabled Aave to restore WETH loan-to-value limits and borrowing caps across Ethereum Core, Arbitrum, Base, Mantle and Linea. The move reopens core WETH borrowing functionality and reduces immediate liquidity pressure for traders, treasuries and lending-market participants.

Aave also activated its internal Umbrella backstop to absorb part of the residual shortfall. That mechanism introduces potential economic consequences for aWETH stakers, including partial slashing as part of the capital-restoration process.

Collateral Standards Face a Security Reset

The recovery remains legally complicated. Roughly $71 million in frozen ETH is still tied up in a dispute involving third parties, leaving capital allocation and recoverability questions unresolved even as borrowing functionality returns.

Aave’s governance response now extends beyond emergency market controls. The protocol is moving toward stricter collateral and asset-listing standards that account for cybersecurity posture, smart-contract architecture and bridge design, not only liquidity and financial metrics.

Security incentives are also changing. Proposed bug bounty increases and the rollout of Aave Checkpoint, an AI-assisted governance security layer, aim to strengthen proposal review, execution controls and pre-deployment risk detection.

Kelp DAO has also adjusted its own roadmap, including plans to discontinue rsETH bridging on several networks after June 15, 2026. Its migration toward different oracle and bridge infrastructure reflects a broader reset in liquid staking and cross-chain risk assumptions.

The restored WETH parameters are constructive but not risk-free. The incident makes clear that bridge risk can become lending-market risk when wrapped or liquid staking assets are accepted as collateral.

Mmajor lending venues are likely to require tighter security testing, clearer recovery plans and more conservative collateral onboarding. Governance and compliance teams should update stress testing, disclosure policies and contingency reserves around cross-chain collateral exposure.