To Aave and to Aave not
DeFi faces a reckoning as a leading lending protocol gets drained.
Is DeFi dead? One of the leading lending platforms of decentralized finance, Aave, has been torpedoed by a de-facto run. It is one of multiple cybersecurity failures hitting the industry. Dead or reborn is not fated but a choice, by the many people in blockchain finance. But the time of casual disregard for fusty TradFi protections is over.
As a lending protocol, Aave is kind of like a giant crypto bank, where anyone can deposit coins and earn interest, and anyone can also borrow coins if they put up enough collateral. It’s all run by code instead of bankers, and until recently it was seen as one of the safest places in DeFi.
Now imagine a special kind of crypto token – call it “staked ETH points” – that’s supposed to be backed 1:1 by real ether locked somewhere safe. A separate project (KelpDAO) issued those points and used another piece of infrastructure (LayerZero, a type of bridge that moves tokens between blockchains) to move them around. The important bit: everyone treated those points as solid, reliable collateral, including Aave.
Then someone found a way to break that setup. On Saturday, April 18, they managed to pull out a huge amount of those “staked ETH points” without proper backing, and then went to crypto lending platforms like Aave and said: “Here’s my collateral, please lend me real ETH and stablecoins against it.” The platforms couldn’t tell the difference between good and bad tokens, so they handed over hundreds of millions of dollars in real assets.
By the time the problem was noticed and the bad token was blocked, it was too late. The attacker had borrowed real money and disappeared. Perhaps about $290 million’s worth was stolen. What remained inside Aave and other platforms was a hole: lots of fake or worthless collateral, perhaps as much as $230 million’s equivalent, and a big chunk of loans that will never be repaid.
Run run run
On paper, Aave still has more assets than debts. In theory, that means it’s not bankrupt. But that is not what users experience.
Because of the exploit and the panic it triggered, a lot of big players rushed to withdraw their money from Aave. That drained the pools of assets that everyone shares. For many key coins – especially ether and major stablecoins like USDT (Tether) and USDC (Circle) – almost all the money in the pool ended up being lent out, and almost no spare liquidity was left.
If you deposit money into a pooled lending system, your ability to withdraw depends on some cash being left in the pool. When that “available cash” goes close to zero, you simply cannot get your money out, even if you’re technically entitled to it. The code won’t let you withdraw what isn’t there.
That is exactly what happened. For some markets on Aave, utilization – the share of deposits that are lent out – shot up to nearly 100%. (Unlike in traditional banking, there is no reserve requirement.) Users opened the app and found they couldn’t withdraw. Some tried a messy workaround: borrowing different coins against their stuck deposits, then selling those new coins elsewhere at a loss just to escape. In other words, they accepted taking a haircut.
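The mechanics described above, as an added sketch that is not Aave's contract code: a toy shared pool in which withdrawals are capped by the cash left, so the first depositor out pushes utilization to 100% and the rest are stuck. The `Pool` class, the depositor names and all amounts are constructed for illustration, and interest rates are not modelled.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Toy shared lending pool (constructed model, whole token units)."""
    deposits: dict      # depositor name -> balance the pool owes them
    borrowed: int = 0   # amount currently lent out to borrowers

    @property
    def available(self):
        # Cash actually left in the pool: total deposits minus loans outstanding.
        return sum(self.deposits.values()) - self.borrowed

    @property
    def utilization(self):
        # Share of deposits that is lent out, as the article defines it.
        total = sum(self.deposits.values())
        return self.borrowed / total if total else 0.0

    def withdraw(self, who, amount):
        # The pool refuses to pay out what is not there, whatever the balance says.
        if amount > self.deposits[who]:
            raise ValueError("exceeds balance")
        if amount > self.available:
            raise ValueError("insufficient liquidity")
        self.deposits[who] -= amount

def simulate_run(pool, order):
    """Depositors exit in `order`, each taking as much as the pool can pay."""
    paid = {}
    for who in order:
        amount = min(pool.deposits[who], pool.available)
        pool.withdraw(who, amount)
        paid[who] = amount
    stuck = {w: b for w, b in pool.deposits.items() if b > 0}
    return paid, stuck, pool.utilization

def demo():
    # Constructed numbers: 1,000 deposited, 700 lent out -> 70% utilization.
    pool = Pool({"whale_a": 500, "whale_b": 300, "retail": 200}, borrowed=700)
    before = pool.utilization
    paid, stuck, after = simulate_run(pool, ["whale_a", "whale_b", "retail"])
    return before, paid, stuck, after

if __name__ == "__main__":
    print(demo())
```

A risk monitor built on the same two quantities would alert on `utilization` approaching 1.0 and on `available` falling below the largest single depositor balance, since either condition means an orderly exit is no longer possible for everyone.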
To make matters worse, people who had borrowed stablecoins against ether as collateral suddenly could not repay their loans normally either. The markets where their collateral sat were frozen: about $5 billion worth of USDT and USDC are, for now, frozen, like deposits that a bank won’t redeem.
If ether’s price had crashed during this period, Aave’s systems would have struggled to liquidate positions, which could have created even more bad debt. Fortunately that hasn’t happened.
Nonetheless, from the outside, what has happened on Aave looks and feels a lot like a bank run: the first to rush out get paid, everyone else is stuck. Users have pulled more than $6 billion of ETH-denominated positions from the platform since news of the exploit got out. Aave’s TVL, total value locked, fell from about $26 billion to $20 billion.
Three problems
While industry insiders are still investigating the details of what’s happened, three big problems are obvious.
First, as we’ve said before, it’s the plumbing that matters. But in DeFi, the plumbing is treated as an afterthought. Most people, and most risk models, focus on the visible token: how volatile it is, how much you can safely borrow against it, what price feeds are used. But the real risk was hidden below: who runs the bridge that moves the token between chains, who holds the keys, how that system can fail, and what happens if it does.
When Aave accepted this “staked ETH” token as collateral, it wasn’t just trusting the token. It was trusting an entire stack of software and operations it didn’t control or deeply understand. That’s like a bank accepting a new type of mortgage asset without really examining the company that created it, the custodian that holds the paperwork, and the system that tracks ownership. Remember subprime mortgages? The evils of TradFi that DeFi was supposed to transcend?
Second, shared pools are transmission engines. Aave and similar platforms use shared pools: everyone deposits into one big pot, everyone borrows from the same pot, and interest rates adjust automatically. That’s efficient and convenient. It also means that when a single type of collateral blows up, its effects spread everywhere.
In this case, a problem with one token tied to ether ended up freezing markets in ether itself and even major stablecoins. People who had never heard of KelpDAO or LayerZero suddenly found they couldn’t move their USDT or USDC in Aave. Their only mistake was using the same pool as everyone else. Ah, remember how Lehman didn’t separate customer assets under its prime brokerage business, and we all had to learn how to pronounce “rehypothecation”?
Third, who’s on the hook? When a big hole appears, someone has to pay to fill it. In traditional finance, we have a whole hierarchy: shareholders, junior bondholders, senior creditors, deposit insurance, government backstops.
In Aave’s case, there is a sort of insurance system called Umbrella. People stake ether into a pool that can be slashed (cut) to cover bad loans, in exchange for rewards. The problem is that Umbrella was designed for relatively ordinary problems – like sudden price swings and liquidation cascades – not for a single event that might wipe out hundreds of millions of dollars linked to a bridge bug or misconfiguration.
So now the system is in a bind. If the loss is larger than this insurance pool, the platform’s community treasury might have to step in. If even that isn’t enough, some of the loss may have to be pushed onto ordinary depositors. The rules for who gets hurt, and by how much, are being figured out on the fly. The DeFi industry must use this disaster to establish, uh, rules? Enforceable by law, not just code?
Vercel and centralized compute
Governance is not just specific to bank-like runs in DeFi. Cybersecurity problems are plaguing all of DeFi. In this regard, crypto isn’t different from TradFi, where the same risks are manifest. But crypto is, well, crypto native, which makes the industry even more vulnerable.
While the Aave mayhem was going down, a separate incident occurred. Vercel, a popular cloud service that many crypto projects use to host their websites, reported a security breach. Attackers may have accessed internal systems, including keys and deployment credentials for customer projects.
What this means: even if the smart contracts running your money are safe, the website you use to interact with them could be compromised. A hacker who controls a project’s frontend can trick you into signing malicious transactions that drain your wallet, all while showing you a normal‑looking interface.
What else this means: many “decentralized” projects still rely heavily on centralized, traditional tech companies for critical parts of their stack. So even if the blockchain is resistant to censorship or tampering, the path you use to reach it might not be.
For ordinary users, that’s yet another reason to feel that DeFi is unsafe: hacks are coming not just from clever contract exploits, but from weak links in hosting, software supply chains, and development tools.
Sink or swim
Again, not limited to crypto, but crypto is more vulnerable. Specifically, the DeFi story is no longer viable. Putting finance on-chain doesn’t make it safer. Clever software engineering plus a few audits is not enough to handle serious amounts of money. Cutting out bureaucracy and oversight, without replacing them with equally robust software, is efficiency-maxxing – for criminals.
Traditional finance has become disparaged as “TradFi” because it too experienced this kind of blowup. And more. Controls, capital buffers, governance, and regulation didn’t materialize because anyone asked for them: they came after many painful lessons. DeFi’s undergoing a similar education, but a lot faster, and visibly, as the transactions occur as hashes visible to everyone on-chain. That transparency is a feature of DeFi, one of its best attributes. But code alone isn’t protecting the marketplace. Code is not law; it’s just code.
Once the dust settles, how does DeFi recover?
First, we may see a winnowing of the kind of tokens that circulate. People will trust plain ether, major stablecoins, and well-scrutinized tokens. Others will be eyed as a risk. Bridged tokens, complex derivatives, and many restaking products will be tagged as risky; they won’t vanish but they will be restricted to the shark tank, not the pool for the general public.
Teams have to undergo root and branch reform. It’s time to get Old Testament on those teams that laugh at compliance culture or think speed is all you need.
Insurance and other backstops need to be sized to match the level of flows transacting across a platform. TradFi bankers always chafe against capital reserve rules, so this isn’t a dynamic unique to crypto, but the pendulum in DeFi has to swing a little harder.
Institutionalization in this space has been on the rise for the past two years, enabled by new regulation and licensing regimes. A lot of that activity is going to DLT rather than DeFi, to protocols such as Canton Network that allow like-minded institutions to transact among each other, with no riff-raff allowed. Institutions can benefit from DeFi’s greater reach and liquidity, but they need confidence to venture here.
DeFi needs to work with institutions to learn what they can without sacrificing the promise of permissionless, decentralized, efficient capital markets. There are plenty of traditional brokers, market makers, and traders who want to play in DeFi-like environments: the shark tank is fine, so long as everyone knows what’s swimming in there, and the sharks can’t jump into other pools.
These things will take time, the one thing that DeFi doesn’t have. The immediate issue is restoring liquidity so user stablecoins on deposit can be withdrawn. Aave will have to find a way to convince users not to pull out, but it has to restore their ability to do so. Beyond one platform, DeFi should rethink the story about itself. Otherwise it will be remembered as just another speculative bubble.


