What is the fair interest rate for DeFi? Don't deposit if it's lower than this number!

Original Author: Tom Dunleavy, Venture Capital Lead at Varys Capital

Compiled by Odaily (@OdailyChina);

Translated by Azuma (@azuma_eth)

One week ago, the rsETH bridge protocol built by KelpDAO on LayerZero was hacked, resulting in a loss of up to $292 million. Subsequently, the stolen rsETH was deposited into Aave as collateral, leaving approximately $196 million in bad debt on Aave's books, which in turn contributed to a $13 billion evaporation in total value locked (TVL) across the DeFi market.

Two weeks prior to that, the derivatives protocol Drift Protocol on Solana also suffered a $285 million loss due to a private key leak caused by a social engineering attack by North Korean hackers.

These two incidents within three weeks resulted in a permanent loss of $577 million. The USDC market on Aave experienced over 99.87% utilization for four consecutive days, with deposit rates surging to 12.4%. Circle's Chief Economist, Gordon Liao, subsequently proposed a governance motion to quadruple the borrowing limit, simply to alleviate the queue.

For users accustomed to depositing stablecoins in DeFi lending markets at rates of 4% - 6%, a critical question arises: Are these yields still reasonable? Santiago R Santos raised this question on a Blockworks podcast just weeks before the Kelp DAO incident, and it warrants deep discussion: Have we been adequately compensated for the DeFi risks we've assumed, and what should a reasonable risk spread be in the future?

How Traditional Finance Prices Credit Risk

The yield on every corporate bond is a sum of multiple compensations. The most crucial formula for the analysis in this article is: Yield = Risk-Free Rate + (Probability of Default × Loss Given Default) + Risk Premium + Liquidity Premium.

The Risk-Free Rate (Rf) is benchmarked against the yield of a comparable-maturity U.S. Treasury bond. "Probability of Default × Loss Given Default" (PD × LGD) represents the expected loss, where LGD is calculated as "1 - Recovery Rate." The risk premium compensates for the uncertainty of the expected loss – even if two bonds have the same PD and LGD, they will be priced differently if the distribution of potential outcomes is wider. The liquidity premium compensates for exit costs.

Moody's long-term data since 1920 provides us with benchmarks:

• U.S. speculative-grade bond default rate: Long-term annual average of 4.5%; currently 3.2% over the past 12 months, projected to rise to 4.1% by Q1 2026.
• Unsecured high-yield bond recovery rate: Historically ~40%, implying LGD ≈ 60%.
• Expected loss on high-yield bonds: 4.5% × 60% = 2.7%/year (long-term average).
• Private credit default rate: KBRA estimates 3.0% for 2026.
• Private credit recovery rate: ~48% (KBRA 2023-2024 data).
• Secured leveraged loan recovery rate: Historically ~65%–75%.

Current Yield Ladder in Traditional Finance

Let's look at the actual current data. The 10-year U.S. Treasury yield is 4.29%. As of April 2026, the spreads for various ICE BofA credit assets are as follows.

The overall pattern is intuitive: yields increase progressively as you move down the capital structure from government bonds to investment grade, speculative grade, and subordinated commercial real estate, compensating for higher default probability and loss severity. Direct lending yields are around 9%, not because default rates are significantly higher, but because the liquidity premium for holding illiquid private assets is real.

Now, consider the USDC rate on Aave prior to the Kelp DAO incident, which was approximately 5.5%. This sits between investment grade and single-B high-yield bonds. Meanwhile, yields on Morpho (which employs curated vaults for manager selection) were around 10.4%. These two numbers cannot simultaneously be correct for the same underlying risk.

DeFi Features 'Defaults' That Don't Exist in Traditional Finance

Traditional credit default is relatively straightforward: a borrower defaults, creditors can accelerate debt maturity, pursue restructuring, and sell assets. DeFi has no restructuring mechanism; it only has exploits. There are three primary failure modes.

Mode 1: Smart Contract Vulnerabilities

The code has flaws (reentrancy attacks, improper input validation, missing access controls, etc.), and an attacker drains the funds. Historical recovery rate: ~5%–15% if returned by white hats; ~0% if taken by North Korean hackers.

The Poly Network (2021) attacker returning all $611 million is an extreme outlier. Losses at Ronin ($625 million) and Wormhole ($325 million) were reimbursed by project teams/institutions, constituting shareholder bailouts, not recoveries.

Mode 2: Oracle Manipulation and Governance Attacks

Manipulating low-liquidity DEX pools to corrupt price feeds, or using a governance attack to pass a malicious proposal that empties protocol funds. Beanstalk lost $182 million this way in 2022. Some events of this type are partially reversible, but claims often end up being against 'worthless tokens'.

Mode 3: Composability Cascading Impact

This was KelpDAO's failure mode, and it's the most dangerous because it's the hardest to audit.

• Protocol A issues LST/restaking tokens.
• Protocol B accepts them as collateral.
• Protocol C handles cross-chain bridging.

If any single component fails, all downstream assets become 'orphaned'. An attacker doesn't need to attack Aave; they just need to attack rsETH.

