Aave today announced it has “returned to normal”—about a month after that $230 million incident.

But when you hear how the attack happened, you’ll definitely get chills down your spine.
On April 18, someone forged a piece of fake news, tricked a cross-chain bridge, and “printed” 116,500 rsETH (an ETH staking receipt) out of thin air. Then they used these counterfeit tokens as collateral on Aave, borrowed real ETH, and siphoned off $230 million.
Aave’s own code was fine. It only accepted an external token as collateral—yet it had no way to control that token’s “money-printing machine.”
It’s like a bank wasn’t robbed—someone shows up with counterfeit bills to get a loan, and the teller really did approve it.
Even more intense: the pool was drained in an instant. Ordinary users couldn’t withdraw their own money, so they could only use their own stablecoins as new collateral and borrow again—these “self-borrowing” operations added up to more than $300 million in just 24 hours.
Now Aave says it has “fixed it.” But the attack pattern hasn’t disappeared—whatever the next “fake coin” gets printed might already be on the way.
The further you play with DeFi, the more it feels like building with LEGO—each block looks great on its own, but once you tip it over, it becomes impossible to stop.