Aave founder Stani Kulechov has defended the decentralized lending protocol after an $8.45 billion withdrawal wave followed a major DeFi exploit earlier this year.
Speaking at the Proof of Talk conference in Paris last week, Kulechov argued that Aave remained operational during one of the most severe stress events in the decentralized finance world, despite a market-wide crisis caused by the April exploitation of KelpDAO’s LayerZero-powered bridge.
According to Kulechov, Aave’s V3 infrastructure has already been tested by multiple periods of market volatility.
“Aave has been very resilient in very turbulent times,” he said, discussing the protocol’s performance during the disruption.
The comments came after a security incident that spread far beyond the protocol from which it originated. Risk researchers later traced the exploit to an RPC spoofing and DDoS attack targeting LayerZero authentication nodes connected to KelpDAO.
While the attack did not involve a flaw in Aave’s own smart contracts, the fallout quickly reached the lending platform as users rushed to withdraw funds.
Aave survived with emergency aid
Within 48 hours of the exploit, Aave exited approximately $8.45 billion in deposits, causing one of the largest liquidity shocks ever seen in DeFi. While the protocol continued to function, the recovery effort required significant intervention from both the community and its leadership.
Aave DAO has pledged 25,000 $ETH as part of an emergency aid package. Kulekhov personally contributed another 5,000 $ETHestimated at the time to be around $8.4 million, which helped stabilize the situation when the protocol was under increasing pressure.
During his remarks, Kulechov distinguished between flaws in infrastructure support and vulnerabilities within DeFi applications themselves.
He argued that security incidents increasingly stem from external dependencies rather than flaws in key lending protocols. According to Kulechov, the security of smart contracts for major DeFi applications has improved significantly, while risks often arise from third-party systems that interact with these protocols.
Not everyone agrees with that interpretation. Blockchain risk modeling firm LlamaRisk reported that attackers used the KelpDAO exploit to create worthless collateral, which was then deposited into Aave before authentically wrapped Ether was withdrawn. The company estimated that the incident left Aave V3 with approximately $123.7 million in bad debt.
A separate analysis from the Bank Policy Institute concluded that the episode exposed weaknesses in DeFi insurance schemes and demonstrated how large-scale withdrawals can create pressures comparable to traditional bank runs.
The redesign of V4 focuses on contamination risk
While defending Aave’s performance, Kulechov acknowledged that interconnected DeFi infrastructure creates new forms of systemic risk that require architectural changes.
To address these concerns, Aave Labs is preparing its V4 upgrade, which replaces traditional liquidity pooling with a modular hub-and-spoke framework. According to Kulechov, the new design will enable the protocol to apply localized risk premia and isolate problematic collateral before losses spread across credit markets.
He argued that public blockchain systems provide an advantage because code and risk models can be openly inspected by researchers and market participants.
At the same time, Aave Labs continues to expand its regulated activities. Last month, subsidiaries Push Labs Limited and Push Virtual Assets Limited received approval from the UK Financial Conduct Authority to operate as registered crypto exchange providers.
The registrations complement the group’s existing FCA Electronic Money Institution authorization and follow Aave Labs’ MiCA authorization in the European Union in November 2025.