Decentralized finance (DeFi) is recovering from a series of sophisticated exploits that have sparked intense debate over whether public blockchain protocols can actually manage systemic risk.
The crisis peaked in April 2026, with the $292 million mining of KelpDAO’s LayerZero-powered bridge sparking a devastating $8.45 billion deposit run on Aave, the world’s largest decentralized lending platform. The mass withdrawals took place within 48 hours.
Stani Kulechov, founder and CEO of Aave Labs, defended Aave’s mathematical superiority over traditional finance at the Proof of Talk event in Paris last week. Rather than address the operational failures of a multimillion-dollar liquidity crisis that nearly shattered Aave’s insolvency protections, Kulechov decided to present the massive capital flight as empirical proof of the network’s “resilience.”
“Aave’s existing V3 infrastructure has experienced several market cycles,” he said, adding that “Aave has been very resilient during turbulent times.”
However, a closer look at the April crisis reveals that Aave’s survival rested less on flawless self-sustaining design and more on a chaotic and humane $300 million emergency rescue plan. The emergency recovery effort required a commitment of 25,000 ETH from the Aave DAO and a personal contribution of 5,000 ETH ($8.4 million) from Kulechov himself to avert disaster.
Shift the blame
Kulechov separated the core code of smart contracts from external infrastructure failures impacting the broader market.
“When it comes to development as well… there are very few, if any, issues in smart contracts in DeFi protocols in general,” Kulechov argued. “These are actually third-party dependencies related to more traditional security that could impact the entire DeFi space, as we have seen recently.”
Although technically accurate, the April hack began as an RPC spoofing and DDoS attack targeting LayerZero’s verification nodes on KelpDAO rather than a bug in Aave’s code. Risk analysts say Kuleshov’s defense skirts a harsher reality.
Blockchain risk modeling firm LlamaRisk later revealed that hackers used the exploit to create worthless collateral, deposit it into Aave, and drain wrapped authentic Ether (wETH), leaving Aave V3 saddled with an estimated $123.7 million in bad debt. Additionally, banking analysts at the Bank Policy Institute pointed out that Aave’s inadequate insurance revealed how DeFi platforms are vulnerable to bank runs to the detriment of their users.
Plan for V4
Kulechov recognized that the architectural threat of contagion requires a complete overhaul. To prevent future bridge failures from triggering systemic deposit operations, he noted that Aave Labs is using its upcoming V4 upgrade to fundamentally restructure its risk management.
Kulechov explained that Aave Labs is using its upcoming V4 technology upgrade to completely rethink risk management with the goal of preventing future bridge exploits from triggering deposit operations.
Kulechov explained that in the new version, a modular “hub-and-spoke” system will replace traditional token pooling, allowing the main protocol to autonomously charge localized risk premiums and freeze specific collateral lines before contagion can reach primary lending reserves.
“When you have a fully auditable and public system, anyone can inspect the code and also perform different types of risk analyzes based on that. I think that’s the key to creating resilient software,” he concluded.
The defining question for the mainstream future of DeFi remains whether institutional allocators will continue to neglect these multi-billion dollar “stress tests” while awaiting the launch of V4.
