Decentralized finance (DeFi) is recovering from a series of sophisticated exploits that have sparked an intense debate over whether public blockchain protocols can truly address systemic risks.
The crisis peaked in April 2026, when the $292 million exploit of KelpDAO’s LayerZero-powered bridge triggered a devastating $8.45 billion deposit run on Aave, the world’s largest decentralized lending platform. The massive withdrawals happened within 48 hours.
Stani Kulechov, founder and CEO of Aave Labs, defended Aave’s mathematical superiority over traditional funding at the Proof of Talk event in Paris last week. Instead of addressing the operational failures of a multimillion-dollar liquidity crisis that nearly breached Aave’s insolvency shields, Kulechov framed the massive capital flight as empirical evidence of the network’s “resilience.”
“Aave’s existing V3 infrastructure has seen multiple market cycles,” he said, adding that “Aave has been really resilient in really turbulent times.”
However, a closer look at the April crisis reveals that Aave’s survival depended less on flawless autonomous design and more on a chaotic, human-led $300 million bailout. That relief effort required a pledge of 25,000 ETH from Aave DAO and a personal contribution of 5,000 ETH ($8.4 million USD) from Kulechov himself to avert the disaster.
Denies blame
Kulechov separated core smart contract code from the external infrastructure failures that affect the broader market.
“When it also comes to development… there are very few, indeed any, issues in DeFi protocols’ smart contracts in general,” Kulechov argued. “They’re actually third-party dependencies that are related to more traditional security that can have an impact across the DeFi space, as we’ve seen recently.”
That is technically accurate: the April hack began with an RPC spoofing and DDoS attack targeting LayerZero’s verifier nodes on KelpDAO rather than a bug in Aave’s code. But risk analysts said Kulechov’s defense sidesteps a harsher reality.
Blockchain risk modeling firm LlamaRisk later revealed that the hackers used the exploit to create worthless security, deposit it in Aave and drain authentic wrapped Ether (wETH), leaving Aave V3 saddled with an estimated $123.7 million in bad debt. Furthermore, banking analysts at the Bank Policy Institute pointed out that Aave’s inadequate insurance exposed how DeFi platforms are vulnerable to bank runs to the detriment of their users.
Plan for V4
Kulechov admitted that the architectural threat of contagion requires a complete overhaul. To prevent future bridge exploits from triggering systemic deposit runs, he noted, Aave Labs is using its upcoming V4 upgrade to fundamentally restructure its risk management.
Kulechov explained that under the new version, a modular “hub-and-spoke” system will replace traditional token pooling, allowing the core protocol itself to charge local risk premiums and freeze specific collateral lines before contagion can reach the primary lending reserves.
“When you have a fully auditable and public system, anyone can actually inspect the code and also do different kinds of risk analysis based on it. I think that’s the key to building resilient software,” he concluded.
Whether institutional allocators will continue to overlook these multi-billion dollar “stress tests” while waiting for V4 to launch remains the crucial question for DeFi’s mainstream future.



