News linked to both this project and an event.
Aave has published a post-mortem of the April 18 rsETH incident, stating that the rsETH LayerZero V2 cross-chain bridge of liquid staking protocol Kelp accepted a forged message during a cross-chain transfer from Unichain to Ethereum. This caused the adapter on the Ethereum side to release 116,500 rsETH without a corresponding burn on the Unichain side. Aave stated that the attack occurred on a third-party cross-chain bridge infrastructure. However, the attacker deposited the stolen rsETH into 8 Aave V3 positions, borrowing 82,650 WETH and 821 wstETH, which impacted the Aave market.Aave stated that the attacker's rsETH on Arbitrum has now been burned. The LayerZero OFT adapter has replenished 116,131.72 rsETH in 5 batches, and the asset backing for rsETH has been fully restored. The affected WETH and rsETH markets have returned to normal.
Aave Labs has published an ARFC proposal recommending the introduction of a standardized technical asset listing framework for Aave V3, Aave V4, and Horizon—covering new asset onboarding, ongoing review of already-listed assets, and significant parameter expansions. The framework aims to unify technical assessment and monitoring baselines, addressing ERC-20 compliance, oracles, access control, minting and burning, pausing and blacklisting, upgradability, yield mechanisms, token architecture, cross-chain bridge risks, audit history, and external dependencies. The proposal also suggests integrating the assessment process into governance, including pre-screening, technical review, risk coordination, remediation tracking, and annual refreshes.
: VanEck's tokenized U.S. Treasury fund, VBILL, has officially launched on the DeFi lending protocol Euler. The fund is issued and tokenized by Securitize. Investors can now use tokenized Treasury bonds as collateral for on-chain lending and liquidity operations, while meeting compliance restrictions.This move reflects that DeFi protocols are accelerating their transition towards institutionalization and compliance to attract traditional financial capital into the on-chain market. Data shows that the market size of tokenized U.S. Treasury bonds has surpassed $15 billion, growing approximately 150% over the past year. Traditional asset management giants such as BlackRock, Franklin Templeton, and Janus Henderson have all launched on-chain treasury or money market products.Euler has previously integrated Securitize's DS Protocol to support the inclusion of tokenized securities with investor qualification restrictions and transfer rules into its lending market. DeFi protocols like Aave are also expanding into institutional-grade RWA businesses.Institutions estimate that the market size for asset tokenization could reach $18.9 trillion by 2033. A Securitize executive stated that as traditional financial institutions enter the crypto space, DeFi protocols must find a balance between openness and compliance requirements. (CoinDesk)
According to an official Aave tweet, Push Labs Ltd. (registration number: 1031720) and Push Virtual Assets Ltd. (registration number: 1031721), UK subsidiaries of Aave Labs, have been approved by the UK’s Financial Conduct Authority (FCA) and officially registered as cryptoasset service providers.
MoonPay has announced the launch of a new platform, MoonPay Trade, designed for banks, fintech companies, and enterprise clients. It provides unified access to tokenized assets, decentralized finance (DeFi) protocols, and stablecoin liquidity across over 200 blockchain networks.The platform is powered by Decent.xyz, a cross-chain routing infrastructure company recently acquired by MoonPay for a reported "high eight-figure USD amount." MoonPay stated that this product will serve as the core execution layer for its institutional business, MoonPay Institutional, which is led by former Acting Chairman of the U.S. Commodity Futures Trading Commission (CFTC), Caroline Pham.MoonPay Trade will support subscriptions for tokenized funds, collateral transfers, and integrations with DeFi protocols such as Aave, Morpho, and Maple Finance, enabling institutions to conduct lending and yield generation operations directly on-chain.Industry data shows that the current scale of tokenized real-world assets (RWA) has exceeded $33 billion, growing threefold within a year. Traditional financial institutions, including BlackRock, Franklin Templeton, and JPMorgan, have successively launched tokenized fund products, accelerating the influx of institutional capital into on-chain finance.MoonPay stated that as institutions continue to advance their tokenized asset strategies, its goal is to provide traditional financial institutions with the infrastructure capabilities for compliant access to on-chain markets through a unified interface. (CoinDesk)
OdailyOdaily reports that Standard Chartered expects the market capitalization of tokenized on-chain assets to reach $4 trillion by the end of 2028, split evenly between stablecoins and real-world assets.Geoffrey Kendrick, Global Head of Digital Assets Research at Standard Chartered, stated that established DeFi protocols with strong risk metrics will be the primary beneficiaries. The composability of DeFi is a core advantage, citing BlackRock's BUIDL fund, which has approximately $2.85 billion in assets under management, as an example. BUIDL allows investors to earn yield while using the fund as collateral and maintaining liquidity. The passage of the Clarity Act is seen as a near-term catalyst accelerating the shift from traditional channels to DeFi.Data shows that Aave, the largest DeFi lending protocol, once ranked 38th among US banks in terms of asset size. Daily on-chain stablecoin lending volume stands between $1.5 billion and $2 billion. The lending product offered by Coinbase in partnership with Morpho has reached a loan size of $1.75 billion. (The Block)
in April 2026, two major DeFi attacks on Drift Protocol and Kelp DAO resulted in losses of nearly $600 million, triggering approximately $9 billion in capital outflows from protocols like Aave. TRM Labs investigator Nick Carlsen stated that a hacker group suspected to be linked to North Korea has allegedly used AI to assist in target selection and attack path design. Failsafe CEO Aneirin Flynn said that AI has compressed the time for discovering blockchain vulnerabilities from months to days or even hours. The report noted that Anthropic has not fully opened its AI model Mythos due to cybersecurity risks, claiming the model has the capability to discover large-scale zero-day vulnerabilities. Its research indicates that over half of blockchain attacks in 2025 could theoretically be completed autonomously by AI. (Bloomberg)
Aave announced that its bug bounty program has been updated to better align rewards with the risk profile of each component within the ecosystem and to streamline the review process. The reward cap for critical vulnerability fixes in Aave V4 and Core Aave V3 has now been increased fivefold.
