Aave Founder Defends a $8.45 Billion Withdrawal Squeeze, V4 Upgrade Plans to Rebuild Its Risk Management System

BlockBeats news. June 8. This April, KelpDAO’s LayerZero-based cross-chain bridge was hit by an attack of $292 million, triggering a deposit run of up to $8.45 billion on the DeFi lending protocol Aave within 48 hours. In the face of outside questions about the protocol’s risk-control capabilities, Aave founder and CEO Stani Kulechov said the incident actually proves Aave’s “resilience”.

Speaking at the Proof of Talk conference in Paris, Kulechov said that Aave V3 has undergone multiple market-cycle tests and still remained stable under extreme market conditions. He believes that recent DeFi security incidents mainly stem from third-party infrastructure rather than vulnerabilities in the protocol’s own smart contracts.

However, according to disclosures from risk analysis firm LlamaRisk, the attackers exploited a vulnerability in KelpDAO to mint worthless collateral, deposited it into Aave, and then extracted real wETH—leaving Aave V3 with bad debt of approximately $123.7 million. To address the crisis, Aave DAO urgently reallocated 25,000 ETH, and Kulechov himself also additionally injected 5,000 ETH, bringing the overall rescue size to about $300 million.

In response to the systemic risks that were exposed, Aave is planning to rebuild its risk management architecture through an upgrade to V4. The new version will adopt a modular “Hub-and-Spoke” design, replacing the traditional liquidity-pool model, so the protocol can implement independent risk pricing for different types of collateral and freeze specific collateral assets before risk spreads—reducing the likelihood of cascading deposit runs triggered by cross-chain bridge failures.