Aave Labs has outlined a series of structural risk and security changes following the 18 April Kelp DAO exploit, using the incident as the basis for reforms that span asset listing standards, automated risk management, bridge dependency oversight and operational security.
In a post-mortem published on 31 May, the company confirmed that the exploit originated entirely in Kelp's LayerZero V2 bridge infrastructure, which used a single verifier in a one-of-one configuration that was compromised via an RPC-poisoning attack.
The attacker used stolen rsETH as collateral on Aave to borrow WETH and wstETH, generating bad debt that triggered a liquidity shock and nearly six weeks of emergency market management. Backing for rsETH has since been fully restored, WETH lending parameters have been reset to pre-exploit levels, and the Arbitrum DAO vote authorizing the transfer of the immobilized ETH to Aave LLC has passed and is pending onchain execution.
AAVE was trading at $80.80 as of 08:00 UTC on 1 June, down 2.45% over 24 hours and still approximately 32% below the levels of around $118 at which it was trading before the Kelp hack, according to CoinMarketCap data.
Protocol-wide risk reset
Aave Labs published a new Technical Asset Listing Framework formalizing the baseline requirements for new and continued listings across V3, V4 and Horizon, covering third-party bridge dependencies, oracle infrastructure, centralization risks and secondary market liquidity.
A Bridge Assessment Framework and a broader Risk Framework from risk service provider LlamaRisk are forthcoming. Assets that do not meet the required standards will be offboarded, as will lower-TVL deployments where the commercial case for continued operation no longer holds.
In parallel, Aave said it is building automated systems to manage supply and borrow caps, designed to contain the blast radius of any future collateral failure without requiring manual intervention. A separate automated system will manage LTV-to-zero configurations, triggering automatically when risk thresholds for a given collateral are breached, cutting off borrowing power before holders can convert exposure and pressure liquidity across other markets.
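To make the two control points above concrete, here is an added illustration (not Aave's or LlamaRisk's code; every name, threshold and sample value is constructed for this example): a listing-time check that rejects a one-of-one verifier bridge like the one that failed at Kelp, a bound on worst-case bad debt that shows how a supply cap limits the blast radius, and a runtime circuit breaker that sets LTV to zero once verified backing breaks.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class BridgeConfig:
    verifiers: int   # independent verifiers configured on the bridge
    required: int    # how many must agree before a message is accepted

@dataclass(frozen=True)
class Reserve:
    symbol: str
    ltv: float            # loan-to-value, 0.70 means 70 %
    supply_cap: float     # max units of this collateral the market accepts
    backing_ratio: float  # verified backing on source chain / supply on the market
    bridge: BridgeConfig
    frozen: bool = False  # frozen reserves accept no new supply or borrows

def listing_violations(r: Reserve, min_quorum: int = 2) -> list[str]:
    """Listing-time check: a bridge whose quorum is below min_quorum fails."""
    issues = []
    if r.bridge.required < min_quorum or r.bridge.verifiers < min_quorum:
        issues.append(f"{r.symbol}: bridge quorum {r.bridge.required}-of-"
                      f"{r.bridge.verifiers} is a single point of failure")
    return issues

def max_bad_debt(r: Reserve, price: float) -> float:
    """Worst case if the collateral becomes worthless: at most cap * LTV * price
    can have been borrowed against it, so the supply cap bounds the loss."""
    return r.supply_cap * r.ltv * price

def circuit_breaker(r: Reserve, min_backing: float = 0.99) -> Reserve:
    """Runtime check: once backing falls below threshold, cut LTV to zero and
    freeze the reserve without manual intervention. Only LTV changes; the
    liquidation threshold is left alone so existing borrowers are not
    force-liquidated by the response itself (assumed LTV-to-zero semantics)."""
    if r.backing_ratio >= min_backing:
        return r
    return replace(r, ltv=0.0, frozen=True)

# Constructed samples: a Kelp-style LST on a 1-of-1 bridge with 40 % of its
# supply unbacked, and a healthy asset behind a 2-of-3 verifier set.
UNBACKED = Reserve("lst-1of1", ltv=0.70, supply_cap=10_000, backing_ratio=0.60,
                   bridge=BridgeConfig(verifiers=1, required=1))
HEALTHY = Reserve("lst-2of3", ltv=0.70, supply_cap=10_000, backing_ratio=1.00,
                  bridge=BridgeConfig(verifiers=3, required=2))

if __name__ == "__main__":
    for issue in listing_violations(UNBACKED):
        print("LISTING:", issue)
    print("max bad debt (ETH):", max_bad_debt(UNBACKED, price=1.0))
    print("after breaker:", circuit_breaker(UNBACKED))
```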
Security growing pains
The changes reflect a broader shift in how DeFi protocols are approaching security following a year in which infrastructure, governance and key-management failures, rather than smart contract bugs, have driven the largest losses.
April was one of the most expensive months on record for DeFi exploits, with more than $600mn drained across Drift Protocol, Kelp DAO and others, and May produced further significant incidents, including the StablR multisig exploit and the Polymarket private key compromise.
Aave's post-mortem explicitly acknowledges that the growing frequency of non-smart contract exploits informed its decision to tighten operational security standards beyond what code audits alone could address, and that the same rigour now applied to asset listings will extend to the operational security practices of the teams maintaining each listed asset.