Aave introduces new risk framework after $292M exploit

Aave is rolling out a four-layer risk framework covering its V3, V4, and Horizon deployments, a direct response to the $292M exploit that rocked the protocol in April. The new standards touch everything from bridge security to bug bounty minimums, representing one of the most comprehensive security overhauls in DeFi lending history.

The proposal, introduced by risk provider LlamaRisk and publicly discussed by Aave founder Stani Kulechov, amounts to a structural rethink of how the protocol evaluates and manages risk.

What happened, and why it forced Aave’s hand

On April 18, 2026, an attacker exploited vulnerabilities in a single-verifier LayerZero bridge to drain 116,500 rsETH from KelpDAO. The damage: roughly $292M gone in what became one of the largest DeFi exploits of the year.

The root cause was almost embarrassingly simple for a protocol of Aave’s scale. The compromised bridge relied on a single verifier. One point of failure, one massive payout for the attacker.