Aave Plans V4 Risk Overhaul After $292 Million KelpDAO Bridge Attack Triggers $8.45 Billion Bank Run

Aave is planning a V4 upgrade to redesign its risk management after an April exploit of KelpDAO’s LayerZero-based cross-chain bridge led to a rapid withdrawal wave on the DeFi lending protocol and left Aave V3 with bad debt.

According to ChainCatcher, the $292 million attack triggered up to $8.45 billion in deposit outflows from Aave within 48 hours.

Aave founder and CEO Stani Kulechov said at the Proof of Talk event in Paris that the incident demonstrated Aave’s resilience, arguing that recent DeFi security failures have largely stemmed from third-party infrastructure rather than vulnerabilities in protocols’ own smart contracts.

Risk analysis firm LlamaRisk said the attacker exploited a KelpDAO flaw to mint worthless collateral, deposit it into Aave, and withdraw real wETH, leaving Aave V3 with about $123.7 million in bad debt.

In response, Aave DAO deployed 25,000 ETH in emergency funds, and Kulechov added another 5,000 ETH, bringing the total rescue effort to about $300 million.

Aave’s planned V4 upgrade would introduce a modular “hub-and-spoke” design to replace the traditional pooled-liquidity model. The protocol aims to price risk independently for different collateral types and freeze specific collateral before risk spreads, seeking to reduce the chance that cross-chain bridge failures trigger cascading runs.