April 21, 2026 · 4 min read

$13 Billion Walked Out of DeFi This Weekend

I bought a small position in Aave on Friday. (impeccable timing as you’ll see…)

The case was straightforward on the numbers.

Aave is the dominant lending platform in decentralized finance, generating roughly $130 million in annualized revenue, holding $320 million in treasury, and capturing close to three-quarters of all lending revenue in the sector. Total value locked had just hit an all-time high.

Aave DAO's State of the Union by ACI - Governance - Aave

If you strip away the crypto context and look at the financials the way you’d look at any other cash-generating business, the multiples looked reasonable and the market position looked durable.

By Saturday afternoon, an attack on infrastructure connected to Aave had cut my position by 20%. By Sunday morning, I had closed it and was rethinking how I think about this entire asset class.

The trade itself matters less than what it taught me about where accountability actually lives in this asset class.



What Happened

Aave is one of the largest lending platforms in crypto.

Users deposit assets, others borrow against them, and the protocol earns fees on the flow. On paper, it looks like a cash-generating business with real revenue and a long operating history. That was the pitch I was buying on Friday.

Over the weekend, attackers exploited a piece of infrastructure that connects to Aave but isn’t built by Aave. They created $292 million in fraudulent collateral on a separate piece of plumbing, deposited it on Aave, and borrowed real assets against it. Aave itself was never compromised. The protocol’s code performed exactly as it was designed to perform. The fraudulent collateral is now sitting in Aave’s lending pool with nothing behind it.

The response was instant. More than $8 billion walked out of Aave in 48 hours.

Roughly $5 billion in stablecoin deposits are currently frozen, not because anyone froze them, but because the withdrawal pools ran empty as users rushed the exit. The AAVE token dropped ~20% in 48 hours.

The depositors who couldn’t access their money didn’t find much comfort in the distinction between “Aave got hacked” and “a piece of infrastructure connected to Aave got hacked.” The functional result for them was the same.


This Isn’t a One-Off

The Aave event caps a stretch in which DeFi-related losses have already passed $750 million for the year, with nearly three-quarters of that concentrated in just two incidents.

The pattern across the ledger is the interesting part. In every major incident this year, the underlying blockchain worked exactly as designed. What failed was the layer around the blockchain: cross-chain bridges, cloud security keys, employee devices, domain registrations, oracle data feeds. The code held up, but the operational systems sitting on top of the code did not.

That inverts the way most people talk about crypto risk.

The technology works, though the human and infrastructure systems wrapped around it are where the exposure actually lives, and those systems have no referee, no insurance, and no one to call when things go wrong.


Why This Matters for Allocation

When a bank fails, the FDIC shows up. When a broker goes insolvent, SIPC steps in. When a fund manager makes a mistake, there’s a regulated custodian, an independent auditor, and a compliance function behind them.

None of those systems are perfect, though they all exist because every serious financial system eventually learns that someone needs to be on the hook when things go wrong.

DeFi removed those intermediaries by design… that was kinda supposed to be the feature. “Be your own bank,” they said.

The cost is that when something goes wrong, there’s no one to call. Aave’s backstop, if its emergency reserve runs short, is a vote among governance token holders. That mechanism has worked before, and it has also failed before. The variance is the risk.

The better trade, for investors trying to build crypto exposure into a serious portfolio, sits one layer above the protocols themselves.

Publicly traded intermediaries are increasingly using blockchain as plumbing while wrapping it in the compliance, custody, and legal accountability that institutional investors require.

  • Coinbase loans powered by smart contracts underneath.

  • BlackRock’s tokenized money market funds.

  • Apollo deploying private credit onchain.

The underlying infrastructure is the same across all of them, though what changes is the accountability wrapper, and the accountability wrapper is what determines whether a position belongs in a serious allocation.

BUFFETT FRAMEWORK QUESTION

“If this position collapses tomorrow, who do I call, and who is legally on the hook?”

If the answer is “a governance forum,” the return may still be worth the risk, but the risk is different from what it looks like on paper, and the position sizing should probably reflect that difference.


Where This Leaves Me

Nothing that happened this weekend changed my view of the underlying technology, which continues to perform as designed.

What became harder to ignore is the gap between the technology and the retail consumer product version of it, where individual users interact directly with permissionless protocols and there is genuinely no one on the hook when something goes wrong.

The picks and shovels trade in this cycle, in my reading, looks less like owning the protocols themselves and more like owning the regulated intermediaries building products on top of them, like Coinbase and (soon to be) Kraken. The asset managers running spot crypto ETFs. The Apollos and Bitwises making tokenization work for institutional allocators. The banks and custodians quietly integrating blockchain into their existing financial infrastructure.

Those businesses have phone numbers. They have shareholders. They have fiduciary duties. They’re the ones I’d build a serious allocation around.

Aave itself will probably recover. The AAVE token may well be a reasonable trade from here for someone with the right risk tolerance and time horizon, though it isn’t the position I’d want anchoring the crypto sleeve of a diversified portfolio.

2026 has been rife with hacks, and with the proliferation of AI tools and nefarious actors, I expect more to come, unfortunately. To that end, it’s important that you stay vigilant when using DeFi products and never leave so much on a platform to earn yield that another event like this would wipe you out.

Stay safe out there fam. 💙



Matthew Snider is the founder of Block3 Strategy Group, author of “Warren Buffett in a Web3 World,” and publisher of the BitFinance newsletter. He holds a Series 65 and MBA, and has been an active participant in digital asset markets since 2015. This article is for educational purposes only and should not be considered financial advice. Always consult with a qualified professional before making investment decisions.