What is the fair interest rate for DeFi? Don't deposit below this number!

Original Author: Tom Dunleavy, Venture Capital Lead at Varys Capital

Compiled by Odaily (@OdailyChina);

Translator: Azuma (@azuma_eth)

A week ago, KelpDAO's rsETH bridge protocol, built on LayerZero, suffered a hack resulting in losses of $292 million. The stolen rsETH was subsequently deposited into Aave as collateral, leaving Aave with approximately $196 million in bad debt and triggering a $13 billion evaporation in total DeFi TVL.

Two weeks prior, Drift Protocol, a derivatives protocol on Solana, also lost $285 million due to a key leak caused by a social engineering attack from North Korean hackers.

These two incidents within three weeks caused a permanent loss of $577 million. USDC utilization on Aave remained above 99.87% for four consecutive days, with deposit rates spiking to 12.4%. Circle's Chief Economist, Gordon Liao, subsequently proposed a governance proposal to quadruple the borrowing cap, merely to alleviate the queue.

For users accustomed to earning 4%-6% yields by depositing stablecoins into DeFi lending markets, a critical question now arises — Are these yields still reasonable? Santiago R Santos raised this question on the Blockworks podcast a few weeks before the KelpDAO incident, and it warrants a deeper exploration: Have we been adequately compensated for the DeFi risks we've taken, and what should be a reasonable spread going forward?

How Traditional Finance Prices Credit Risk

The yield of every corporate bond is the sum of several risk premiums. The most critical formula for the analysis in this article is: Yield = Risk-Free Rate + (Default Probability × Loss Given Default) + Risk Premium + Liquidity Premium.

The Risk-Free Rate (Rf) is benchmarked against US Treasuries of matching maturity. “Default Probability × Loss Given Default” (PD × LGD) represents the expected loss, where LGD is calculated as “1 - Recovery Rate”. The Risk Premium compensates for the uncertainty of the expected loss — even if two bonds have the same PD and LGD, they will be priced differently if the distribution of potential outcomes is wider. The Liquidity Premium compensates for exit costs.

Long-term data from Moody's since 1920 provides a benchmark:

• US Speculative-Grade Default Rate: Long-term annual average of 4.5%; currently 3.2% over the past 12 months, projected to rise to 4.1% by Q1 2026;
• Unsecured High-Yield Bond Recovery Rate: Historically ~40%, corresponding to LGD ≈ 60%;
• High-Yield Bond Expected Loss: 4.5% × 60% = 2.7% per year (long-term average);
• Private Credit Default Rate: KBRA estimates 3.0% for 2026;
• Private Credit Recovery Rate: ~48% (KBRA 2023-2024 data); 
• Secured Leveraged Loan Recovery Rate: Historically ~65%–75%;

Current Traditional Finance Yield Ladder

Let's look at the current actual data. The 10-year US Treasury yield is 4.29%. As of April 2026, the spreads for various ICE BofA credit asset classes are as follows.

The overall pattern is intuitive: Yields increase as you move down the capital structure from government bonds to investment grade, then to speculative grade and sub-commercial real estate, compensating for higher default probability and loss severity. Direct lending yields are around 9%, not because default rates are significantly higher, but because holding illiquid private assets commands a genuine liquidity premium.

Now look at the USDC rates on Aave before the KelpDAO event, which were roughly 5.5%, a spread between investment-grade and B-rated high-yield bonds. Meanwhile, yields on Morpho (with curated vaults and manager screening) were around 10.4%. Both figures cannot accurately reflect the same underlying risk.

DeFi Has “Defaults” That Don't Exist in Traditional Finance

Traditional credit default is relatively straightforward: the borrower defaults, and the creditor can accelerate the debt's maturity, leading to restructuring and asset disposition. DeFi has no restructuring mechanism, only exploits. There are three main failure modes.

Mode 1: Smart Contract Vulnerabilities

Code has flaws (reentrancy attacks, input validation errors, lack of access control, etc.), allowing attackers to drain funds. Historical recovery rates: roughly 5%–15% if white hat hackers return funds; nearly 0% if North Korean hackers are involved.

The Poly Network (2021) attacker returning all $611 million is an extreme outlier. Losses from Ronin ($625 million) and Wormhole ($325 million) were covered by project teams / institutions, which is essentially shareholder bailouts, not recoveries.

Mode 2: Oracle Manipulation and Governance Attacks

Manipulating low-liquidity DEX pools to corrupt price sources, or governance attacks using malicious proposals to drain funds. Beanstalk lost $182 million this way in 2022. Such events are sometimes reversible, but creditors often end up with claims on “worthless tokens”.

Mode 3: Composability Contagion

This was KelpDAO's failure mode and the most dangerous because it is the hardest to audit.

• Protocol A issues LST / restaking tokens;
• Protocol B accepts them as collateral;
• Protocol C handles cross-chain bridging;

If any single component fails, all downstream assets become “orphaned”. Attackers don't need to target Aave; they only need to target rsETH.

