Tiger Research: DeFi Lending Is Becoming Modular, But the Risk Isn't

This article is written by Tiger Research. As institutional investors enter the on-chain lending market, DeFi is moving away from a single shared liquidity pool architecture towards a new structure featuring risk isolation and specialized operational layers.

Key Takeaways

• The Lehman crisis and the Kelp DAO incident exposed the same structural flaw: a single shared liquidity pool architecture amplifies the risk of a single asset, turning it into a systemic crisis. Traditional finance's response was to separate each functional layer of the financial system.
• The DeFi ecosystem is moving in the same direction, building a modular architecture centered on risk isolation.
• This shift has accelerated as RWA assets begin to flow on-chain.
• In a modular architecture, the ability of the operational layer, which actually manages the product, becomes a key differentiating factor.

1. The Lesson of the Lehman Crisis

In September 2008, the collapse of Lehman Brothers triggered an unprecedented crisis, with the Reserve Primary Fund (RPF), the third-largest money market fund globally, suspending all redemptions in a single day.

At the time, RPF's investment in Lehman Brothers debt only accounted for 1.2% of its assets under management. Lehman Brothers' bankruptcy made this 1.2% of debt unrecoverable, causing the fund's total asset value to fall from 100% of par to 98.8%. This was enough to break the money market fund industry's fundamental principle of maintaining a fixed net asset value of $1 per share. The fund's per-share value dropped below $1, to $0.97.

After the principal loss emerged, panic spread almost immediately. Fear that waiting would lead to greater losses triggered an unprecedented bank run, with redemption requests reaching $40 billion within two days. Unable to withstand such immense pressure, the fund froze its assets and stopped all withdrawals.

The Lehman Brothers bankruptcy forced a comprehensive restructuring of traditional capital markets. In the money market fund space, guidelines for risk-tiered liquidity buffers and redemption limits were thoroughly reformed. In the hedge fund space, the industry learned from the lesson of Lehman’s rehypothecation risk, where a single prime broker centrally held client assets.

Consequently, assets and credit were no longer concentrated with a single intermediary but were structurally adjusted. Separating execution infrastructure from risk management and distributing risk exposure across multiple prime brokers became the global standard for risk isolation. It was on this institutional guarantee of separating infrastructure from risk to contain contagion that the asset management industry was able to rebuild operational trust and resume growth.

2. How Traditional Capital Markets Solved This Problem

In 2014, the U.S. Securities and Exchange Commission restructured the money market fund (MMF) framework. Funds were classified based on their capital nature, with different standards applying to each class. This aimed to prevent a run or bankruptcy in one fund class from spilling over into other fund types or the entire system, with each class having its own dedicated buffer mechanism.

The core philosophy behind traditional finance's risk control methods is separation. Power is dispersed to avoid risk concentration in any single link, and independent verification is introduced at every stage of capital flow.

The prime brokerage business in capital markets best exemplifies this principle. Investment decisions rest with the hedge fund, while risk oversight is exercised by the broker. These two functions are deliberately separated. In traditional lending markets, the same logic applies: credit assessment, underwriting, collateral management, and custody are handled by different, independent institutions.

However, when asset management and lending began migrating to DeFi, the multi-layered intermediary structure built by traditional finance was compressed into a single layer. Early DeFi protocols focused on eliminating the intermediaries required for this separation, encoding the relevant mechanisms directly into smart contracts and automating processes previously handled by multiple parties.

3. From Shared Pools to Modular Architecture

Early DeFi's approach of compressing all lending mechanisms into a single smart contract lowered intermediary costs but also concentrated all risks within a single protocol. Since credit assessment, underwriting, and collateral management ran on the same codebase rather than as independent functions, a default or liquidation failure for a single asset could directly paralyze the entire system's liquidity.

This potential contagion risk forced protocol governance to conservatively set risk parameters. Assets with short track records or high volatility, and anything other than Bitcoin and Ethereum, were structurally excluded from collateral eligibility. Compressing functions into a single contract ironically led to reduced capital efficiency: asset diversity was limited, and market access was constrained.

Silo Finance addressed the risk concentration of unified pools by introducing independent lending pools for each asset. By confining price manipulation or value crashes within a single collateral pool and preventing risk from spreading to other pools, Silo demonstrated that governance approval thresholds could be lowered and new lending markets penetrated more quickly. This architecture showed that a single large pool could be broken up and risks isolated at the market level, also laying the groundwork for subsequent hierarchical modular structures.

