Aave introduces new risk framework after $292M exploit
The DeFi lending giant is overhauling its security architecture with mandatory bridge verifiers, scaled bug bounties, and automated freeze guards following a devastating rsETH drain.
Aave is rolling out a four-layer risk framework covering its V3, V4, and Horizon deployments, a direct response to the $292M exploit that rocked the protocol in April. The new standards touch everything from bridge security to bug bounty minimums, representing one of the most comprehensive security overhauls in DeFi lending history.
The proposal, introduced by risk provider LlamaRisk and publicly discussed by Aave founder Stani Kulechov, amounts to a structural rethink of how the protocol evaluates and manages risk.
What happened, and why it forced Aave’s hand
On April 18, 2026, an attacker exploited vulnerabilities in a single-verifier LayerZero bridge to drain 116,500 rsETH from KelpDAO. The damage: roughly $292M gone in what became one of the largest DeFi exploits of the year.
The root cause was almost embarrassingly simple for a protocol of Aave’s scale. The compromised bridge relied on a single verifier. One point of failure, one massive payout for the attacker.
In the aftermath, Aave Risk Stewards scrambled to contain the fallout, executing approximately 295 parameter adjustments across V3 reserves. That’s a staggering number of manual interventions, and it highlighted exactly why the protocol needed automated safeguards rather than relying on humans to move fast enough during a crisis.
Inside the new framework
The Aave Risk Framework proposal, posted around June 9, 2026, introduces several mandatory standards that fundamentally change how cross-chain assets interact with the protocol.
The headline requirement: any bridge route involving Aave exposure must now use a minimum of three independent verifiers. The 1-of-N and 2-of-N configurations that enabled the April exploit are now explicitly banned.
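The floor is easy to state and easy to meet on paper while still collapsing to one or two parties in practice. As an added illustration, not code from the proposal, LlamaRisk or LayerZero, here is a Python checker that computes the fewest independent operators able to pass a message through a route; it assumes a required-plus-optional-threshold verifier layout in the style of LayerZero V2 DVN settings, and every route, verifier and operator name below is constructed.

```python
from collections import Counter
from dataclasses import dataclass

MIN_INDEPENDENT_VERIFIERS = 3  # floor stated by the framework

@dataclass(frozen=True)
class Verifier:
    name: str
    operator: str  # who runs the signer; same operator => not independent

@dataclass(frozen=True)
class RouteConfig:
    route: str
    required: tuple            # every one of these must attest
    optional: tuple = ()       # at least optional_threshold of these must attest
    optional_threshold: int = 0

def min_independent_attesters(cfg):
    """Fewest distinct operators whose compromise suffices to pass a message."""
    if cfg.optional_threshold > len(cfg.optional):
        raise ValueError(f"{cfg.route}: threshold exceeds the optional verifier set")
    ops = {v.operator for v in cfg.required}
    # Optional verifiers run by an already-required operator add no new party.
    need = cfg.optional_threshold - sum(1 for v in cfg.optional if v.operator in ops)
    # Otherwise the operator controlling the most optional verifiers is the cheapest
    # way to reach the threshold, so add operators greedily by size.
    extra = Counter(v.operator for v in cfg.optional if v.operator not in ops)
    for op, n in extra.most_common():
        if need <= 0:
            break
        ops.add(op)
        need -= n
    return len(ops)

def check_route(cfg):
    k = min_independent_attesters(cfg)
    if k < MIN_INDEPENDENT_VERIFIERS:
        return False, f"{cfg.route}: effectively {k}-of-N, below the {MIN_INDEPENDENT_VERIFIERS}-verifier floor"
    return True, f"{cfg.route}: {k} independent parties must attest"

# Constructed sample routes; verifier names and operators are hypothetical.
A, B, C, D = "OpA", "OpB", "OpC", "OpD"
SINGLE = RouteConfig("L1->L2", (Verifier("dvn-1", A),))
SAME_OPERATOR = RouteConfig("L1->L3", (Verifier("dvn-1", A), Verifier("dvn-2", A), Verifier("dvn-3", B)))
PADDED_OPTIONAL = RouteConfig("L1->L4", (Verifier("dvn-1", A),),
                              (Verifier("dvn-2", A), Verifier("dvn-3", B), Verifier("dvn-4", C)), 2)
COMPLIANT = RouteConfig("L1->L5", (Verifier("dvn-1", A),),
                        (Verifier("dvn-2", B), Verifier("dvn-3", C), Verifier("dvn-4", D)), 2)

REPORT = [check_route(c)[1] for c in (SINGLE, SAME_OPERATOR, PADDED_OPTIONAL, COMPLIANT)]
```

The SAME_OPERATOR and PADDED_OPTIONAL routes both list three or four verifiers yet report as 2-of-N, which is the gap a headcount-only check would miss.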
The framework also mandates a live bug bounty program with a minimum payout of $50,000 for critical findings. The bounties scale based on total value locked, meaning as Aave grows, the financial incentive for white-hat hackers to find vulnerabilities before black-hat hackers exploit them grows proportionally.
Then there are the automated risk oracles and Freeze Guardians. These systems are designed to detect adverse conditions and automatically freeze affected markets without waiting for a governance vote or manual intervention. When 295 parameter changes had to be pushed manually after the April exploit, the case for automation essentially made itself.
What this means for investors and the broader DeFi ecosystem
The three-verifier minimum directly addresses the specific vulnerability exploited in the rsETH drain. That’s a concrete, structural fix rather than a vague promise to “do better.”
Stricter collateral onboarding standards and bridge requirements will likely slow the pace at which new cross-chain assets get listed on Aave. Projects that want their tokens used as collateral will face a higher compliance bar. For liquidity seekers, this could mean fewer exotic asset options in the short term.
For developers and protocols looking to integrate with Aave, meeting the three-verifier minimum isn’t trivial for smaller bridge operators. This could consolidate cross-chain activity around larger, better-resourced bridge providers, effectively creating a tiered system where only well-capitalized infrastructure players can serve Aave-connected routes.