The common thread across all three modes is that when a problem occurs, the collapse happens in minutes, not quarters. No negotiation, no restructuring, no buffer. Code is law, and a bug in the code means near-total loss. Aave V3's rsETH bad debt went from $0 to $196 million in about 4 hours. In contrast, the median time from stress signals to restructuring for a traditional BB-rated default is 14 months.

What Do The Loss Data Reveal?

Chainalysis's 2025 report notes an interesting phenomenon: despite DeFi's TVL growing from $40 billion in early 2024 to approximately $175 billion by October 2025, specific DeFi attack losses were near their 2023 lows. The $3.4 billion in crypto thefts in 2025 were primarily from CEXs (Bybit alone accounting for $1.5 billion) and personal wallets (44% vs. only 7% in 2022).

If you only look at this chart, you might conclude DeFi is becoming safer. This is partially correct. Smart contract auditing has matured; bug bounty programs like Immunefi now protect over $100 billion in user funds; cross-chain bridge architectures are gradually adopting time locks and multi-party validation.

But the reality of 2026 tells a different story. On April 1st, Drift lost $285 million; on April 18th, KelpDAO lost $292 million. Two nine-figure events in 18 days, both targeting weak points in composability rather than core lending primitives. Based on average TVL, the annualized loss rates for DeFi in recent years are roughly as follows.

• 2024: ~$500M DeFi-specific loss / $75B avg TVL = 0.67% annualized loss rate.
• 2025: ~$600M / $120B avg TVL = 0.50% annualized loss rate.
• 2026 YTD (annualized): If annualized from Q2 losses, ~$577M / $95B TVL * 4 = ~2.0% to 2.5%.

If we assume a forward-looking annualized probability of default (PD) for high-quality DeFi lending of 1.5% to 2.0%, and a loss given default (LGD) of 90% (average recovery for direct exploits is 5% to 15% without an external balance sheet to backstop losses), the expected loss is 1.35% to 1.80% per year.

This level already exceeds high-yield (HY) bonds, and this doesn't account for additional premiums for uncertainty, illiquidity, regulatory asymmetry, and the inherent contagion structure of composability.

Building DeFi Risk Premium from Scratch

From here, we apply modern bond pricing methods to try and determine a reasonable yield for a high-quality DeFi stablecoin deposit – specifically, over-collateralized lending in USDC on Ethereum mainnet to retail and quantitative borrowers through protocols like Aave or Compound.

As shown in the figure above, we start from the 10-year U.S. Treasury benchmark and build up the reasonable yield. The framework is based on the Duffie-Singleton credit spread decomposition, adjusted for DeFi-specific failure modes.

The components of this pricing model are as follows:

• Risk-Free Rate (10Y UST): +4.30%.
• Technical Expected Loss (PD × LGD): +1.50%.
• Oracle Manipulation Risk: +0.75%.
• Governance / Admin Key Risk: +1.00%.
• Composability Cascade Risk (like Kelp DAO): +1.25%.
• Regulatory Asymmetry Risk: +1.25%.
• Stablecoin De-pegging Tail Risk: +0.50%.
• Liquidity Premium: +0.50%.
• Risk Premium (Model Uncertainty): +1.50%.

The final derived reasonable yield is at least 12.55%.

Therefore, for high-quality DeFi stablecoin supply on top-tier protocols, a reasonable rate should be no less than 13%. For positions with explicit insurance coverage (e.g., covered by Nexus Mutual, Umbrella-style protocol reserves), it could be lower. For long-tail protocols, newly deployed markets, or exposures involving restaking and cross-chain structures, it should be higher.

Conclusion

Ultimately, our conclusions are as follows.

First, demand reasonable compensation. If you are lending USDC in DeFi at 5%, you are effectively pricing a risk profile that is technically and composability-wise worse than a CCC-rated credit at a BB-rated credit price. The 9% to 12% yields on curated vault markets like Morpho are closer to a fair clearing price, although they introduce their own issues related to manager selection and transparency.

Second, move up the capital structure. Over-collateralized lending against high-quality collateral (ETH, wBTC, market-proven LSTs), with oracle redundancy, protocol-level insurance layers, and no cross-chain exposure, carries a significantly lower risk premium than the framework above. If accessible directly, this is the equivalent of an 'investment-grade asset' in DeFi.

Third, correctly price tail risk. The KelpDAO attack was not a black swan; it was a foreseeable failure mode within a multi-chain, restaking structure. The Drift event was essentially the same, with different actors. Q2 2026 has already produced $577 million in permanent losses. A DeFi portfolio yielding a blended 5.5% has a catastrophic tail risk that this yield cannot possibly cover.

DeFi is not uninvestable; it is mispriced at the top of the stack. Institutional-grade opportunities do exist, but only for capital allocators who either demand risk premiums consistent with this framework or underwrite specific protocols individually, much like they would treat private credit. That 'lazy trade' – depositing stablecoins into a top-tier money market and accepting its published yield – is essentially a carry trade dressed up as a risk-free rate.