Monolithic, Modular, and CeDeFi

Unified pools, modular isolated markets, and vertically integrated credit platforms all serve different parts of the risk spectrum. The right architecture depends on the risk you are actually underwriting.

Published Apr 2026

TL;DR

Onchain lending has organized itself into three distinct architectures. Monolithic (unified-pool) protocols like Aave, Compound, and Spark aggregate all deposits of an asset into one reserve and let borrowers draw against shared liquidity. Modular platforms like Morpho, Euler, and Kamino split lending into isolated markets and vaults, with third-party curators picking which collateral to underwrite and at what rate. Vertically integrated CeDeFi platforms like Maple, Pareto, and Wildcat combine onchain capital formation with offchain underwriting, legal agreements, and negotiated liquidations.

No architecture wins outright. Each compresses a different trade-off between liquidity depth, risk isolation, permissionless access, and enforceability. Matching the right architecture to the risk being underwritten — continuous price risk, hybrid/jump risk, or credit risk — is the more useful question than "which will eat the others."

The April 2026 Aave / Kelp incident made the architectural trade-offs unusually visible in a short window. It is the cleanest worked example in DeFi's history of what happens when a pooled model underprices concentrated collateral risk, and it is also the event that showed risk management matters more than architecture.

Why this is not a style argument

Lending architecture sounds like a design preference until it becomes the reason your deposit is illiquid for a week. In the first quarter of 2026, over $500M was lost across the Drift and Kelp exploits, with the Kelp fallout alone contributing Aave's worst weekly outflow on record at −$8.67B and a multi-day period where every major lending reserve (USDC, USDT, DAI, USDe, WETH) was pinned at 100% utilization. During that window, depositors were not earning a reasonable premium over Treasuries and could not withdraw. A Treasury yield and a liquid deposit were, for practical purposes, safer and more liquid.

The harder question these events force is: what exactly is a depositor underwriting when they supply to a money market? The answer is not the same across architectures. Understanding the difference is the first step to pricing the risk correctly, whether you are supplying capital or building the protocol.

1. Monolithic: Unified Pool Lending

How it works. Every supplier of an asset deposits into one reserve. Every borrower draws from that same reserve, pledging collateral from an approved list. One utilization curve, one supply APR, one borrow APR. Risk parameters (LTVs, liquidation thresholds, supply/borrow caps) are set centrally by the protocol and its risk service providers. Examples: Aave V3, Compound III, Spark (SparkLend), the monolithic side of MakerDAO / Sky SparkLend-adjacent markets.

Monolithic / Unified Pool

Aave, Compound, Spark

Advantages
  • Deep shared liquidity bootstrapped quickly
  • Simple UX — one deposit, one borrow, one rate
  • Permissionless access at scale
  • Works well when collateral set is small and risk is continuous (BTC, ETH, stables)
Structural tradeoffs
  • All suppliers earn the same APR regardless of what their capital ultimately finances
  • Collateral concentration can build invisibly over time
  • Loss socialization: bad debt affects all suppliers of the borrowed asset
  • Emergency parameter changes can displace risk into adjacent markets rather than eliminating it

The deep insight from the April 2026 Kelp incident is that pooled lending systematically undercompensates depositors for concentration risk they cannot see. On Aave, 98.5% of the collateral backing WETH borrows came from ETH LSTs ($5.43B of $5.52B), with the top 10 borrowers holding $3.65B of WETH debt — 65.4% of all WETH borrows — levered into higher-yielding LSTs. Aave's ETH reserve was not financing a diversified book. It was primarily funding a concentrated LST carry trade. But every ETH supplier earned the same pool APR, whether their capital was financing vanilla borrowing or a highly levered rsETH loop. When the loss waterfall is looper equity → Umbrella safety module → aWETH depositors, ETH suppliers are effectively a third-loss position on a concentrated strategy — yet they were priced as senior lenders to a diversified book.

Spark as the counterpoint

The same unified-pool architecture can behave very differently depending on how it is managed. SparkLend deprecated rsETH in January 2026 (before the exploit), rate-limits supply and borrow caps to prevent explosive exposure growth, and maintained over $350M of instantly-available USDT liquidity throughout the crisis. It captured more net deposit inflows than any other venue in the four days after the incident (+$1.8B), despite running the architecture the Aave post-mortem criticizes. The lesson is that architecture doesn't determine trust — underwriting discipline does. A well-managed monolithic pool can outperform a poorly-curated modular market.

Where monolithic wins

Unified pools remain the best structure for assets whose risk is continuous and estimable: BTC, ETH, the major stablecoins. Price volatility and liquidity are the dominant risks, and both can be modeled well enough that LTVs and liquidation thresholds genuinely protect the pool. Shared liquidity is a real benefit in these assets, and the cross-subsidy across suppliers isn't severe because the underlying risk profiles are similar. The pooled model does exactly what it is designed to do.

Aave v4 as a hybrid response

The interesting wrinkle: Aave itself recognized the problem. v4 introduces Risk Premiums, which make borrow rates partially user-specific based on the collateral backing the loan. Combined with the hub-and-spoke architecture and more isolated markets, v4 moves toward granular risk pricing inside what is still branded as a unified pool. If execution on v4 migration is strong, it removes the cross-subsidy that made the April 2026 incident's depositor impact so broad — without giving up the liquidity advantages of a shared pool. In practice, v4 is "modular-like pricing in a unified-pool wrapper."

