%201%20(3).png)
By Andrei Poliakov, Founder and CEO, APX Lending
On Saturday, April 18, 2026, Aave had its worst day on record.
To understand why that matters, and why it should matter to anyone borrowing against Bitcoin or Ethereum, it helps to start with how DeFi lending actually works.
A 60-second primer on DeFi lending
DeFi, short for decentralized finance, is lending run by code instead of by a company. Users deposit stablecoins (like USDC) or other crypto into a lending pool. Other users put up crypto as collateral and borrow from that pool. An algorithm sets the interest rates based on supply and demand. There is no CEO, no customer service line, and no credit team. When things go right, rates are competitive and transactions settle in minutes because lenders and borrowers are matching like in a P2P lending marketplace, except by an algorithm. When things go wrong, there is no one to call. The code executes what it is told to execute, and if it was told something wrong, the losses land wherever they land.
Aave is the largest DeFi lender in the world, with over $26 billion of deposits last Friday. What happened this weekend is a masterclass in how their model broke.
What happened, in plain language
Kelp is a DeFi protocol that takes your Ethereum, puts it to work earning staking yield, and gives you back a token called rsETH in the meantime. Think of rsETH as an IOU: it represents your ETH deposit, and you can redeem it for real ETH later. That rsETH token itself can be moved between different blockchains using a system called a bridge, which locks tokens on one chain and releases a matching amount on another.
On Saturday, an attacker found a flaw in Kelp's bridge and tricked it into releasing 116,500 rsETH to themselves, worth $292 million and about 18 percent of the entire supply, without anything being locked in return. In effect, they counterfeited $292 million of IOUs out of thin air.
Then came the clever part. The attacker did not try to sell the counterfeit rsETH. They deposited it into Aave as collateral and borrowed real Ethereum against it, roughly 80,000 ETH worth $196 million. By the time Aave's emergency team froze the platform, the attacker was gone with the real ETH. The code did exactly what it was told to do. The problem was it was told to accept rsETH as collateral. A human mistake.
Kelp loses $292 million. Before the hack, every rsETH was backed 1-to-1 by real ETH staked at Kelp. After the hack, the supply was inflated by 18 percent but the backing was not. Every rsETH in existence, including tokens held by people who bought them legitimately months ago, is now only partially backed. The token's market price collapses accordingly.
Aave loses up to $196 million. The attacker walked out with 80,000 real ETH they will never repay. The "collateral" Aave is holding, the counterfeit rsETH, cannot be sold or redeemed for anywhere close to $196 million because its backing has been destroyed. Aave depositors absorb the loss.
The immediate reaction
Over the weekend, panicked depositors pulled $9.4 billion out of Aave. Deposits fell from $26.4 billion to around $17 billion. The AAVE token fell close to 20 percent. Every dollar of ETH that had been deposited on Aave was lent out or withdrawn. Anyone who tried to withdraw was told to wait. No one knew for how long. A classic run-on-the-bank scenario. Everyone wanted to get their deposited ETH out first. No one wanted to be the last person standing when there was no more ETH left to distribute.
The good news is that Aave has a safety insurance fund called Umbrella, designed for exactly this scenario. The bad news is it only holds about $50 million, and the bad debt is roughly $196 million. That leaves a $146 million gap that someone has to fill.
What happens next at Aave
Aave will recover something from the rsETH collateral it still holds, either by redeeming it at Kelp or selling it on the open market. But with rsETH's backing destroyed and its market price well below peg, any recovery will be at a steep discount. It will soften the damage, not erase it.
The rest of the losses will have to come from somewhere. Depositors who staked into the Umbrella fund itself (which they did because it paid extra interest in exchange for absorbing risk) will likely lose their deposits, covering about $50 million. Ordinary ETH depositors may lose a portion of their deposits to cover whatever remains. AAVE token holders could be cut. The community might vote to pay from the treasury. Might.
The 3 hidden costs of cheapest rates
Most people compare lending rates on a spreadsheet. On paper, DeFi usually wins. In practice, the headline rate leaves out three costs that only show up under stress, and stress.
The wrong framing
I am not saying that CeFi lenders are better than DeFi solutions across the board. The centralized side of the industry has its own graveyard: Celsius, Voyager, BlockFi, FTX, BlockFills. What failed there was not centralization itself but opaque rehypothecation, where a lender quietly redeployed customer collateral into yield-bearing positions that blew up under stress (or in certain cases, simple theft). What failed at Aave this weekend was different in mechanism but similar in effect. Aave did not reuse anyone's collateral. Aave accepted a collateral token whose backing was a claim from a bridge that turned out to be forgeable. Different failure mode, similar result for borrowers.