This modular system, pioneered by Silo, became the foundational standard for on-chain lending, especially as RWA assets, including tokenized treasuries and private credit, began flowing onto the chain en-masse. Each RWA class has fundamental differences in trading hours, oracle reliability, regulatory requirements like KYC and AML, and liquidation procedures. The early shared pool model required managing such diverse assets with a single, uniform set of parameters, which was clearly infeasible.

This influx of real-world assets (RWA) created a need that went beyond simple asset isolation. It required transplanting the complex risk control frameworks of traditional finance into the on-chain environment. As assets diversified, the risks appearing on-chain also became increasingly complex. To control these risks, a structural separation was needed: on one side, an immutable infrastructure layer responsible for liquidation and settlement; on the other, an operational layer with real-time authority to adjust and assume risk parameters.

Early DeFi compressed the middle layer of finance into a single codebase. With the influx of RWAs and the maturation of the lending market, the development path changed: liquidation and settlement efficiency were delegated to the blockchain, while risk oversight authority was separated into an independent layer. To handle increasingly complex assets, on-chain lending ultimately formed an architecture similar to traditional financial systems (e.g., prime brokers and independent credit assessments), where investment and risk monitoring are separated. This modular architecture has become the new standard for the on-chain lending market.

4. Institutional-Grade Risk Isolation and Integration

Although the modular architecture originated within the DeFi ecosystem itself, it coincidentally aligned with the risk control standards demanded by institutional participants.

Morpho's decision to prioritize complete risk isolation at the base infrastructure layer, even at the cost of some capital efficiency, generated institutional demand. This demand became a tipping point, forcing other major lending protocols, especially those initially employing shared pool structures, to develop in the same direction.

4.1 Morpho Blue: The Prime Broker

Morpho initially started as an intermediary layer optimizing interest rates on top of first-generation DeFi lending protocols like Aave and Compound. In this model, it could not exist independently. In 2023, Morpho published the Morpho Blue whitepaper and launched Morpho Blue and Morpho Vaults in early 2024, formally declaring its independent operation.

This shift abandoned the structure where a single governance body made all market risk decisions, separating market creation and risk judgment from the protocol itself. This separation became the structural foundation for institutional participants to select and control risk according to their own compliance standards.

Architecture

• Morpho Blue: An immutable protocol. When a market is created, five parameters are fixed: collateral asset, borrow asset, liquidation loan-to-value ratio (LLTV), price feed, and interest rate model. Anyone can create a market permissionlessly. The protocol itself only executes the pre-written code.
• Morpho Vaults: A risk management layer where independent curators select eligible markets, set supply limits, and allocate funds. Each vault has a unique risk profile.
• Lenders: Depositors with varying risk tolerances, including DAOs, protocols, individuals, and hedge funds, choose vaults aligning with their situation and provide capital.

Traditional prime brokers typically perform four functions: clearing, custody, leverage provision, and risk monitoring. Morpho automates clearing and leverage provision at the protocol level via smart contracts. However, due to its non-custodial structure, it cannot provide the custodial environment institutional investors need to meet regulatory requirements. Thus, integration with external custodians like Coinbase or Anchorage is necessary.

Similarly, risk monitoring depends not on the protocol itself, but on each custodian's ability to select assets and manage risk exposure. This creates a persistent risk: the variable quality of custodians. The xUSD and Stream Finance incidents in 2025 directly exposed this vulnerability. Multiple Morpho vaults held xUSD exposure and incurred bad debt. These events led to much stricter scrutiny of curators' asset selection capabilities and real-time risk management, with institutional capital concentrating on top-performing curators like Steakhouse, Gauntlet, and Sentora.

Traditional brokerage integrates clearing, custody, leverage, and collateral management into one institution. Morpho replaces this with a division-of-labor model, distributing these functions among specialized participants within the ecosystem rather than centralizing them in a single entity.

Institutional adoption is occurring at scale, and it started with centralized exchanges.

• Coinbase: A USDC lending service built on Morpho Blue, curated by Steakhouse Financial.
• Binance: Adopted the same structure, with Steakhouse Financial and Gauntlet as curators.

Users click the 'Lend' button in the Coinbase or Binance app to get a loan. The world's two largest exchanges chose the same architecture. This model has also extended to traditional financial institutions.

• SG-FORGE: Deployed MiCA-compliant stablecoins EURCV and USDCV on Morpho.
• Apollo: Brought the private credit fund ACRED on-chain and used it as collateral on Morpho.
• Bitwise: Manages risk directly on top of Morpho Vaults.

