AAVE was not hacked. Toxic collateral hit the protocol.
🧩 The new incident report makes the setup much clearer.
This was not an Aave smart contract failure. The break happened on Kelp’s LayerZero rsETH route, where 116,500 rsETH was released on Ethereum without a matching burn on the source side. Then that collateral was pushed into Aave. Of the stolen amount, 89,567 rsETH ended up deposited there, with attacker-backed loans sitting around 1.01–1.03 health factor. (Aave)
That distinction matters
A lot of people trade the headline like “Aave got exploited.”
The report says the opposite: Aave’s contracts, liquidation flow, and core logic kept working as designed. The protocol was dealing with a bad asset that came in from outside. (Aave)
What Aave did
Aave froze rsETH and wrsETH across all V3 markets, set LTV to zero for new actions, then froze WETH in key markets and adjusted rate models to stop stress from spreading deeper into the system. That is not panic. That is containment. (Aave)
⚠️ What the market is pricing now
The real question is no longer “was Aave hacked?”
The real question is who eats the hole. The report models about $123.7M of bad debt if losses are socialized across all rsETH, and about $230.1M if the damage stays isolated to L2 rsETH. (Aave)
Takeaway
This is classic DeFi reality.
A protocol can stay technically intact and still take damage through collateral design, bridge assumptions, and external accounting decisions.
That is why I never read these events as just a price dip.
First I check where the poison actually entered the stack.