What these three modes have in common is that once a problem occurs, the collapse happens in minutes, not quarters. There is no negotiation, no restructuring, no buffer. Code is law, and when the code is flawed, it means near-total loss. Bad debt for rsETH on Aave V3 went from $0 to $196 million in roughly 4 hours. In contrast, the median time from initial distress signals to restructuring for a traditional BB-rated default is 14 months.

What the Loss Data Reveals

A 2025 report from Chainalysis highlights an interesting phenomenon: While DeFi TVL grew from $40 billion in early 2024 to ~$175 billion by October 2025, specific DeFi attack losses approached the lows of 2023. The $3.4 billion in crypto theft in 2025 primarily stemmed from CEXs (Bybit alone accounted for $1.5 billion) and personal wallets (44%, up from just 7% in 2022).

If you only look at this chart, you might conclude that DeFi is becoming safer. This is partially true. Smart contract auditing has matured; bug bounty programs like Immunefi now protect over $100 billion in user funds; cross-chain bridge architectures are gradually implementing timelocks and multi-party verification.

However, the reality of 2026 tells a different story. On April 1st, Drift lost $285 million; on April 18th, KelpDAO lost $292 million. Two nine-figure incidents in 18 days, both targeting the fragility of composability rather than core lending primitives. Based on average TVL, the annualized loss rate for DeFi in recent years looks roughly like this:

• 2024: ~$500 million DeFi-specific losses / $75 billion avg. TVL = 0.67% annualized loss rate;
• 2025: ~$600 million / $120 billion avg. TVL = 0.50% annualized loss rate;
• 2026 YTD (annualized): Extrapolating from Q2 losses, ~$577 million / $95 billion TVL * 4 = approximately 2.0% to 2.5%;

If we assign a forward-looking annualized default probability (PD) of 1.5% to 2.0% to high-quality DeFi lending, and a Loss Given Default (LGD) of 90% (assuming average recovery from direct exploits is 5% to 15% without external balance sheet backstops), then the expected loss is 1.35% to 1.80% per year.

This level already exceeds high-yield (HY) bonds, and this doesn't even account for the additional premium required for uncertainty, illiquidity, regulatory asymmetry, and the structural contagion risk inherent in composability.

Building a DeFi Risk Premium from the Ground Up

From this point onward, we will apply a bond pricing approach to estimate a reasonable yield for a high-quality DeFi stablecoin deposit. Specifically, this refers to overcollateralized lending on Ethereum mainnet via Aave or Compound to retail and quantitative borrowers, denominated in USDC.

As illustrated above, starting from the 10-year US Treasury benchmark, we build up a reasonable yield. The framework is based on the Duffie-Singleton credit spread decomposition, adapted for DeFi's unique failure modes.

The components of this pricing model are as follows:

• Risk-Free Rate (10Y UST): +4.30%;
• Technical Expected Loss (PD × LGD): +1.50%;
• Oracle Manipulation Risk: +0.75%;
• Governance / Admin Key Risk: +1.00%;
• Composability Cascade Risk (similar to KelpDAO): +1.25%;
• Regulatory Asymmetry Risk: +1.25%;
• Stablecoin De-pegging Tail Risk: +0.50%;
• Liquidity Premium: +0.50%;
• Risk Premium (Model Uncertainty): +1.50%;

The final derived reasonable yield is at least 12.55%.

Therefore, for high-quality DeFi stablecoin supply on leading protocols, a reasonable interest rate should be no less than 13%. For positions with explicit insurance coverage (e.g., covered by Nexus Mutual, Umbrella-type protocol reserves), rates could be lower. For long-tail protocols, newly deployed markets, or exposures involving restaking and cross-chain structures, rates should be higher.

Conclusion

In summary, our conclusions are as follows.

First, demand reasonable compensation. If you lend USDC in DeFi at 5%, you are effectively pricing a risk that is technically and compositionally worse than CCC-grade at a BB-grade credit spread. The 9% to 12% yields on curated vault markets like Morpho are closer to a fair clearing price, although they introduce their own issues of manager selection and transparency.

Second, move up the capital structure. Overcollateralized lending based on high-quality collateral (ETH, wBTC, market-tested LSTs), with oracle redundancy, protocol-level insurance layers, and no cross-chain exposure, carries a significantly lower risk premium than the framework above. If directly accessible, this represents the “investment-grade assets” of DeFi.

Third, price tail risk correctly. The KelpDAO attack was not a black swan; it was a predictable failure mode within multi-chain, restaking structures. The Drift incident was fundamentally similar, just with different participants. Q2 2026 has already seen $577 million in permanent losses. A DeFi portfolio yielding a composite 5.5% has a catastrophic drawdown risk that this yield cannot cover.

DeFi is not uninvestable; it is mispriced at the top of the stack. Institutional-grade opportunities do exist, but only for capital allocators willing to either pay the risk premium outlined in this framework or underwrite specific protocols on a case-by-case basis, much like private credit. What is often called a “lazy trade” — depositing stablecoins into a top-tier money market and accepting its advertised yield — is essentially a carry trade disguised as a risk-free rate.