Aave’s founder Stani Kulechov tried to shift the focus after a massive “bank run” on the protocol. In CoinDesk’s coverage, Kulechov blamed “third-party” entities for the vulnerabilities exposed by decentralized finance.
That argument runs into friction with what independent data shows, according to CoinDesk. The same reporting points to “severe gaps” in Aave’s own risk architecture.
Who Kulechov blamed, and why it matters
Kulechov’s central claim, as summarized by CoinDesk, is that DeFi’s weaknesses come from actors outside the protocol itself. In other words, the protocol’s stress did not originate from its core risk machinery alone.
That distinction matters because “third-party” explanations can cover a lot of ground. They can mean integrations, upstream services, or other parts of the DeFi stack that are not strictly the Aave smart contracts. The framing also sets up where responsibility should land if regulators or institutional risk teams start asking harder questions.
But the bigger question is whether those external factors were the only weak link.
Independent data challenges the resilience narrative
CoinDesk’s reporting says independent data highlights severe gaps in Aave’s own risk architecture. That directly undercuts the headline idea of “resilience.”
Risk architecture is not marketing language. It is the system that governs how borrowing and liquidity risks get priced, constrained, and managed under stress. If independent data finds gaps there, then a “third-party” defense does not fully answer what failed inside the protocol.
There is a practical consequence for users and counterparties. When risk controls do not behave as expected during extreme events, even the most active liquidity venues can become foot-guns. Assets in Aave are still assets with risk, and stress events can expose fragility fast.
The political problem: decentralized finance’s accountability maze
Kulechov’s “third-party” framing highlights a common accountability maze in DeFi. Protocol creators can argue they built the core system, but outages, exploits, or run dynamics can involve multiple layers: front ends, indexers, custody, wallets, or other integrations.
CoinDesk’s report, however, suggests the story is not cleanly external. The independent data it cites points back to Aave’s own risk design.
So the dispute is not just technical. It is about control. If the core risk architecture needs changes, governance deadlines and parameter tuning become the real battlefield.
What to watch next
CoinDesk’s piece is a reminder that “resilience” is not a one-time property. After a large bank run, the debate usually turns to specifics: what metrics were supposed to kick in, what constraints were meant to slow the bleeding, and what actually happened.
For readers tracking regulation and DeFi oversight, the takeaway is simple. When a founder blames outside entities, regulators and risk teams will still want the protocol’s internal risk story documented. If independent data shows “severe gaps,” that creates pressure for governance action, not just narrative cleanup.
Aave sits at the center of large pools of borrowed and lent assets. When a stress event reaches multi-billion-dollar scale, every explanation has to survive contact with the risk architecture, not just the blame game.