How does DeFi balance risk and return?
Author: Tom Dunleavy
Compiled by: Jiahua, ChainCatcher
The $292 million cross-chain bridge vulnerability on KelpDAO triggered a chain reaction through Aave, draining $13 billion in DeFi TVL within 48 hours.
If you earn a 5% yield on USDC in a money market, the relevant question is not whether DeFi is risky, but whether the risks you are taking are adequately compensated. Let's answer that question with bond mathematics.
Two weeks ago, attackers stole $292 million from KelpDAO through a compromised LayerZero cross-chain bridge. The stolen rsETH was then redeposited into Aave V3 as collateral, leaving approximately $196 million in bad debt on Aave's balance sheet, with TVL plummeting from $26.4 billion to $17.9 billion in three days.
Two weeks before that, Solana's Drift protocol lost $285 million after North Korean hackers obtained an admin key, a social engineering attack that had been in preparation since the fall of 2025.
In three weeks, the permanent losses from these two incidents totaled $577 million. Aave's USDC market sat at 99.87% utilization for four consecutive days, with borrowing rates soaring to 12.4%. Circle's chief economist Gordon Liao submitted a governance proposal to quadruple the borrowing limit, merely to clear the withdrawal queue.
For someone who was providing stablecoins to the DeFi money market at yields of 4% to 6% a month ago, one question stands out: Were those yields ever reasonable?
Whether we have been adequately compensated for the risks taken in DeFi, and where future spreads should be set, are worth exploring in depth.
How Traditional Finance Prices Risk
The yield on every corporate bond is a sum of risk compensations. The core formula for this derivation is:
Yield = Rf + [PD x LGD] + Risk Premium + Liquidity Premium
Rf is the risk-free rate, benchmarked against government bonds with matched maturities. PD x LGD represents expected loss: the probability of default multiplied by the loss given default, where LGD equals 1 minus the recovery rate.
The risk premium compensates for the uncertainty of expected losses—two bonds with identical PD and LGD will still be priced differently if one has a greater volatility of potential outcomes. The liquidity premium compensates for exit costs.
Long-term data from Moody's since 1920 provides a benchmark:
The long-term average annual default rate for U.S. speculative-grade bonds is 4.5%; the current trailing rate is 3.2% and is expected to rise to 4.1% by Q1 2026. The historical recovery rate for senior unsecured high-yield bonds has clustered around 40%, giving an LGD of about 60% and, on long-term averages, an expected loss of 2.7% per year for high-yield bonds.
In private credit, KBRA expects a 3.0% default rate for direct loans in 2026, with a recovery rate of about 48%. Historical recovery rates for senior secured leveraged loans have been between 65% and 75%.
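The decomposition above can be run as arithmetic. The following Python block is an added worked example, not code from the article or its author: it implements Yield = Rf + PD x LGD + Risk Premium + Liquidity Premium, applies it to the Moody's and KBRA figures quoted in the text (PD 4.5% and recovery 40% for speculative grade; PD 3.0% and recovery 48% for direct loans; 10-year Treasury at 4.29%), and adds two checks a lender would want: the residual premium an observed yield actually pays above Rf and expected loss, and the break-even default rate at which a yield stops covering expected loss. The risk and liquidity premium values in the two scenarios, and all function names, are assumptions for illustration.

```python
"""Corporate bond yield decomposition, added here as a worked example (not the
article's code):  Yield = Rf + PD x LGD + Risk Premium + Liquidity Premium.
Default and recovery inputs are the Moody's / KBRA figures quoted in the text;
the premium values in the scenarios are assumed for illustration."""


def loss_given_default(recovery_rate: float) -> float:
    """LGD = 1 - recovery rate (both expressed as fractions of par)."""
    if not 0.0 <= recovery_rate <= 1.0:
        raise ValueError("recovery rate must lie in [0, 1]")
    return 1.0 - recovery_rate


def expected_loss(pd: float, recovery_rate: float) -> float:
    """Annual expected loss = probability of default x loss given default."""
    if not 0.0 <= pd <= 1.0:
        raise ValueError("PD must lie in [0, 1]")
    return pd * loss_given_default(recovery_rate)


def fair_yield(risk_free: float, pd: float, recovery_rate: float,
               risk_premium: float, liquidity_premium: float) -> float:
    """Required yield; every term is an annual rate as a fraction (0.05 = 5%)."""
    return (risk_free + expected_loss(pd, recovery_rate)
            + risk_premium + liquidity_premium)


def residual_premium(observed_yield: float, risk_free: float,
                     pd: float, recovery_rate: float) -> float:
    """What an observed yield pays above Rf and expected loss, i.e. the risk
    plus liquidity premium the market is actually offering.  A negative value
    means the yield does not even cover expected loss."""
    return observed_yield - risk_free - expected_loss(pd, recovery_rate)


def breakeven_default_rate(observed_yield: float, risk_free: float,
                           recovery_rate: float) -> float:
    """Highest annual PD at which the spread over Rf still covers PD x LGD,
    leaving nothing for uncertainty or illiquidity."""
    lgd = loss_given_default(recovery_rate)
    if lgd == 0.0:
        return float("inf")  # nothing is ever lost, so any PD breaks even
    return max(0.0, (observed_yield - risk_free) / lgd)


def moodys_high_yield_scenario() -> dict:
    """Long-run U.S. speculative grade: PD 4.5%, recovery 40%, Rf 4.29%
    (all from the text); risk and liquidity premia are assumed."""
    rf, pd, rec = 0.0429, 0.045, 0.40
    rp, lp = 0.015, 0.005  # assumed premia for illustration
    return {"lgd": loss_given_default(rec),
            "expected_loss": expected_loss(pd, rec),
            "fair_yield": fair_yield(rf, pd, rec, rp, lp)}


def kbra_direct_loan_scenario() -> dict:
    """Direct loans: PD 3.0%, recovery 48% (from the text), Rf 4.29%; the
    larger assumed liquidity premium reflects illiquid private notes."""
    rf, pd, rec = 0.0429, 0.030, 0.48
    rp, lp = 0.015, 0.020  # assumed premia for illustration
    return {"lgd": loss_given_default(rec),
            "expected_loss": expected_loss(pd, rec),
            "fair_yield": fair_yield(rf, pd, rec, rp, lp)}


if __name__ == "__main__":
    for name, s in (("Moody's high yield", moodys_high_yield_scenario()),
                    ("KBRA direct loan", kbra_direct_loan_scenario())):
        print(f"{name}: LGD {s['lgd']:.0%}, expected loss "
              f"{s['expected_loss']:.2%}, fair yield {s['fair_yield']:.2%}")
```

The break-even function is the one to keep at hand: feed it any observed yield, the matching risk-free rate and a recovery assumption, and compare the result with the default rate you actually expect; if the expected PD is above break-even, the yield is not covering expected loss, let alone paying a premium.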
What Today's Market Yields Look Like
Let's look at today's actual data. The 10-year Treasury closed at 4.29% on Wednesday. As of April 2026, the option-adjusted spreads of the ICE BofA credit stack (a measure of how much more a bond yields than government bonds, reflecting the extra risk it carries) are as follows:

The pattern is straightforward. From government bonds to investment grade, then to speculative grade, and finally to subprime commercial real estate, yields step up to compensate for rising probability of default and severity of loss.
Direct loans yield around 9%, not because the underlying borrowers default more often, but because the liquidity premium for holding illiquid private notes is real and visible.
Now consider where Aave's USDC rate stood before the Kelp incident: around 5.5%, priced between investment-grade and single-B high-yield bonds.
Morpho's curated, actively managed vaults yield around 10.4%. These two numbers cannot both be the correct price for the same underlying risk.
DeFi Has Three Types of "Defaults" Not Found in Traditional Finance
Traditional credit defaults are dull: borrowers fail to pay interest, bondholders trigger acceleration, followed by restructuring, asset sales, and negotiations on recovery amounts.
DeFi has no such workout process; what it has are exploits. There are three distinctly different failure modes:
Mode 1. Smart Contract Vulnerabilities
Code defects: reentrancy, input validation errors, missing access control. Attackers drain the liquidity pool. For directly exploited protocols, the historical recovery rate, counting funds returned by white-hat hackers, is between 5% and 15%; when North Korean hackers are involved it is essentially zero.
The Poly Network attacker returned the entire $611 million in 2021, apparently as a lark. The recoveries of $625 million at Ronin and $325 million at Wormhole happened because Sky Mavis and Jump Trading backed them with their own balance sheets: that is not asset recovery, it is a shareholder bailout.
Mode 2. Oracle Manipulation and Governance Attacks
Price feeds are compromised, usually by manipulating thinly traded DEX pools, producing bad debt. Alternatively, attackers accumulate governance tokens and drain the treasury through a malicious proposal. Beanstalk lost $182 million this way in 2022.
Such attacks can often be partially reversed through protocol-level intervention, but lenders' claims on the "assets" often turn out to be claims on worthless tokens.
Mode 3. Composability Cascading Effects
This is KelpDAO's failure mode and the most dangerous one, because it is the hardest to audit. Protocol A issues a liquid staking or re-staking token, protocol B accepts that token as collateral, and protocol C bridges it to another chain. A vulnerability at any link in the chain can leave downstream positions orphaned.
The attackers did not need to breach Aave; they breached rsETH, and Aave's lenders bore the bad debt.
These three modes share one trait that separates DeFi from every traditional credit market: once a problem arises, it can blow up within minutes, not over several quarters.
There is no renegotiation of contracts and no DIP financing (debtor-in-possession financing: new money raised under bankruptcy protection to keep operating until the restructuring completes, with priority of repayment); the smart contract simply executes.
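The "protocol A issues, protocol B accepts as collateral, protocol C bridges" chain can be written down and queried, which is how a lender would size its exposure before an incident rather than after. The Python block below is an added example, not the article's code or any protocol's tooling: it models the dependency chain as a directed graph, and, given one compromised link, lists every downstream position that depends on it, totals the value exposed, and reports whether a position's exposure runs through a bridge. The node names, edges and USD amounts are constructed for illustration and are not the real Kelp or Aave figures.

```python
"""Composability exposure map, added here as an example (not the article's
code).  Models issuer -> collateral acceptor -> bridge -> downstream lender as
a dependency graph and answers: if this link fails, which positions are
orphaned and how much value do they carry?  All names and amounts are
constructed for illustration, not the real Kelp/Aave figures."""
from collections import deque

# Constructed graph.  Edge u -> v means "v depends on u": v accepts u's token
# as collateral, or v holds a bridged representation of u.
DEPENDENCIES = {
    "LST":            ["restake:rsT"],                  # liquid staking token
    "restake:rsT":    ["bridge:rsT->L2", "lend:A/rsT"],  # re-staking token on it
    "bridge:rsT->L2": ["lend:B/rsT-L2"],                 # bridged form on chain 2
    "lend:A/rsT":     [],                                # mainnet lending market
    "lend:B/rsT-L2":  [],                                # L2 lending market
}

# Constructed USD value each position carries against the token upstream of it.
EXPOSURE_USD = {
    "lend:A/rsT": 120_000_000,
    "bridge:rsT->L2": 50_000_000,
    "lend:B/rsT-L2": 30_000_000,
}


def downstream(graph: dict, compromised: str) -> set:
    """Every node reachable from the compromised link (BFS; safe on cycles)."""
    if compromised not in graph:
        raise KeyError(f"unknown node {compromised!r}")
    seen, queue = set(), deque([compromised])
    while queue:
        for dep in graph.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def exposed_value_usd(graph: dict, exposure: dict, compromised: str) -> int:
    """Total value of positions orphaned if the compromised link fails."""
    return sum(exposure.get(n, 0) for n in downstream(graph, compromised))


def contagion_paths(graph: dict, source: str, target: str) -> list:
    """All simple paths from source to target: the audit surface a lender must
    review before trusting a collateral token derived from source."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for dep in graph.get(node, []):
            if dep not in path:  # skip cycles
                walk(dep, path + [dep])

    walk(source, [source])
    return paths


def crosses_bridge(graph: dict, source: str, target: str) -> bool:
    """True if every path from source to target passes through a bridge node,
    i.e. the position carries the cross-chain exposure priced separately
    in the article's framework."""
    paths = contagion_paths(graph, source, target)
    return bool(paths) and all(
        any(n.startswith("bridge:") for n in p) for p in paths)


if __name__ == "__main__":
    for link in ("LST", "restake:rsT", "bridge:rsT->L2"):
        total = exposed_value_usd(DEPENDENCIES, EXPOSURE_USD, link)
        print(f"{link} compromised: ${total:,} exposed across "
              f"{sorted(downstream(DEPENDENCIES, link))}")
```

The point of the walk is that exposure is transitive: a lending market that never touched the bridge still shows up as downstream of the re-staking token, which is exactly why the KelpDAO loss landed on Aave's lenders.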
Code is law—when the code fails, the losses are almost catastrophic.
The bad debt on rsETH in Aave V3 skyrocketed from zero to $196 million in just four hours. In contrast, the median time from the first sign of stress to completion of restructuring for BB-rated defaults is 14 months.
Data Says DeFi Has Become Safer? Not So Simple
The traditional narrative begins to falter here. Chainalysis recorded a stunning divergence in its mid-year update for December 2025: although DeFi's TVL recovered from $40 billion at the beginning of 2024 to a peak of about $175 billion in October 2025, DeFi-specific hacking losses remained near their 2023 lows.
Of the $3.4 billion in cryptocurrency stolen in 2025, most was concentrated in centralized exchange breaches (Bybit alone accounted for $1.5 billion) and personal wallet compromises (44% of the total value stolen, up from 7% in 2022).

Data Source: Chainalysis 2025 and 2026 Cryptocurrency Crime Reports
If you only look at Chart 02, you would conclude that DeFi is becoming safer. That is partially correct: smart contract audits have matured, bug bounty programs such as Immunefi now protect over $100 billion of user funds, and cross-chain bridge architectures are slowly adopting time locks and multi-party verification.
But 2026 tells a different story. On April 1, Drift lost $285 million, and on April 18, KelpDAO lost $292 million: two nine-figure losses within 18 days, both targeting weaknesses in composability rather than the core lending primitives.
Relative to average TVL, the annualized loss rate for DeFi in recent years has been approximately:
2024: DeFi-specific losses of about $500 million on average TVL of $75 billion = annual loss rate of 0.67%
2025: DeFi-specific losses of about $600 million on average TVL of $120 billion = annual loss rate of 0.50%
2026 to date (annualized): single-event losses of about $577 million in the second quarter on TVL of $95 billion = if this pace continues, the annual loss rate could reach 2.0% to 2.5%
Assume a forward annual probability of default (PD) of 1.5% to 2.0% for quality DeFi lending and a 90% loss given default (LGD), consistent with the 5% to 15% average recovery from direct exploits when no external balance sheet is willing to backstop. The expected loss is then 1.35% to 1.80% per year.
That is already higher than high-yield bonds, and it does not yet include the premiums for uncertainty, illiquidity, regulatory asymmetry and the structurally unique contagion risk of composability.
What Should DeFi Yields Be
This is where bond mathematics truly comes into play. I will price a fair yield for a hypothetical quality DeFi stablecoin deposit: specifically, an over-collateralized USDC lending position on Aave or Compound on the Ethereum mainnet, lent to retail and quantitative borrowers.

The fair-value yield is built upward from the 10-year Treasury benchmark. The framework follows the Duffie-Singleton credit spread decomposition, adapted for DeFi-specific failure modes.
Details of each component:

Risk component                                         Premium
Risk-free benchmark (10-year U.S. Treasury)             4.30%
Expected loss (probability of default x loss rate)     +1.50%
Oracle manipulation risk                               +0.75%
Governance/admin key risk                              +1.00%
Cross-chain cascading risk (Kelp-style events)         +1.25%
Regulatory asymmetry risk                              +1.25%
Stablecoin de-pegging risk                             +0.50%
Liquidity premium                                      +0.50%
Model uncertainty premium                              +1.50%
= Fair yield floor                                     12.55%
Therefore, for quality DeFi stablecoin deposits on mainstream protocols, the rate floor should not be below 13%. Positions with explicit insurance (Nexus Mutual coverage, Umbrella-style protocol reserves) can be slightly lower, while those involving long-tail protocols, newly deployed markets, or re-staking and cross-chain infrastructure exposure should be higher.
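Both the realised loss rates (losses divided by average TVL, annualised) and the fair-yield stack above are simple enough to reproduce, and doing so makes it easy to test any quoted yield against the floor. The Python block below is an added worked example, not the article's code: it recomputes the 2024, 2025 and 2026 loss rates, the forward expected-loss band from the PD range and 90% LGD, and the 12.55% floor as the sum of the table's components, then reports how far an observed yield falls short and which layers of the stack it actually pays for. The loss and TVL figures and the premium values are the article's; the year fraction used to annualise 2026, the top-down order in which a yield is assumed to "cover" layers, and all function names are assumptions for illustration.

```python
"""DeFi loss rate and fair-yield floor, added here as a worked example (not
the article's code).  Loss/TVL figures and premium values are the article's;
the 2026 year fraction and the layer-coverage walk are assumptions."""
from dataclasses import dataclass


def annualized_loss_rate(losses_usd: float, avg_tvl_usd: float,
                         year_fraction: float = 1.0) -> float:
    """Losses as a fraction of average TVL, scaled to a full year."""
    if avg_tvl_usd <= 0:
        raise ValueError("average TVL must be positive")
    if not 0.0 < year_fraction <= 1.0:
        raise ValueError("year fraction must lie in (0, 1]")
    return losses_usd / avg_tvl_usd / year_fraction


def expected_loss_range(pd_low: float, pd_high: float, lgd: float) -> tuple:
    """Forward expected-loss band for a PD band at a fixed LGD (PD x LGD)."""
    if not 0.0 <= pd_low <= pd_high <= 1.0 or not 0.0 <= lgd <= 1.0:
        raise ValueError("PD band and LGD must lie in [0, 1]")
    return pd_low * lgd, pd_high * lgd


@dataclass(frozen=True)
class Component:
    name: str
    bps: int  # premium in basis points; 1 bp = 0.01%


# The article's fair-yield stack, in the order the table lists it.
FAIR_YIELD_STACK = (
    Component("risk-free benchmark (10-year U.S. Treasury)", 430),
    Component("expected loss (PD x LGD)", 150),
    Component("oracle manipulation risk", 75),
    Component("governance/admin key risk", 100),
    Component("cross-chain cascading risk", 125),
    Component("regulatory asymmetry risk", 125),
    Component("stablecoin de-pegging risk", 50),
    Component("liquidity premium", 50),
    Component("model uncertainty premium", 150),
)


def fair_yield_floor_bps(stack=FAIR_YIELD_STACK) -> int:
    """Sum of all component premiums, in basis points."""
    return sum(c.bps for c in stack)


def compensation_gap_bps(observed_yield_bps: int, stack=FAIR_YIELD_STACK) -> int:
    """Positive: the observed yield falls short of the floor by this many bp."""
    return fair_yield_floor_bps(stack) - observed_yield_bps


def covered_components(observed_yield_bps: int, stack=FAIR_YIELD_STACK) -> list:
    """Walk the stack top-down (an assumed priority order) and return the
    components an observed yield fully pays for before it runs out."""
    remaining, covered = observed_yield_bps, []
    for c in stack:
        if remaining < c.bps:
            break
        remaining -= c.bps
        covered.append(c.name)
    return covered


def realised_loss_rates() -> dict:
    """The article's 2024, 2025 and 2026-to-date figures.  2026 is annualised
    over an assumed quarter (year_fraction=0.25), since the text states a
    pace rather than a period."""
    return {
        2024: annualized_loss_rate(500e6, 75e9),
        2025: annualized_loss_rate(600e6, 120e9),
        2026: annualized_loss_rate(577e6, 95e9, year_fraction=0.25),
    }


if __name__ == "__main__":
    for year, rate in realised_loss_rates().items():
        print(f"{year}: realised loss rate {rate:.2%}")
    lo, hi = expected_loss_range(0.015, 0.020, 0.90)
    print(f"forward expected loss {lo:.2%} to {hi:.2%}")
    print(f"fair yield floor {fair_yield_floor_bps() / 100:.2f}%")
    for label, y in (("Aave USDC pre-Kelp", 550), ("Morpho curated", 1040)):
        print(f"{label} at {y / 100:.2f}%: gap {compensation_gap_bps(y)} bp, "
              f"covers {covered_components(y)}")
```

Working in basis points keeps the sums exact; at 5.5% the walk covers only the risk-free layer and runs out 120 bp into expected loss, which is the arithmetic behind the claim that such a deposit is priced like BB credit while carrying worse-than-CCC technical risk.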
Core Conclusions
First, demand fair compensation. If you lend USDC to DeFi at 5%, you are pricing it as BB-rated credit risk while taking on technical and composability risk worse than CCC-rated.
The 9% to 12% yields in curated vault markets like Morpho are closer to a fair price, although they raise their own questions about manager selection and transparency.
Second, move up the capital stack (the stack runs from senior secured debt down to common equity; the higher the repayment priority, the lower the risk taken).
Over-collateralized lending against blue-chip collateral (ETH, wBTC, proven LSTs), with oracle redundancy, protocol-level insurance and no cross-chain exposure, is the true investment grade of DeFi, and its required risk premium will be significantly lower than the estimates in the framework above.
Third, price tail risks correctly.
The KelpDAO exploit is not a black swan; it is a foreseeable failure mode of an increasingly fragile multi-chain architecture built on bridged re-staking infrastructure. Drift is the same story with a different protagonist.
The second quarter of 2026 has already produced $577 million in permanent losses, and a blended DeFi yield of 5.5% carries catastrophic drawdown risk that the yield cannot compensate for.
DeFi is not uninvestable; it is simply mispriced at the top of the order book. The opportunity for institutions is real, but limited to those who either demand framework-backed risk premiums or scrutinize individual protocols with the same rigor they apply to private credit.
Depositing stablecoins into mainstream lending platforms and passively accepting the published yield is a carry bet disguised as a risk-free rate.