What I'm saying is simply that the idea that DeFi is inherently safer because no central party can steal your funds is inherently wrong. The incentive to breach a DeFi protocol sits in public view at all times, denominated in billions. Attackers are constantly trying, and sometimes they win. In those cases, borrowers lose.
The right framing
The real question is not DeFi versus CeFi. The real question is whether your collateral is transparent, segregated, and insulated from someone else's bad day.
APX is built on that question. Every Bitcoin or Ethereum we take as collateral sits in cold storage at BitGo Trust, one of the most regulated custodians in the industry. The wallet address holding the Bitcoin that backs your specific loan is visible from your APX dashboard and on the blockchain 24/7. You can open a blockchain explorer and verify the balance independently of us, at any time. We do not rehypothecate your Bitcoin. It is not relent. It is not reused. It does not become someone else's collateral in a stack of tokens whose backing you cannot audit. And we are approved and report into the Canadian Securities Administrators. Your Bitcoin also remains legally yours for the entire life of the loan. We take a security interest in it, the way a bank takes a lien on a house, but legal title never transfers to us. Our rates start at 9.99%, fixed for the life of the loan. They do not move to 15% because a bridge got exploited on a Saturday. You can repay on a known schedule with no spikes in smart contract fees, no pool limits, and no queue.
DeFi rates may be cheaper in a best-case calm week but the premium is what you pay for knowing and seeing your collateral still there on the worst day.
Balance, not purity
I am not telling anyone to avoid DeFi. I am saying the prudent move for any serious borrower is not to put all your holdings in the cheapest basket. It is to spread exposure across venues. Some capital where you want DeFi's rates, knowing the tail risk is a misconfiguration buried three protocols deep. Some capital where the custody is segregated, visible on-chain, regulated, and insulated. Chasing the lowest rate across your entire book is not a portfolio. It is a concentrated bet that nothing will break. If that resonates, the APX team would welcome a conversation. We will walk you through exactly where your collateral would sit, how to verify it on-chain yourself, and what our structure looks like under the hood.
Book a call with our team today
APX Lending is a crypto-backed lender operating in the US, Canada, and globally. APX Lending does not offer financial or tax advice. We strongly encourage you to consult with a certified financial or tax professional for guidance on any related inquiries you may have.
By Andrei Poliakov, Founder and CEO, APX Lending
On Saturday, April 18, 2026, Aave had its worst day on record.
To understand why that matters, and why it should matter to anyone borrowing against Bitcoin or Ethereum, it helps to start with how DeFi lending actually works.
A 60-second primer on DeFi lending
DeFi, short for decentralized finance, is lending run by code instead of by a company. Users deposit stablecoins (like USDC) or other crypto into a lending pool. Other users put up crypto as collateral and borrow from that pool. An algorithm sets the interest rates based on supply and demand. There is no CEO, no customer service line, and no credit team. When things go right, rates are competitive and transactions settle in minutes because lenders and borrowers are matching like in a P2P lending marketplace, except by an algorithm. When things go wrong, there is no one to call. The code executes what it is told to execute, and if it was told something wrong, the losses land wherever they land.
Aave is the largest DeFi lender in the world, with over $26 billion of deposits last Friday. What happened this weekend is a masterclass in how their model broke.
What happened, in plain language
Kelp is a DeFi protocol that takes your Ethereum, puts it to work earning staking yield, and gives you back a token called rsETH in the meantime. Think of rsETH as an IOU: it represents your ETH deposit, and you can redeem it for real ETH later. That rsETH token itself can be moved between different blockchains using a system called a bridge, which locks tokens on one chain and releases a matching amount on another.
On Saturday, an attacker found a flaw in Kelp's bridge and tricked it into releasing 116,500 rsETH to themselves, worth $292 million and about 18 percent of the entire supply, without anything being locked in return. In effect, they counterfeited $292 million of IOUs out of thin air.
Then came the clever part. The attacker did not try to sell the counterfeit rsETH. They deposited it into Aave as collateral and borrowed real Ethereum against it, roughly 80,000 ETH worth $196 million. By the time Aave's emergency team froze the platform, the attacker was gone with the real ETH. The code did exactly what it was told to do. The problem was it was told to accept rsETH as collateral. A human mistake.
Kelp loses $292 million. Before the hack, every rsETH was backed 1-to-1 by real ETH staked at Kelp. After the hack, the supply was inflated by 18 percent but the backing was not. Every rsETH in existence, including tokens held by people who bought them legitimately months ago, is now only partially backed. The token's market price collapses accordingly.
