Aave chief defends protocol's 'resilience' after $8.45 billion bank run

Decentralized finance (DeFi) is recovering from a string of sophisticated exploits that have triggered an intense debate over whether public blockchain protocols can truly handle systemic risk.

The crisis peaked in April 2026, with the $292 million exploit of KelpDAO’s LayerZero-powered bridge triggered a devastating $8.45 billion deposit run on Aave, the world’s largest decentralized lending platform. The massive withdrawals occurred within 48 hours.

Stani Kulechov, founder and CEO of Aave Labs, defended Aave’s mathematical superiority over traditional finance at the Proof of Talk event in Paris last week. Rather than addressing the operational failures of a multi-million dollar liquidity crunch that nearly broke Aave’s insolvency shields, Kulechov pivoted to frame the massive capital flight as empirical proof of the network’s “resilience.”

"Aave's existing V3 infrastructure has seen multiple market cycles,” he said, adding that “Aave has been really resilient during really turbulent times."

However, a closer look at the April crisis reveals that Aave’s survival relied less on flawless autonomous design and more on a chaotic, human-led $300 million emergency bailout. The emergency recovery effort required a 25,000 ETH pledge from the Aave DAO and a personal 5,000 ETH ($8.4 million) contribution from Kulechov himself to stave off disaster.

Deflecting the blame

Kulechov separated core smart contract code from the external infrastructure failures impacting the wider market.

"When it comes to development as well... there are very few, actually any sort of issues in DeFi protocols' smart contracts generally," Kulechov argued. "They are actually third-party dependencies that are related to more traditional security that might have an impact across the DeFi space, as we've seen recently."

While technically precise, the April hack began with an RPC-spoofing and DDoS attack targeting LayerZero’s verifier nodes on KelpDAO rather than a bug in Aave's code. Risk analysts said that Kulechov’s defense side-steps a harsher reality.

Blockchain risk modeling firm LlamaRisk later revealed that the hackers used the exploit to mint worthless collateral, deposit it into Aave, and drain authentic wrapped Ether (wETH), leaving Aave V3 saddled with an estimated $123.7 million in bad debt. Furthermore, banking analysts at the Bank Policy Institute pointed out that Aave's inadequate insurance exposed how DeFi platforms are vulnerable to bank runs in detriment of their users.

Blueprint for V4

Kulechov did concede that the architectural threat of contagion requires a complete overhaul. To prevent future bridge failures from triggering systemic deposit runs, he noted that Aave Labs is using its upcoming V4 upgrade to fundamentally restructure its risk management.

Kulechov explained that Aave Labs is using its upcoming V4 tech upgrade to entirely redesign risk management with the aim of preventing future bridge exploits from triggering deposit runs.

Kulechov explained that under the new version, a modular "hub-and-spoke" system will replace traditional token pooling, enabling the core protocol to autonomously levy localized risk premiums and freeze specific collateral lines before contagion can reach primary lending reserves.

"When you have a completely auditable and public system, anyone can actually inspect the code and also do different kinds of risk analysis based on that. I think that is the key to building resilient software," he concluded.

​Whether institutional allocators will continue to overlook these multi-billion dollar "stress tests" while waiting for V4 to launch remains the defining question for DeFi's mainstream future.