TLDR:A one-of-one DVN configuration on the Kelp rsETH bridge created a single point of failure that attackers exploited.The attacker borrowed 82,650 WETH and 821 wstETH using 89,567 stolen rsETH across eight Aave V3 positions.DeFi United coordinated over $300 million in recovery commitments from Lido, Ethena, Mantle, and other contributors.Aave’s LayerZero OFT adapter was fully refilled across five tranches, restoring 116,131 rsETH backing in full.The April 18, 2026 rsETH incident exposed a critical vulnerability in third-party bridge infrastructure connected to Aave’s markets. A forged cross-chain message on the Kelp rsETH LayerZero V2 bridge released 116,500 rsETH on Ethereum without any matching burn on Unichain. The attacker then used those tokens as collateral across Aave V3 positions. A coordinated recovery effort later restored full backing and returned all affected markets to normal.The Bridge Vulnerability That Triggered the ExploitThe Kelp rsETH LayerZero V2 bridge from Unichain to Ethereum relied on a single verifier to sign all inbound cross-chain messages. That configuration, known as a one-of-one Decentralized Verifier Network, created a single point of failure. When that verifier was targeted by an RPC-poisoning attack, the attacker manipulated its view of the source-chain state entirely.At 17:35 UTC on April 18, the Ethereum endpoint accepted inbound nonce 308 and released 116,500 rsETH from the RSETH_OFTAdapter. At that same moment, Unichain’s source endpoint still showed only outbound nonce 307. No burn had occurred on the source chain, yet the Ethereum side processed the message as legitimate.The root cause was not a flaw in Aave’s smart contracts. Instead, it was the bridge’s reliance on a single verifier and that verifier’s susceptibility to external manipulation. That dependency sat entirely outside the Aave protocol.How the Attacker Moved Through Aave’s MarketsOnce the 116,500 rsETH was released, the attacker moved fast. The stolen tokens were dispersed across seven recipient addresses within minutes of the exploit. From there, 89,567 rsETH was deployed across eight Aave V3 positions on Ethereum Core and Arbitrum.Against that collateral, the attacker borrowed 82,650 WETH and 821 wstETH. Health factors across the eight positions were kept between 1.01 and 1.03, just above liquidation thresholds. That positioning allowed the attacker to hold the borrowed assets while avoiding automatic liquidation.Aave’s exposure came from rsETH being listed as collateral on its markets under standard overcollateralization terms. That listing created a direct dependency on the bridge’s verification path, infrastructure that Aave does not control.The Immediate Containment Steps That FollowedThe Aave Protocol Guardian responded within hours. By 19:00 UTC on April 18, rsETH and wrsETH were frozen across Aave V3, and LTV was set to zero. On Aave V4, the Kelp Spoke was fully frozen across both WETH and rsETH reserves, and WETH borrowing on the Spoke was deactivated immediately.Between 18:00 and 19:00 UTC, Kelp paused 43,373 rsETH connected to the exploit. That action prevented further movement of those specific tokens and limited additional damage during the early response window.Over the following two days, additional protections were layered across the affected markets. WETH was frozen across Ethereum Core, Ethereum Prime, Arbitrum, Base, Mantle, and Linea on April 20. The Arbitrum Security Council then froze 30,766 ETH linked to the attacker on April 21. By April 23, rsETH reserves were fully paused across multiple deployments, preserving the ability to liquidate attacker positions and recover assets for affected users.The post Aave’s April 2026 rsETH Incident Post Mortem: How a Forged Bridge Message Shook DeFi appeared first on Blockonomi.