If tokenization opened access to assets, Morpho opened pathways to turn those assets into productive capital. The trajectory Morpho has established is gradually revealing a new evolutionary direction that lending protocols, regardless of their starting point, find difficult to ignore.

4.2 Aave V4: The Universal Bank

Aave, initially named ETHLend as a peer-to-peer lending matching platform, evolved through Versions 1, 2, and 3, gradually transitioning to a shared liquidity pool architecture. In March 2026, Aave activated V4 on the Ethereum mainnet, a modular architecture. Unlike Morpho, which structurally separates infrastructure from operations, Aave V4 chose a hybrid model, controlling risk while maintaining liquidity efficiency.

Aave recognized the trade-off between risk isolation and capital efficiency. Moving towards risk isolation can contain the spread of bad debt but weakens liquidity network effects and reduces capital efficiency. V4's design aims to structurally address this trade-off.

Architecture

• Hub: The core layer consolidating liquidity and accounting. It assigns credit limits and borrow caps to each Spoke, limiting the liquidity extractable by any specific market. Basic risk firewalls consist of these Spoke limits and local parameters.
• Spoke: An independent lending market with unique parameters for each asset. If issues arise in a specific Spoke or asset, governance and risk managers can reduce exposure by adjusting the credit limit for that Spoke, capping new borrowing, or activating emergency controls. Because the maximum risk exposure is fixed by the credit limit, contagion's structural spread is inherently limited by design.

In traditional finance, this structure resembles a universal bank's internal credit limit allocation system. The head office assigns credit limits to each department; when a department faces trouble, the head office adjusts these limits to control the spread. The central Hub plays the role of the head office, while each Spoke operates like an independent business unit. Unlike Morpho's fully isolated model (where capital is strictly locked within each asset pair), this hub-and-spoke structure allows unused liquidity in one Spoke to be flexibly reallocated via the Hub's credit limits to more efficient Spokes. The result is higher capital efficiency.

This structure becomes a significant advantage in the RWA market. Nascent RWA markets often struggle to attract initial liquidity, but in Aave V4, the existing liquidity Hub can act as a seeding mechanism for new Spoke markets. By structuring a tokenized asset as an independent Spoke with a credit limit set on the Hub, the liquidity base of safer assets can be leveraged to launch new asset classes with lower startup costs, while keeping initial exposure within the credit limit.

Institutional adoption primarily revolves around Horizon. Initially a separate RWA lending instance built on Aave v3.3, Horizon's design philosophy is aligned with V4's direction of unified liquidity and risk separation. As Horizon's integration with V4's credit limit structure deepens, it is likely to become even more integrated as Aave's institutional RWA layer.

Horizon is designed to allow regulated tokenized treasuries, money market funds, and institutional funds as collateral for stablecoin borrowing, potentially expanding to asset classes like tokenized equities and ETFs.

Because approved institutional assets within Horizon are connected to the same institutional liquidity layer, any newly added RWA can immediately tap into the existing stablecoin liquidity.

The roles within this liquidity layer are divided as follows:

• Issuer: Manages investor access and KYC/AML allowlisting.
• Risk Manager (LlamaRisk): Handles RWA due diligence, risk frameworks, and parameter recommendations.
• Oracle (Chainlink): Provides on-chain price feeds.
• Protocol (Aave): Executes smart contracts.

In traditional Aave markets, adding a new asset requires deliberation and voting by the DAO governance committee, which slows down the process. Horizon separates these responsibilities: the issuer handles compliance per asset, LlamaRisk handles risk due diligence, and Chainlink handles price verification. This architecture allows for much faster institutional asset onboarding and risk adjustment compared to having all decisions pass through the DAO governance committee.

Morpho minimizes governance involvement and outsources market creation and risk management, choosing speed and optionality; Aave chose a different path, controlling governance delegation and sharing liquidity to maintain capital efficiency.

Both approaches are coherent solutions for transplanting traditional finance's risk allocation principles to the on-chain environment, but it remains to be seen towards which direction the RWA market will ultimately lean.

4.3 Euler V2: The Multi-Strategy Hedge Fund

In March 2023, Euler suffered a $197 million loss. The attack exploited a vulnerability in the smart contract code, and because multiple asset markets were linked within the same protocol's accounting and liquidation structure, the losses spread across several assets.

After approximately three weeks of negotiation, most of the stolen assets were recovered. Nevertheless, Euler chose to rebuild its architecture rather than just patch it, subsequently repositioning itself as a flexible institutional lending infrastructure.

Euler's drive into the RWA and institutional credit market is born from the insufficiency of traditional