On April 18, a DeFi attack changed how a lot of people think about the word "exploit."
No passwords were cracked. No assets were forcibly moved. What the attacker did was simpler: mint 116,500 rsETH out of thin air, deposit them into Aave as collateral, and walk away with ~$236M in real WETH.

Every step followed the rules. That's the point.
Five steps. That's all it took.
The vulnerability was in KelpDAO's cross-chain bridge (built on LayerZero) — not Aave itself:
Aave did exactly what it was supposed to do. The problem was that the collateral it trusted never should have existed.
Why this is worse than a regular hack
Most attacks have a ceiling — you can only steal what's already in the pool.
This one didn't. The attacker created the asset first, then cashed it out. The protocol itself became the printing press.
The deeper issue: the risk didn't come from Aave. It came from the trust layer. Aave trusted rsETH. rsETH depended on the bridge. Bridge breaks — the entire chain of trust breaks with it. This kind of propagation risk is everywhere in DeFi.
The fallout confirmed it. Aave suspended affected markets. WETH liquidity locked across chains. TVL dropped over $5B in hours. Large holders including Justin Sun pulled out.
One bridge vulnerability. System-wide confidence collapse.
The takeaway
Cross-chain bridges remain the highest-risk surface in DeFi. The protocol you're using might be fine — but whatever it trusts is also your exposure.
High-yield assets usually mean more external dependencies. That's not a coincidence. It's the trade-off.
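The trust chain described above (Aave trusted rsETH, rsETH depended on the bridge) can be mapped so that a position's indirect exposure is visible before something breaks. The sketch below is an added example, not code from any of the protocols named here; the graph edges beyond the article's chain, the node names, and all dollar amounts are constructed assumptions.

```python
from collections import defaultdict

# Constructed trust graph: each key trusts the components in its list.
# The Aave -> rsETH -> bridge -> LayerZero chain follows the article;
# every other node and all amounts are hypothetical.
TRUSTS = {
    "aave_weth_market": ["rsETH", "WETH"],
    "rsETH": ["kelp_bridge", "restaking_vault"],
    "kelp_bridge": ["layerzero_messaging"],
    "yield_vault_x": ["aave_weth_market"],  # hypothetical vault built on Aave
    "WETH": [],
    "restaking_vault": [],
    "layerzero_messaging": [],
}
# Constructed positions (USD) held directly in each component.
POSITIONS = {"aave_weth_market": 40_000, "yield_vault_x": 25_000, "WETH": 10_000}


def trust_closure(node, graph=TRUSTS):
    """Everything `node` depends on, directly or transitively (cycle-safe)."""
    seen, stack = set(), list(graph.get(node, []))
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(graph.get(dep, []))
    return seen


def exposure_by_component(positions=POSITIONS, graph=TRUSTS):
    """USD at risk if each component fails: positions held in it directly
    plus every position whose trust closure contains it."""
    at_risk = defaultdict(int)
    for holder, usd in positions.items():
        for component in trust_closure(holder, graph) | {holder}:
            at_risk[component] += usd
    return dict(at_risk)


def blast_radius(failed, positions=POSITIONS, graph=TRUSTS):
    """Positions affected when `failed` breaks, largest first."""
    hit = [(h, usd) for h, usd in positions.items()
           if h == failed or failed in trust_closure(h, graph)]
    return sorted(hit, key=lambda item: -item[1])


if __name__ == "__main__":
    ranked = sorted(exposure_by_component().items(), key=lambda kv: -kv[1])
    for component, usd in ranked:
        print(f"{component:22s} ${usd:>8,}")
    print("bridge failure hits:", blast_radius("kelp_bridge"))
```

In this constructed portfolio nothing is held in the bridge directly, yet a bridge failure reaches $65,000 of the $75,000 total through two positions that never mention it.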