Linda Jeng, Chief Legal and Policy Officer at Aave Labs, stated during Consensus Miami 2026 that Aave's previous risk framework overly focused on financial risks and price volatility. Looking ahead, the protocol will incorporate assessments of cross-chain interoperability, cybersecurity vulnerabilities, and underlying asset architecture.This reform directly stems from the rsETH incident that occurred in April. At that time, an attacker exploited a vulnerability in the KelpDAO cross-chain bridge to mint approximately 116,500 unbacked rsETH (valued at around $293 million), deposited it as collateral into Aave, and borrowed real WETH, leading to significant bad debt risks for the protocol.Jeng revealed that Aave will also release a formal "listing standards handbook" for asset issuers in the future, and will begin evaluating the correlation between DeFi protocols from a systemic risk perspective, rather than analyzing individual pools in isolation.Additionally, a "DeFi United" bailout plan involving Lido Finance, EtherFi, Ethena, and others has been launched to cover collateral shortfalls and prevent further proliferation of bad debt. (CoinDesk)
Odaily News: Sonic Labs co-founder and Flying Tulip founder Andre Cronje posted on platform X, stating that his team is continuing to investigate the L0/rsETH incident. Preliminary reports indicate that approximately $200 million worth of rsETH was stolen, possibly due to a private key leak or configuration error. The related assets were subsequently deposited into Aave as collateral to borrow ETH (due to insufficient rsETH liquidity).Andre Cronje pointed out that the affected positions are technically still overcollateralized. However, if bad debt occurs, Aave's token mechanism and Safety Module will serve as the first line of defense to absorb the risk. Nevertheless, Aave has no mechanism to subsidize user losses, as doing so could trigger a bank run. Currently, Aave holds approximately $7 billion in ETH with an outstanding borrowing amount of around $100 million, so the overall impact of this incident is limited. Furthermore, prioritizing user liquidity, Flying Tulip has withdrawn all its ETH from Aave to its fund management wrapper contract. This action was taken because Aave's available liquidity had fallen below its set minimum threshold.
Regarding the KelpDAO hack, Aave tweeted that the rsETH markets on Aave V3 and Aave V4 have been frozen. Aave stated that its contracts were not exploited and that this incident is related to the exploit of Kelp DAO’s rsETH cross-chain bridge. The freeze will prevent new rsETH deposits and rsETH-backed lending. Aave is currently reviewing lending activity involving rsETH on the platform following the exploit and has indicated that, should the protocol accumulate bad debt as a result, it will explore options to cover the deficit. Earlier reports indicated that Kelp DAO’s cross-chain bridge was hacked, resulting in the theft of approximately $292 million worth of rsETH, exposing Aave V3 to bad debt risk.
According to CoinDesk, Kelp DAO’s LayerZero-based cross-chain bridge was attacked, with the attacker withdrawing 116,500 rsETH—worth approximately $292 million at current prices, or roughly 18% of its circulating supply. This incident has become the largest DeFi attack of 2026 to date. In response, Aave, SparkLend, and Fluid have frozen rsETH-related markets, and Lido Finance has suspended new deposits into its earnETH product. Kelp DAO stated it is jointly investigating the incident with LayerZero, auditing firms, and external security experts.
According to an official announcement, Aave Labs has launched Aave Checkpoint—a governance security system powered by AI—to conduct structured, multi-layered reviews of governance proposals and payloads before they are executed on-chain. The system has been operational since March 2026 and has covered all governance proposals during that period. Aave Checkpoint combines automated analysis with mandatory manual review: it fetches on-chain payload data, proposal source code, and IPFS-hosted text, then cross-references Seatbelt simulation results to examine execution paths, state changes, and potential risks—generating audit reports accordingly. Each AI-generated report must be signed off by at least two independent reviewers before the review is finalized. Currently, the system supports Aave V3, V4, GHO, and Aptos-v3.