Aave Labs has put a sweeping overhaul of the @aave DAO's bug bounty program to a governance vote, proposing to dramatically raise payout ceilings for $AAVE protocol vulnerabilities in the wake of April's Kelp DAO disaster.
Aave Labs has put forward a comprehensive proposal to restructure the Aave DAO's bug bounty program, introducing a multi-platform approach and significantly increasing reward payouts for critical vulnerabilities. Under the plan, the top reward for critical vulnerabilities in Core Aave V3 would jump from $1 million to $5 million, while Aave V4's maximum reward would rise from $500,000 to $2.5 million.
The restructuring also splits security oversight across three specialist platforms. Core Aave V3, Core Aave V2, GHO, and non-liquidity protocol infrastructure would use Immunefi; Aave V4 and the App Stack would use Sherlock; and Aave V3 on Aptos would use Cantina. This segmentation is designed to leverage each platform's expertise in different areas of the $AAVE ecosystem, potentially improving response times and coverage quality.
The timing is no coincidence. At 17:35 UTC on April 18, an attacker sent a crafted message to Kelp DAO's LayerZero-powered cross-chain bridge. The bridge accepted it as legitimate and released 116,500 rsETH, worth about $293 million and roughly 18% of the token's entire circulating supply. No ETH ever changed hands on the other side, meaning rsETH was effectively spun out of thin air.
The attacker deposited the stolen rsETH into Aave V3 as collateral and borrowed substantial amounts of wrapped ETH against it, saddling the protocol with an estimated $196 million in bad debt. Amid contagion fears, Aave's total value locked collapsed from $26.4 billion on April 18 to nearly $20 billion by Sunday morning, a decline of roughly $6.6 billion, per DefiLlama.
Critically, @aave's own code was not to blame. Founder Stani Kulechov confirmed Aave's smart contracts were not compromised and said both versions "do not have further exposure to rsETH." Aave Labs said it moved quickly to contain the risk, freezing rsETH markets across its deployments, setting loan-to-value ratios to zero, and halting new borrowing against the asset.
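The failure mode above is a wrapped token whose circulating supply grew without any matching asset being locked on the other side of the bridge, and the response was to zero the asset's loan-to-value ratio, halt borrowing and freeze the market. The following is an added illustrative example of how a lending protocol's risk tooling could monitor that backing invariant and script the same response; it is not code from Aave, Kelp DAO or LayerZero. The snapshot fields, the 1% severity threshold and the response field names are assumptions, and every number is constructed.

```python
"""Supply-backing monitor for a bridged (wrapped) token.

Added illustrative example; not code from Aave, Kelp DAO or LayerZero.
Assumes a bridge that locks an asset on a source chain and mints a
wrapped representation on a destination chain, so that the invariant
    minted_on_destination <= locked_on_source
should hold at every snapshot. A lending protocol listing the wrapped
token as collateral can watch this invariant and move the asset's risk
parameters (LTV, borrowing, freeze) when it breaks. All figures below
are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BridgeSnapshot:
    block_time: str               # label for the observation (constructed)
    locked_on_source: float       # backing asset held by the bridge on the source chain
    minted_on_destination: float  # wrapped-token circulating supply on the destination chain


@dataclass(frozen=True)
class Finding:
    block_time: str
    unbacked: float         # wrapped supply with no locked backing behind it
    share_of_supply: float  # unbacked amount as a fraction of circulating supply
    severity: str           # "warning" or "critical"


def check_backing(snapshot: BridgeSnapshot,
                  critical_share: float = 0.01) -> Optional[Finding]:
    """Return a Finding when minted supply exceeds locked backing, else None.

    Small positive gaps can come from in-flight transfers or rounding and
    are reported as a warning; anything above critical_share of supply is
    treated as unbacked minting. The 1% threshold is an assumption.
    """
    unbacked = snapshot.minted_on_destination - snapshot.locked_on_source
    if unbacked <= 0:
        return None
    share = unbacked / snapshot.minted_on_destination
    severity = "critical" if share > critical_share else "warning"
    return Finding(snapshot.block_time, unbacked, share, severity)


def scan(snapshots: List[BridgeSnapshot]) -> List[Finding]:
    """Run the backing check over a series of snapshots, keeping only findings."""
    findings = []
    for snap in snapshots:
        finding = check_backing(snap)
        if finding is not None:
            findings.append(finding)
    return findings


def collateral_response(finding: Optional[Finding], current_ltv: float) -> dict:
    """Risk-parameter response for the wrapped token as collateral.

    On a critical finding the asset is frozen, its loan-to-value ratio is
    set to zero and new borrowing against it is disabled; otherwise the
    existing parameters are left unchanged. Field names are illustrative.
    """
    if finding is not None and finding.severity == "critical":
        return {"ltv": 0.0, "borrowing_enabled": False, "frozen": True}
    return {"ltv": current_ltv, "borrowing_enabled": True, "frozen": False}


# Constructed observations: healthy, a small in-flight gap, then a large
# jump in minted supply with no matching increase in locked backing.
SAMPLE_SNAPSHOTS = [
    BridgeSnapshot("t+0m", 1_000_000.0, 1_000_000.0),
    BridgeSnapshot("t+5m", 1_000_000.0, 1_000_050.0),
    BridgeSnapshot("t+10m", 1_000_000.0, 1_200_000.0),
]


if __name__ == "__main__":
    for f in scan(SAMPLE_SNAPSHOTS):
        print(f"{f.block_time:6} {f.severity:8} unbacked={f.unbacked:,.0f} "
              f"({f.share_of_supply:.2%} of supply)")
        print("  response:", collateral_response(f, current_ltv=0.75))
```

The check is deliberately one-sided: minted supply falling below locked backing is not flagged, since that is the normal state when transfers are pending, while any sustained excess means tokens exist on the destination chain that no locked asset stands behind. In practice the two figures would come from the bridge contract's accounting on each chain, and a protocol would want the response to run automatically rather than wait for a governance vote.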
The episode nonetheless exposed a structural gap: a flaw in an integrated third-party protocol was enough to inflict massive collateral damage on DeFi's largest lender. By increasing rewards, Aave Labs aims to attract top-tier security researchers who might otherwise focus on other high-value targets. Higher rewards are expected to incentivize more researchers to audit $AAVE's code, increasing the likelihood that critical vulnerabilities are discovered and reported before they can be exploited.
Sources:
Aave Governance Forum: Bug Bounty Future Improvements
Unchained Crypto: Aave's $6.6B TVL Drop and the Kelp DAO Exploit
CoinDesk: Aave Could Face Up to $230M in Losses After Kelp DAO Exploit