The Aave protocol has tightened its asset listing rules following the April rsETH incident, which posed a $293 million bad debt risk. The attack stemmed not from a lending platform bug, but from a verification failure in the LayerZero cross-chain bridge used by the Kelp project. An attacker forged a cross-chain message to mint 116,500 unbacked rsETH tokens, depositing them into Aave at a 93% LTV in eMode to withdraw liquid assets.

In response, Aave introduced a new risk assessment framework for V3, V4, and Horizon versions. New listing criteria now evaluate bridge reliability, oracle dependencies, admin rights, and code upgradeability. Emergency mechanisms for automated LTV zeroing are also being implemented. 

Risk managers have already applied 295 parameter adjustments to V3 markets to restrict borrow limits. OpenZeppelin auditors confirmed the exploit resulted from infrastructure configuration errors, not smart contract vulnerabilities. On May 25, Kelp completed the collateral restoration by sending a final tranche of 20,373 rsETH to the LayerZero contract.