Stani Kulechov Defends Aave After $8.45B DeFi Bank Run Shock

Aave founder Stani Kulechov has defended the decentralized lending protocol after an $8.45 billion withdrawal wave followed a major DeFi exploit earlier this year.

Speaking at the Proof of Talk conference in Paris last week, Kulechov argued that Aave remained operational through one of the most severe stress events in decentralized finance despite a market-wide crisis triggered by the April exploit of KelpDAO’s LayerZero-powered bridge.

According to Kulechov, Aave’s V3 infrastructure has already been tested through multiple periods of market volatility.

“Aave has been really resilient during really turbulent times,” he said while discussing the protocol’s performance during the disruption.

The comments came after a security incident that spread far beyond the protocol where it originated. Risk researchers later traced the exploit to an RPC-spoofing and DDoS attack targeting LayerZero verifier nodes connected to KelpDAO.

Although the attack did not involve a flaw in Aave’s own smart contracts, the fallout quickly reached the lending platform as users rushed to withdraw funds.

Aave survived with emergency support

Within 48 hours of the exploit, roughly $8.45 billion in deposits left Aave, creating one of the largest liquidity shocks seen in DeFi. While the protocol continued operating, the recovery effort involved significant intervention from both the community and its leadership.

Aave DAO committed 25,000 ETH as part of an emergency response package. Kulechov personally contributed another 5,000 ETH, valued at about $8.4 million at the time, helping stabilize the situation as the protocol faced mounting pressure.

During his remarks, Kulechov drew a distinction between failures in supporting infrastructure and vulnerabilities within DeFi applications themselves.

He argued that security incidents increasingly stem from external dependencies rather than flaws in the core lending protocols. According to Kulechov, smart contract security across major DeFi applications has improved considerably, while risks often emerge from third-party systems that interact with those protocols.

Not everyone agrees with that interpretation. Blockchain risk modeling firm LlamaRisk reported that attackers used the KelpDAO exploit to create worthless collateral, which was then deposited into Aave before authentic wrapped Ether was withdrawn. The firm estimated the incident left Aave V3 with approximately $123.7 million in bad debt.

A separate analysis from the Bank Policy Institute concluded that the episode exposed weaknesses in DeFi insurance arrangements and demonstrated how large-scale withdrawals can create pressures similar to traditional bank runs.

V4 redesign targets contagion risk

While defending Aave’s performance, Kulechov acknowledged that interconnected DeFi infrastructure creates new forms of systemic risk that require architectural changes.

To address those concerns, Aave Labs is preparing its V4 upgrade, which replaces traditional liquidity pooling with a modular hub-and-spoke framework. According to Kulechov, the new design will allow the protocol to apply localized risk premiums and isolate problematic collateral before losses spread across lending markets.

He argued that public blockchain systems provide an advantage because code and risk models can be openly inspected by researchers and market participants.

At the same time, Aave Labs continues expanding its regulated operations. Last month, subsidiaries Push Labs Limited and Push Virtual Assets Limited received approval from the UK Financial Conduct Authority to operate as registered cryptoasset exchange providers.

The registrations complement the group’s existing FCA Electronic Money Institution authorization and follow Aave Labs’ MiCA authorization in the European Union in November 2025.