
Aave's postmortem says the $230M rsETH exploit wasn't a core Aave bug, but a failure in LayerZero-based bridge verification used by KelpDAO.
Attackers were able to mint unbacked rsETH via a forged cross-chain message, then deposit it into Aave and borrow against it.
In response, Aave is tightening V3 risk controls and listing standards, including deeper scrutiny of bridges, oracles, and collateral dependencies, plus stricter supply/borrow caps and faster automated risk controls.
Net effect: it shifts attention from "smart contract risk" to "cross-chain bridge risk" as the main vulnerability layer in DeFi.