What the Aave crisis actually showed us

If you’ve been watching the rsETH situation unfold over the last week, you’ve probably seen the headlines. A $292M bridge exploit, $13B of TVL fleeing Aave, stablecoin pools pinned at 100% utilization for days, and a slow-motion governance scramble that’s still going on as I write this.

It’s tempting to file it as “another DeFi hack” and move on. I don’t think we should. This one is unusually instructive, not because the hack itself was novel (it wasn’t, bridges keep getting exploited, and as I’ve said before, I think bridging is an anti-pattern), but because of what the response showed us about how DeFi actually works under stress. We got to see something here that’s hard to see anywhere else.

The hack is the trigger, not the story

A quick recap. On April 18, an attacker exploited Kelp DAO’s LayerZero-based bridge by feeding a forged cross-chain message into the lzReceive function. The bridge released 116,500 rsETH on mainnet without any corresponding burn on an L2. About 18% of the circulating supply, gone in one transaction. The attacker promptly deposited that unbacked rsETH onto Aave V3 as collateral, borrowed roughly $200M of WETH against it, and exited.

Aave’s contracts behaved exactly as designed. The oracle hadn’t yet caught up to the fact that rsETH’s backing had collapsed. The LTV was set to 93% in E-Mode. The loan went through. Hours later, when whales saw the bad debt forming, they ran. Within 24 hours, $6.6B had left the protocol. WETH utilization hit 100%, then USDC and USDT followed as panicked depositors pulled anything they could. By Monday, three of Aave’s largest pools were stuck at full utilization, and remaining depositors found themselves locked in.

That’s the surface story. The interesting part is what happened around it.

A rational outcome?

You might read the above and conclude this is just what happens when a big protocol gets hit by a big exploit. The bridge failed, bad collateral entered the system, depositors panicked, withdrawals froze. Cause and effect, nothing to see beyond the obvious. If that’s the read, the lesson is “bridges are risky” and we move on.

I don’t think that’s the full picture, and the reason why is worth a few minutes.

Spark, the Sky-affiliated lending protocol, had deprecated rsETH as collateral back in January. They also kept higher max borrow rates on their ETH market, a policy that, in their own words, was “not very popular among ETH-loopers” but meant SparkLend held its liquidity through the whole event. Spark’s TVL went up by over a billion dollars while Aave’s was bleeding.

Same hack. Same market. Same external conditions. Different outcome.

Morpho’s exposure to rsETH was about $1M across two isolated markets. Their CEO posted a calm thread on the day of the exploit explaining that the architecture, where each market is its own discrete pair rather than a shared pool, contained the damage. Morpho’s other vaults were entirely unaffected. Same hack again, very different outcome.

So when we say the liquidity crunch at Aave is the rational outcome of a bridge hack, we have to ask: rational given what? The hack itself was external and unavoidable, sure. But the magnitude of damage at Aave specifically wasn’t. It was a product of decisions Aave had made, often months or years earlier, that compounded badly when the trigger arrived.

The hack provides the necessary condition. Aave’s choices provide the magnitude.

Code is law, but parameters are policy

Let’s look at this in layers, because once you separate them out, the situation makes a lot more sense.

There’s the code layer, Aave’s smart contracts. These executed perfectly. Withdrawals stopped at 100% utilization because the math says they have to. Liquidations didn’t fire because rsETH had no liquid market to clear them against. The code did exactly what the code was supposed to do. Code is law, as the saying goes, and the law worked.

Then there’s the parameter layer, the LTVs, the supply caps, the slope curves, the oracle choices. These aren’t code. They’re configuration that humans set within the bounds the code allows. In January, Aave governance passed proposal 434, raising rsETH’s E-Mode LTV from 92.5% to 93%. That sounds tiny, but it compressed the safety buffer from 28% down to 7%. With Spark’s 72% LTV on the same asset, the same exploit produces no bad debt at all. Aave’s choice, driven partly by the competitive race for LRT looping volume, produced a hole roughly four times larger than necessary.

Above that is the configuration layer, the bigger product decisions. Should rsETH be a collateral asset at all? Should it be in E-Mode with WETH? Should supply caps allow a single attacker to deposit $292M in one go? These are governance decisions with longer timescales, made by people weighing growth against risk.

And at the top is the meta-governance layer, who decides who decides. Who counts as a delegate, what the multisigs can do, which service providers do which work, how the rules-about-the-rules get changed.

Banking has these layers too. The difference is that in banking they’re entangled inside opaque institutions, and you only get to see them clearly during forensic post-mortems years after the fact. DeFi separates them onto explicit, public, contractually-mediated surfaces. You can watch each layer respond on its native timescale, with its own actors, in real time. That’s actually unusual, and worth paying attention to.

The wrong layer was sick at the wrong time

In Aave’s case, the code layer was healthy. The parameter layer was aggressive but not unreasonable in isolation. The configuration layer had accepted a risky asset, but lots of protocols accept risky assets. The thing that turned a recoverable event into an eight-day crisis was that the meta-governance layer wasn’t well.

In the six weeks before the exploit, Aave lost three of its four major non-Labs service providers. BGD Labs, the team that wrote and maintained Aave V3’s core code, gave notice in February and exited on April 1 after a public dispute about Aave Labs’ growing centralization. Chaos Labs, the risk curator responsible for setting and reviewing collateral parameters including the rsETH parameters, exited on April 6, twelve days before the exploit. The Aave Chan Initiative, the protocol’s primary governance and BD delegate for years, was winding down through the same period after a falling-out with Aave Labs over a swap fee dispute.

These exits weren’t related to the rsETH situation. They couldn’t have been; nobody knew it was coming. But they meant the people who would normally have been re-reviewing rsETH parameters in light of changing market conditions weren’t there to do it. The risk team that set the 93% LTV was gone before anyone could ask whether 93% still made sense.

Then on April 12, five days before the exploit, the “Aave Will Win” proposal passed with about 75% support. It clarified the economic relationship between Aave Labs and the DAO, redirecting all Aave-branded product revenue back to the DAO treasury in exchange for a $25M grant to fund Labs’ continued development. Necessary work, by most accounts. But it also meant 25% of the DAO actively dissented at the moment unified authority would matter most. ACI cast the largest single dissenting vote.

So when the crisis hit, the layers above the code couldn’t move. The risk team that should have been watching rsETH wasn’t there. The governance that should have been pushing emergency parameter changes was fragmented. The “dynamic Slope 2” rate mechanism that could have force-cleared the market through high borrow rates was capped at modest levels by design, a choice meant to prevent flash liquidations during normal volatility but which in a black swan let attackers and panicked borrowers keep liquidity trapped at low cost. The Umbrella safety module turned out to hold maybe $50M against $26B of TVL, about 0.2% coverage. That sounds shocking until you remember the DAO had chosen that level of capitalization explicitly, in exchange for higher yields elsewhere. Traditional banks operate under Basel III capital requirements of around 10-13%. The DAO had been making a tradeoff between resilience and yield, and got the answer to that tradeoff in real time.
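The interaction between full utilization and a capped Slope 2, sketched as an added example that is not Aave's code or from the original post. The pool size, kink and slope values are constructed assumptions, and the model is the standard two-slope utilization curve with simple interest.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    supplied: float   # total deposits (constructed units)
    borrowed: float   # outstanding debt
    slope2: float     # extra annual rate between the kink and 100% utilization
    base: float = 0.0
    slope1: float = 0.04
    u_opt: float = 0.90   # the kink; all parameter values here are assumptions

    def utilization(self) -> float:
        return self.borrowed / self.supplied if self.supplied else 0.0

    def available(self) -> float:
        # Only liquidity that is not lent out can leave the pool.
        return max(self.supplied - self.borrowed, 0.0)

    def borrow_rate(self) -> float:
        u = self.utilization()
        if u <= self.u_opt:
            return self.base + self.slope1 * u / self.u_opt
        excess = (u - self.u_opt) / (1 - self.u_opt)
        return self.base + self.slope1 + self.slope2 * excess

    def withdraw(self, amount: float) -> float:
        paid = min(amount, self.available())
        self.supplied -= paid
        return paid


def simulate_run(slope2: float, requests: list[float]):
    """Depositors pull funds while borrowers do not repay."""
    pool = Pool(supplied=1000.0, borrowed=800.0, slope2=slope2)
    paid = [pool.withdraw(r) for r in requests]
    return paid, pool.utilization(), pool.borrow_rate()


def carry_cost(rate: float, principal: float, days: int) -> float:
    # Simple (non-compounding) interest: enough to compare the two curves.
    return principal * rate * days / 365


if __name__ == "__main__":
    for label, s2 in (("capped slope2", 0.10), ("steep slope2", 3.00)):
        paid, u, rate = simulate_run(s2, [300.0, 50.0])
        print(label, paid, f"U={u:.0%}", f"rate={rate:.0%}",
              f"8-day cost on 100 units: {carry_cost(rate, 100.0, 8):.2f}")
```

In both runs the second withdrawal pays nothing once utilization reaches 100%; the only thing the slope changes is how expensive it is for borrowers to leave the debt outstanding.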

Aave’s contracts were not compromised. The vulnerability was in everything above the contracts.

Who actually did the rescuing

Watch who showed up. Tether froze $344M based on law enforcement information. Arbitrum’s Security Council froze 30,766 ETH of the attacker’s funds, about $74M, in coordination with law enforcement. Circle’s Chief Economist personally filed a governance proposal on Aave’s forum asking for emergency rate parameter changes on USDC. Stani organized DeFi United, a TARP-style industry rescue fund with commitments from Lido, EtherFi, Mantle, Frax and others, totaling nearly 70,000 ETH within a few days.

None of these are the protocol’s own designed safety mechanisms. Umbrella is the thing Aave actually built for this scenario, and whether to even activate it is currently being argued about. It might never fire. The proposal on the table now is to pause it indefinitely.

There’s a temptation to read this as “centralized actors saved DeFi”, but I don’t think that’s quite the full picture either. Tether’s freeze function exists by design and has been there since 2017. Nobody is surprised it works. Arbitrum’s Security Council was set up explicitly to do exactly this; the multisig members are publicly listed, the trigger conditions documented. Mainnet, by contrast, didn’t intervene and won’t, and that non-action is the foundation of everything built on top of it. No one credible is suggesting Ethereum should roll back the attacker’s transactions. The credible commitment to non-intervention at the base layer is what makes the base layer trustworthy.

What we’re really seeing is each layer behaving according to its mandate. The layers that have explicit authority to act fast did so. The layers that have deliberately-slow authority moved deliberately. That’s the structure working as intended. Code is law at the bottom, policy is policy in the middle, politics is politics at the top. Each layer has its native actors and its native timescale. Circle engaging Aave’s parameter layer through a governance forum is the same kind of interaction that happens between asset issuers and lenders in traditional finance, just made explicit and contractually mediated. The novelty isn’t the centralized rescue. It’s that we got to watch every layer’s response, with timestamps, in public.

The MakerDAO comparison is the one that matters

Maker had its layer-failure crisis in 2020, Black Thursday. The code (auctions) worked correctly but produced terrible outcomes because the parameter layer (auction durations, keeper incentives) was wrong for the conditions. Bad debt formed, DAI nearly lost its peg, the protocol survived but barely.

It took Rune two years to diagnose that fixing parameters wasn’t enough. The meta-governance layer needed restructuring. Endgame, with its eventual split into Sky and the Stars, was specifically a meta-governance reform. It clarified who decides what, on which timescales, with which authority. Spark itself is a product of that restructure. Phoenix Labs builds Spark, Sky governs the boundaries, and the relationships between them are explicit and contractually defined. No service provider can quit the way BGD quit Aave, because Phoenix Labs isn’t an independent contractor. That structural choice is part of why Spark held up this week.

Aave is now sitting roughly where Maker was in 2020. The code worked. The parameters were aggressive. The configuration accepted bad collateral. The meta-governance is fractured. The question is whether Stani makes Rune’s diagnosis, that the layer needing fixing isn’t parameters or risk providers but the structure that decides those things, and whether he can drive a comparable restructure under crisis pressure rather than in peacetime.

The “Aave Will Win” framework was a partial step in that direction. It clarified the Labs/DAO economic relationship, but it was authored before the crisis and addressed a different problem. The structural reform that this crisis actually calls for, succession planning for service providers, faster emergency parameter authority, properly-sized insurance with explicit capitalization targets, hasn’t happened yet. Whether it will is genuinely open. Stani’s style is more pragmatic-operator than visionary-public-intellectual, which is fine for shipping product but a different skill set than what Endgame required. Rune got to design Endgame in peacetime, with two years to write whitepapers and build consensus. Stani has to design Aave’s equivalent in wartime, with weeks before the competitive damage from this episode becomes permanent.

What I take from this

I don’t think the lesson is “DeFi failed” or “DeFi is becoming CeFi” or “DAOs don’t work”. All three are too broad to be useful, and the actual situation is more textured.

The lesson I take is this. Financial systems have always had layers, and the layers have always operated on different timescales with different authorities. Banking obscures this by entangling the layers inside institutions, so that when something goes wrong, the question of which layer failed is a forensic exercise that takes years. We’re still arguing about which layer of the 2008 crisis was the actual cause. DeFi exposes the layers by putting each one on its own surface. When something goes wrong, you can immediately see which layer failed, who engaged it, and on what timescale. That’s a kind of diagnostic clarity that’s been unavailable through most of financial history.

The Aave crisis is the cleanest example of this we’ve had so far. Healthy code, aggressive parameters, risky configuration, fractured meta-governance. The code being law didn’t help, because the law wasn’t the thing that needed changing. The interesting question for any protocol you might be using, including the ones currently absorbing capital from Aave, isn’t whether the contracts have been audited. It’s which layers are healthy, and which are quietly degrading while nobody’s looking.

We’re going to see this pattern again. Probably soon. Worth getting better at recognizing it.
