Summary
Earlier today, 18th April 2026, the Aave Guardian was alerted to a potential exploit involving rsETH. Starting at 18:52 UTC, the Guardian initiated immediate freezes on rsETH and wrsETH markets across all deployments where the asset is listed.
All Aave pools remain safe and fully operational. The incident is scoped to the rsETH asset and does not stem from a vulnerability in the Aave protocol itself. The underlying cause is being investigated by Kelp, LayerZero, and other relevant teams, and we are coordinating closely with them as the situation develops.
Aave V3
The Guardian froze rsETH and wrsETH markets across all deployments where the asset is listed. Freezing these markets prevents new deposits and new borrows against rsETH as collateral while the situation is assessed. Existing positions are unaffected by the freeze itself.
Aave V4
The Protocol Security Council applied equivalent protective measures on Aave V4, disabling new supply and borrow activity against rsETH. Protective configuration updates were executed via the Aave Core Hub (tx 1) and on the Kelp E Spoke (tx 2).
Updates
We will post updates in this thread as the situation evolves. Thank you to the Guardian members and service providers who mobilized quickly on this.
2 Likes
I am not here to make a grave dance or point fingers. However, we must confront the reality that we could have done things differently. I truly believed we had learned our lesson from the Curve drama that shook this protocol to its core not long ago. This rsETH incident is even more serious because it strikes at the heart of our technical safety during a time of extreme vulnerability for our risk infrastructure.
How can we prevent this from happening again? We must acknowledge that Aave Guardians, while incredibly diligent, operate on human timelines. In a dark forest where malicious actors move at the speed of the mempool, relying on manual intervention is no longer a viable security strategy for a protocol of this scale. We need to prioritize the development and integration of on-chain agents that can act autonomously to halt withdrawals or freeze caps when specific malicious patterns are detected. If we cannot defend at the speed of code, we are simply waiting for the next exploit. Maybe the implementation of a withdrawal cooldown for everyone? I know it could sound too drastic, but for me having a huge amount of bad debt is way worse.
It appears listing rsETH in its current form was a mistake or at least a failure of conservative parameterization. It is particularly frustrating to see that the recent study titled Financial Dynamics and Interconnected Risk of Liquid Restaking specifically highlighted these type of systemic risks just last month. The caps were not safely placed, and the protocol is now paying the price in reputation.
Having to use the Umbrella module assets is a path born of desperation. This should never be viewed as a standard buffer or a βcost of doing business.β If Aave continues to incur bad debt through aggressive listings, it will eventually break the confidence of our most loyal depositors and future module participants. Once that trust is gone, no amount of collateral can bring it back.
I am calling on our risk providers to do better. I would much rather see Aave host fewer assets and grow at a measured, sovereign pace than provide endless options that compromise our fundamental security. DeFi has been battered since the start of the year and confidence is crashing across the entire ecosystem.
Resilience over convenience.
2 Likes