Decentralized finance (DeFi) is recovering from a series of sophisticated exploits that have sparked intense debate over whether public blockchain protocols can truly handle systemic risk.
The crisis peaked in April 2026, when the operation of KelpDAO’s $292 million LayerZero-powered bridge caused a devastating $8.45 billion deposit on Aave, the world’s largest decentralized lending platform. The massive filming took place within 48 hours.
Stani Kulechov, founder and CEO of Aave Labs, defended Aave’s mathematical superiority over traditional finance at the Proof of Talk event in Paris last week. Instead of addressing the operational failures of a multi-million dollar liquidity crisis that nearly breached Aave’s insolvency shields, Kulechov pivoted to frame the massive capital flight as empirical evidence of the network’s “resilience.”
“Aave’s existing V3 infrastructure has seen multiple market cycles,” he said, adding that “Aave has been very resilient during very turbulent times.”
A closer look at the April crisis, however, reveals that Aave’s survival depended less on flawless autonomous design and more on a chaotic, $300 million, human-led emergency response program. The disaster recovery effort required 25,000 $ETH pledge of the Aave DAO and a personal 5,000 $ETH Contribution ($8.4 million) from Kulechov himself to prevent a disaster.
Averting blame
Kulechov separated the core code of smart contracts from the external infrastructure failures that impacted the broader market.
“Also when it comes to development… there are very few problems in the smart contracts of the DeFi protocols in general,” Kulechov argued. “They’re actually third-party dependencies associated with more traditional security that could have an impact on the DeFi space, as we’ve seen recently.”
Although technically accurate, the April hack started with an RPC spoofing and DDoS attack targeting LayerZero’s authentication nodes on KelpDAO rather than a bug in Aave’s code. Risk analysts said Kulechov’s defense sidesteps a harsher reality.
Blockchain risk modeling firm LlamaRisk later revealed that the hackers used the exploit to obtain worthless collateral, deposit it into Aave, and drain authentically wrapped Ether (wETH), leaving Aave V3 with an estimated $123.7 million in bad debt. Additionally, banking analysts at the Bank Policy Institute pointed out that Aave’s inadequate insurance exposed how DeFi platforms are vulnerable to bank runs to the detriment of their users.
Blueprint for V4
Kulechov admitted that the architectural contamination threat requires a complete overhaul. To prevent future bridge failures from leading to systemic deposit runs, he noted that Aave Labs is using the upcoming V4 upgrade to fundamentally restructure its risk management.
Kulechov explained that Aave Labs is using the upcoming V4 technology upgrade to completely redesign risk management with the aim of preventing future bridging exploits from leading to deposits.
Kulechov explained that under the new version, a modular hub-and-spoke system will replace traditional token pooling, allowing the core protocol to autonomously levy localized risk premiums and freeze specific collateral lines before contagion can reach primary credit reserves.
“If you have a fully auditable and public system, anyone can actually inspect the code and do different types of risk assessments based on that. I think this is the key to building resilient software,” he concluded.
Whether institutional allocators will continue to ignore these multi-billion dollar “stress tests” as they await the launch of V4 remains the defining question for the mainstream future of DeFi.