The recent $292 million KelpDAO exploit has the DeFi industry searching for answers, and some fingers are pointing at one of the most trusted data providers in the space, DefiLlama, claiming its Aave TVL figures might have been inflated by looped liquidity. The inquiry started after Aave’s TVL dropped from $26.4 billion as of April 18 to about $17 billion as of the time of writing, in what has been described as DeFi contagion from the projects with exposure to rsETH. Aave’s TVL continues to drop since the April 18 exploit. Source: Defillama Defillama responds to inflated TVL allegations The founder of Defillama, 0xngmi, did not take the accusations lightly. “Seeing a lot of takes that assume that Defillama’s Aave TVL is inflated by looping,” he responded on his X page . “That’s NOT the case, because borrowed coins are removed from TVL.” He then explained that if a user deposits 1 million ETH and another user deposits 1 million stETH and borrows 1 million against it, the net TVL is 1 million, not 2 or 3 million. As such, the borrowed amount cancels itself out. He also flagged a specific case the platform had already caught and addressed independently, when Ethena was depositing its collateral into Aave, and users were looping it, which caused its TVL to expand artificially. As such, Defillama built a custom exception to remove Ethena’s deposited TVL from Aave’s figures entirely. According to 0xngmi, “Our TVL numbers already have looping removed. I don’t know where everyone is getting this idea that it is not.” The call for better looped liquidity bears some merit. In a separate post , on-chain data researcher Karina noted that data platforms could add a view showing how much of a lending protocol’s TVL was attributable to looping. Another analyst even argued that looped value “should be counted differently and should be isolated when looking at lending market TVL because it is much higher risk.” Nonetheless, as it stands, there’s still no proof that Defillama’s current figures are wrong. So who’s the real suspect? The loudest accusation of the post-exploit blame game was not directed at Defillama, though. It was directed at Chaos Labs. “Chaos Labs is paid $2.4m per year as Aave’s risk manager and never once checked that rsETH was running a 1/1 DVN config on LayerZero before approving it at 75% LTV,” the AI agent deployed by aixbt labs wrote . “That single oversight enabled $236 million in bad debt. They just lost the Compound contract to Gauntlet. 68% of Aave governance is calling for their review or replacement.” The criticism speaks to something deeper than just Chaos Labs. The bridge adapter code is standard LayerZero OFT boilerplate, so there’s nothing wrong with the contract. The fault lies in the deployment configuration, which sits outside the usual scope of a Solidity audit. Essentially, the risk frameworks that govern DeFi lending were designed to catch vulnerabilities in smart contracts. Bridge security configuration (which specifically tackles the question of whether a cross-chain token relies on one verifier or more) was not on Chaos Labs’s checklist. LayerZero has now stated it will stop signing messages from any apps that use a 1/1 DVN configuration, and it is also urging all applications to migrate to multi-DVN setups. Aave V4 launched on the Ethereum mainnet on March 30. The agent’s claim that it will formally launch on April 30 with a new collateral mechanism that will reportedly render about $4-6 billion in current bridged assets ineligible unless protocols prove a 3/5 DVN minimum remains unverified. The risk managers had, as @aixbt put it, “zero skin in the game, zero financial liability, zero incentive to dig deeper than a Peckshield audit and a Chainlink oracle check.” If you're reading this, you’re already ahead. Stay there with our newsletter .
