Original author: Varys Capital venture capital director Tom Dunleavy
Compiled by: Odaily Planet Daily (@OdailyChina)
Translator: Azuma (@azuma_eth)

A week ago, KelpDAO's LayerZero-based rsETH bridging protocol was hacked, resulting in losses of up to $292 million. The stolen rsETH was then deposited in Aave as collateral, leaving Aave with approximately $196 million in bad debt and wiping out $13 billion in total value locked (TVL) across the entire DeFi market.
Two weeks earlier, Drift Protocol, a derivatives protocol on Solana, lost $285 million in a key leak caused by a social engineering attack by North Korean hackers.
These two incidents within three weeks caused permanent losses totaling $577 million. The USDC market on Aave saw its utilization rate exceed 99.87% for four consecutive days, while the deposit interest rate skyrocketed to 12.4%. Gordon Liao, the chief economist at Circle, submitted a governance proposal to increase the borrowing limit fourfold, just to ease the queue.
For users accustomed to depositing stablecoins in the DeFi lending market at interest rates of 4% - 6%, a crucial question now arises: are these yields still reasonable? A few weeks before the KelpDAO incident, Santiago R Santos raised this question during a podcast with Blockworks, and it merits further exploration: have we been reasonably compensated for the DeFi risks we take on, and what should a reasonable spread be in the future?
How Traditional Finance Prices Credit Risk
The yield of any corporate bond is a combination of several forms of compensation. The most critical formula in this analysis is: Yield = Risk-free rate + (Default Probability × Default Loss Rate) + Risk Premium + Liquidity Premium.
The risk-free rate (Rf) is based on matched-term U.S. Treasuries. "Default Probability × Default Loss Rate" (PD × LGD) represents expected loss, where the default loss rate is calculated as "1 - Recovery Rate". The risk premium compensates for the uncertainty of expected losses: even if two bonds have the same PD and LGD, the one with the wider distribution of outcomes will be priced differently. The liquidity premium compensates for exit costs.
Moody's long-term data since 1920 provides a benchmark:
- U.S. speculative-grade bond default rate: long-term average 4.5%, current 3.2% over the past 12 months, expected to rise to 4.1% by Q1 2026;
- Expected recovery rate for unsecured high-yield bonds: historically about 40%, corresponding to LGD ≈ 60%;
- Expected loss on high-yield bonds: 4.5% × 60% = 2.7%/year (long-term average);
- Default rate for private credit: KBRA projects 3.0% for 2026;
- Recovery rate for private credit: about 48% (KBRA 2023-2024 data);
- Recovery rate for secured leveraged loans: historically about 65%–75%;
The Current Yield Ladder in Traditional Finance
Now let's look at the current actual data. The yield on 10-year U.S. Treasuries is 4.29%. As of April 2026, the spreads of various credit assets from ICE BofA are as follows.

The overall pattern is intuitive: moving from government debt to investment grade, then to speculative grade and subprime commercial real estate, yields rise step by step down the capital structure to compensate for the probability of default and the severity of loss. Direct loan yields are approximately 9%, not because default rates are significantly higher, but because the liquidity premium for holding illiquid private assets is real.
Aave's USDC rates before the KelpDAO incident were around 5.5%, sitting between investment grade and B-rated high-yield bonds; meanwhile, Morpho (through curated vaults) yields about 10.4%. These two figures cannot both accurately reflect the same underlying risk.
DeFi has "Defaults" that Do Not Exist in Traditional Finance
Traditional credit defaults are relatively straightforward: when a borrower defaults, creditors can accelerate debt maturity, restructure, and liquidate assets. DeFi has no restructuring mechanism, only exploits, with three main failure modes.
Mode One: Smart Contract Vulnerabilities
Defects in the code (re-entrancy, input validation errors, missing access control, etc.) allow attackers to siphon off funds. Historical recovery rates: approximately 5%–15% when white hats return funds; nearly 0% when North Korean hackers are involved.
The Poly Network (2021) attacker's return of the entire $611 million is an extreme exception. Losses from Ronin ($625 million) and Wormhole ($325 million) were covered by the projects or institutions involved, which is essentially a shareholder bailout rather than a recovery.
Mode Two: Oracle Manipulation and Governance Attacks
Attackers manipulate low-liquidity DEX pools to contaminate the price source, or mount governance attacks that use malicious proposals to siphon off funds. Beanstalk lost $182 million in 2022 in such an incident. These types of events are partially reversible, but creditor rights often turn into claims on "worthless tokens."
Mode Three: Cascading Effects of Composability
This is the failure mode of KelpDAO and is the most dangerous because it is the hardest to audit.
- Protocol A issues LST/re-staked tokens;
- Protocol B accepts them as collateral;
- Protocol C is responsible for cross-chain bridging;
If any link encounters an issue, downstream assets become completely "orphans." The attacker does not need to attack Aave directly; simply attacking rsETH suffices.
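The cascade described above can be modelled as a dependency graph. The following is an added example, not part of the original article: a breadth-first walk that finds everything downstream of a failed component and the exposure riding on it. All node names and dollar amounts are constructed placeholders that follow the A/B/C roles above.

```python
from collections import defaultdict, deque

# Constructed dependency edges (dependent, dependency). Names follow the
# article's A/B/C roles plus two hypothetical extras; none is a real deployment.
EDGES = [
    ("restaked_token", "protocol_a_issuer"),
    ("restaked_token", "protocol_c_bridge"),   # token moves cross-chain via C
    ("protocol_b_market", "restaked_token"),   # B accepts the token as collateral
    ("protocol_b_market", "eth"),
    ("vault_d", "protocol_b_market"),          # hypothetical vault supplying to B
    ("market_e", "eth"),                       # hypothetical market, ETH only
]

# Constructed exposure in USD millions: (holder, what it holds) -> amount.
EXPOSURE = {
    ("protocol_b_market", "restaked_token"): 200,
    ("protocol_b_market", "eth"): 900,
    ("vault_d", "protocol_b_market"): 50,
    ("market_e", "eth"): 300,
}

def blast_radius(edges, failed):
    """Return {node: hops} for everything that transitively depends on `failed`."""
    dependents = defaultdict(set)
    for dependent, dependency in edges:
        dependents[dependency].add(dependent)
    hops, queue = {failed: 0}, deque([failed])
    while queue:
        node = queue.popleft()
        for child in dependents[node]:
            if child not in hops:              # also guards against cycles
                hops[child] = hops[node] + 1
                queue.append(child)
    del hops[failed]
    return hops

def exposure_at_risk(edges, exposure, failed):
    """Upper bound per holder: exposure to assets that failed or sit downstream."""
    tainted = set(blast_radius(edges, failed)) | {failed}
    at_risk = defaultdict(int)
    for (holder, asset), amount in exposure.items():
        if asset in tainted:
            at_risk[holder] += amount
    return dict(at_risk)

if __name__ == "__main__":
    print(blast_radius(EDGES, "protocol_c_bridge"))
    print(exposure_at_risk(EDGES, EXPOSURE, "protocol_c_bridge"))
```

The lending market is two hops from the bridge and never touched directly, yet it carries the largest exposure, while the ETH-only market is unaffected.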
The commonality among these three modes is that once a problem arises, crashes often happen within minutes, not quarters. There are no negotiations, no restructuring, no buffers. Code is law, and code errors mean near-total loss. Aave V3's bad debt on rsETH increased from $0 to $196 million in just about 4 hours. In contrast, the median time for a BB-rated default to go from stress signals to restructuring is 14 months.
What Do Loss Data Reveal?
Chainalysis pointed out an interesting phenomenon in its 2025 report: despite the total value locked (TVL) in the DeFi market growing from $40 billion at the beginning of 2024 to about $175 billion by October 2025, specific losses from DeFi attacks were close to their low point in 2023. The $3.4 billion in crypto thefts in 2025 primarily came from CEX (with Bybit alone accounting for $1.5 billion) and personal wallets (44%, compared to just 7% in 2022).

At first glance, you might conclude that DeFi is becoming safer from this chart. This is somewhat true. Smart contract audits have matured; bounty programs like Immunefi now protect over $100 billion of user funds; cross-chain bridge architectures are gradually introducing time locks and multi-party verification mechanisms.
However, the actual situation in 2026 tells a different story. On April 1, Drift lost $285 million; on April 18, KelpDAO lost $292 million. Two nine-figure incidents occurred within 18 days, both targeting weaknesses in composability rather than core lending primitives. Based on average TVL, the approximate annualized loss rate for DeFi in recent years is as follows.
- 2024: about $500 million in DeFi-specific losses / $75 billion average TVL = 0.67% annualized loss rate;
- 2025: about $600 million / $120 billion average TVL = 0.50% annualized loss rate;
- 2026 to date (annualized): extrapolating full-year losses from Q2, about $577 million / $95 billion TVL × 4 = approximately 2.0% to 2.5%.
If we set the forward-looking annual default probability (PD) for high-quality DeFi lending at 1.5% to 2.0%, and the default loss rate (LGD) at 90% (the average recovery rate from direct exploit attacks without external balance-sheet backing is 5% to 15%), then the expected loss is 1.35% to 1.80% per year.
This level is already higher than high-yield bonds (HY), and this does not account for uncertainty, liquidity constraints, regulatory asymmetries, and the additional premiums from composability contagion structures themselves.
Building DeFi Risk Premium from Scratch
From this point, we will apply the bond pricing method to attempt to price a reasonable yield for a quality DeFi stablecoin deposit — referring specifically to overcollateralized lending offered to retail and quantitative borrowers via Aave or Compound on the Ethereum mainnet, with the denominated asset being USDC.

As shown in the above figure, we started with the 10-year U.S. Treasury benchmark and constructed the reasonable yield upward. The framework is based on the Duffie-Singleton credit spread decomposition and adjusted for DeFi-specific failure modes.
The components of this pricing model are as follows:
- Risk-free rate (10Y U.S. Treasury): +4.30%;
- Technical expected loss (PD × LGD): +1.50%;
- Oracle manipulation risk: +0.75%;
- Governance/administrator key risk: +1.00%;
- Cascading risk of composability (similar to KelpDAO): +1.25%;
- Regulatory asymmetry risk: +1.25%;
- Stablecoin de-pegging tail risk: +0.50%;
- Liquidity premium: +0.50%;
- Risk premium (model uncertainty): +1.50%;
The final derived reasonable yield is at least 12.55%.
Therefore, for quality DeFi stablecoin supplies on leading protocols, the reasonable interest rate should not be lower than 13%. For positions with clear insurance (such as Nexus Mutual coverage, reserves of Umbrella-type protocols), it can be lower; for long-tail protocols, new deployment markets, or exposures involving re-staking and cross-chain structure, it should be higher.
Conclusion
In conclusion, we arrive at the following points.
First, demand reasonable compensation. If you are lending USDC in DeFi at a 5% rate, you are essentially accepting BB-rated pricing for a risk that, on technical and composability grounds, is worse than CCC-rated credit. The 9% to 12% yields from Morpho-type curated vault markets are closer to a reasonable clearing price, although they also introduce issues of manager selection and transparency.
Second, move up the capital structure. Overcollateralized lending against high-quality collateral (ETH, wBTC, market-validated LST) carries a significantly lower risk premium, provided there is oracle redundancy, a protocol-level insurance layer, and no cross-chain exposure. If direct access is possible, this equates to "investment-grade assets" in DeFi.
Third, correctly price tail risks. The KelpDAO attack was not a black swan, but rather a foreseeable failure mode within multi-chain and re-staking structures. The Drift incident is essentially the same in nature, just involving different participants. The second quarter of 2026 has already generated $577 million in permanent losses. A DeFi investment portfolio with an aggregated return of 5.5% faces catastrophic drawdown risks that this yield cannot cover at all.
DeFi is not uninvestable, but it is mispriced at the surface level. Institutional-grade opportunities do exist, but they are only available to allocators who either obtain the risk premium this framework calls for or can underwrite specific protocols individually, as they would in private credit. The so-called "lazy trade" of depositing stablecoins into top money markets and accepting their published yields is essentially a carry trade masquerading as a risk-free rate.