On April 18, attackers exploited a vulnerability in a platform integrated with Aave. The exploit enabled them to issue approximately $292 million in unbacked rsETH, a yield-bearing form of ether. These tokens were deposited on Aave as collateral and used to borrow wETH (wrapped ether), which was withdrawn before the breach was identified.
Aave's own platform was not compromised. The exploit relied on Aave accepting these assets as legitimate, in line with its standard process. The aftermath has left Aave with a shortfall that the wider community is now working to cover in an orderly manner.
.png)
Byzantine had funds deposited on Aave at the time of the incident. None were lost.
To extract a profit, the attackers needed to borrow an asset that could not be recalled or blocked once withdrawn. wETH meets this criterion: it has no central administrator, and therefore no party with the authority to freeze it.
Byzantine deposits client funds exclusively in USDC, a digital dollar issued by Circle, a regulated financial institution. Circle retains the ability to freeze USDC held in any wallet identified as compromised or fraudulent. Attackers are aware of this and consistently avoid USDC in incidents of this kind, as the funds become unusable the moment they are flagged.
This is a deliberate element of how Byzantine selects the assets it works with. The pattern used in the April 18 incident (creating fake collateral, then borrowing a different asset against it) cannot complete its final step when the borrowed asset is USDC. The attempt does not pay off.
The incident triggered a wave of panic-driven withdrawals across Aave, which temporarily drained liquidity from pools that had no connection to the exploit, including USDC. In this kind of scenario, depositor funds remain solvent, but withdrawals can be delayed until liquidity is replenished.
Byzantine pre-emptively reduced its exposure to Aave as the situation developed. Client funds were never at risk of loss, and a temporary liquidity disruption was avoided.
Byzantine clients are unaffected and require no action.