Aave loses up to $196 million. The attacker walked out with 80,000 real ETH they will never repay. The "collateral" Aave is holding, the counterfeit rsETH, cannot be sold or redeemed for anywhere close to $196 million because its backing has been destroyed. Aave depositors absorb the loss.
The immediate reaction
Over the weekend, panicked depositors pulled $9.4 billion out of Aave. Deposits fell from $26.4 billion to around $17 billion. The AAVE token fell close to 20 percent. Every dollar of ETH that had been deposited on Aave was lent out or withdrawn. Anyone who tried to withdraw was told to wait. No one knew for how long. A classic run-on-the-bank scenario. Everyone wanted to get their deposited ETH out first. No one wanted to be the last person standing when there was no more ETH left to distribute.
The good news is that Aave has a safety insurance fund called Umbrella, designed for exactly this scenario. The bad news is it only holds about $50 million, and the bad debt is roughly $196 million. That leaves a $146 million gap that someone has to fill.
What happens next at Aave
Aave will recover something from the rsETH collateral it still holds, either by redeeming it at Kelp or selling it on the open market. But with rsETH's backing destroyed and its market price well below peg, any recovery will be at a steep discount. It will soften the damage, not erase it.
The rest of the losses will have to come from somewhere. Depositors who staked into the Umbrella fund itself (which they did because it paid extra interest in exchange for absorbing risk) will likely lose their deposits, covering about $50 million. Ordinary ETH depositors may lose a portion of their deposits to cover whatever remains. AAVE token holders could be cut. The community might vote to pay from the treasury. Might.
The 3 hidden costs of cheapest rates
Most people compare lending rates on a spreadsheet. On paper, DeFi usually wins. In practice, the headline rate leaves out three costs that only show up under stress, and stress.
The wrong framing
I am not saying that CeFi lenders are better than DeFi solutions across the board. The centralized side of the industry has its own graveyard: Celsius, Voyager, BlockFi, FTX, BlockFills. What failed there was not centralization itself but opaque rehypothecation, where a lender quietly redeployed customer collateral into yield-bearing positions that blew up under stress (or in certain cases, simple theft). What failed at Aave this weekend was different in mechanism but similar in effect. Aave did not reuse anyone's collateral. Aave accepted a collateral token whose backing was a claim from a bridge that turned out to be forgeable. Different failure mode, similar result for borrowers.
What I'm saying is simply that the idea that DeFi is inherently safer because no central party can steal your funds is inherently wrong. The incentive to breach a DeFi protocol sits in public view at all times, denominated in billions. Attackers are constantly trying, and sometimes they win. In those cases, borrowers lose.
The right framing
The real question is not DeFi versus CeFi. The real question is whether your collateral is transparent, segregated, and insulated from someone else's bad day.
APX is built on that question. Every Bitcoin or Ethereum we take as collateral sits in cold storage at BitGo Trust, one of the most regulated custodians in the industry. The wallet address holding the Bitcoin that backs your specific loan is visible from your APX dashboard and on the blockchain 24/7. You can open a blockchain explorer and verify the balance independently of us, at any time. We do not rehypothecate your Bitcoin. It is not relent. It is not reused. It does not become someone else's collateral in a stack of tokens whose backing you cannot audit. And we are approved and report into the Canadian Securities Administrators. Your Bitcoin also remains legally yours for the entire life of the loan. We take a security interest in it, the way a bank takes a lien on a house, but legal title never transfers to us. Our rates start at 9.99%, fixed for the life of the loan. They do not move to 15% because a bridge got exploited on a Saturday. You can repay on a known schedule with no spikes in smart contract fees, no pool limits, and no queue.
DeFi rates may be cheaper in a best-case calm week but the premium is what you pay for knowing and seeing your collateral still there on the worst day.
Balance, not purity
I am not telling anyone to avoid DeFi. I am saying the prudent move for any serious borrower is not to put all your holdings in the cheapest basket. It is to spread exposure across venues. Some capital where you want DeFi's rates, knowing the tail risk is a misconfiguration buried three protocols deep. Some capital where the custody is segregated, visible on-chain, regulated, and insulated. Chasing the lowest rate across your entire book is not a portfolio. It is a concentrated bet that nothing will break. If that resonates, the APX team would welcome a conversation. We will walk you through exactly where your collateral would sit, how to verify it on-chain yourself, and what our structure looks like under the hood.
Book a call with our team today
APX Lending is a crypto-backed lender operating in the US, Canada, and globally. APX Lending does not offer financial or tax advice. We strongly encourage you to consult with a certified financial or tax professional for guidance on any related inquiries you may have.
.png)
.webp)