2. Modular: Isolated Markets and Curated Vaults

How it works. The protocol provides market infrastructure, not a single pool. Anyone can create a market defining its collateral, loan asset, LTV, and oracle — permissionlessly. Capital is aggregated in vaults managed by curators (independent risk specialists) who allocate deposits across markets based on their underwriting views. Lenders choose which curator to trust and therefore which risk profile they are taking. Examples: Morpho (Blue + MetaMorpho vaults), Euler V2, Kamino Lend.

Modular / Isolated Markets

Morpho, Euler, Kamino

Advantages
  • Risk is isolated per market — bad debt in one market does not socialize to others
  • Lenders opt in to specific collateral exposures and return expectations
  • Curators compete on underwriting quality, creating a market for risk management itself
  • Partner vaults let external platforms (Coinbase, wallets) embed bespoke strategies
Structural tradeoffs
  • User must evaluate who they trust as curator — more cognitive load
  • Fragmented liquidity can limit the scale of any individual market
  • Loss propagation through correlated exposures still happens (Resolv USR exploit hit ~15 Morpho vaults simultaneously, March 2026)
  • Quality depends on curator incentive alignment, which varies

Modular's key promise is that the price of risk finds its clearing level. If a curator wants to fund an LST carry trade at 93% LTV, they can — but lenders who don't want that exposure can put their capital in a different vault with different underwriting. Rate competition between curators does what the monolithic model's central risk committee tries to do, just with more granularity. On Morpho, lenders required materially higher APRs to fund LST loops than Aave's pooled rate, which naturally limited the scale of those strategies on that platform.

Modularity is not the same as safety. The Resolv USR exploit in March 2026 demonstrated that isolating risk at the market level doesn't prevent correlated exposures across vaults. Roughly fifteen Morpho vaults with non-trivial USR exposure were affected simultaneously. The loss was bounded per vault, but the contagion footprint was broad. What modular prevents is loss socialization. It does not prevent loss propagation through correlated underwriting decisions.

Where modular wins

Modular platforms are the natural home for assets with hybrid or discrete risk profiles: LSTs, LRTs, bridged assets, long-tail tokens, RWAs. These carry jump risk from protocol, bridge, or smart-contract failures that unified pools cannot price without capping exposure so tightly that the market never builds. Permissionless market creation lets specialists (curators with deep knowledge of a specific asset type) price that jump risk accurately, and the isolation means a failure in one market doesn't contaminate the broader liquidity pool.

3. CeDeFi: Vertically Integrated Credit

How it works. Capital is raised onchain. Underwriting happens offchain with real counterparties, real legal agreements, and real credit analysis. Loans can be undercollateralized or uncollateralized, backed by the borrower's business rather than pledged crypto. Defaults can trigger negotiated restructurings or non-atomic liquidations rather than the instant-liquidation assumption of onchain-only protocols. Examples: Maple Finance (institutional crypto credit), Pareto Credit (structured credit products), Wildcat Finance (bespoke bilateral agreements).

Vertically Integrated CeDeFi

Maple, Pareto, Wildcat

Advantages
  • Clear attribution: one entity underwrites, one party bears reputational risk
  • Legal recourse — off-chain enforcement if contracts break
  • Can support undercollateralized credit (the biggest market in traditional finance)
  • Negotiated liquidations handle collateral that cannot be sold instantly (RWAs, private credit)
Structural tradeoffs
  • Users trust a single underwriter — concentrated counterparty risk
  • Smaller pools, less permissionless than DeFi natives
  • Regulatory exposure is higher because the underwriter is identifiable
  • Transparency is hybrid — onchain capital, offchain loan details

CeDeFi looks like a retreat from DeFi principles only if you view DeFi as a monolithic ideology. It is better viewed as a segmentation: when the collateral being lent against cannot be instantly priced or liquidated (real-world assets, private credit, institutional receivables), the instant-liquidation model cannot work and forcing it creates bad outcomes. A negotiated restructuring with a legally identifiable counterparty is a better default for that kind of exposure. Maple, Pareto, and Wildcat are betting that as DeFi scales into credit markets that look more like traditional finance, the vertically integrated model will capture that share even if pure-DeFi lending remains larger in aggregate.

Where CeDeFi wins

Bespoke and institutional credit, structured products, undercollateralized lending, RWA-backed loans. Anywhere the counterparty matters as much as the collateral, and anywhere legal enforceability is part of the product. CeDeFi is also the model that most easily integrates with compliance and regulatory requirements, which matters for capital allocators who cannot deploy into fully-permissionless systems.

Matching architecture to risk

The most useful framing from the post-Kelp reflection is that different parts of the risk spectrum want different architectures. Trying to force one architecture to cover the whole spectrum is how concentration builds invisibly in monolithic pools, or how modular markets fragment so badly that none of them have useful liquidity, or how CeDeFi platforms try to serve retail users who really should be in a permissionless pool.

Risk type | Dominant driver | Best-fit architecture | Example assets / use cases
Continuous price risk | Market volatility, liquidity depth | Monolithic unified pool | BTC, ETH, USDC, USDT, DAI
Hybrid / jump risk | Protocol failure, bridge compromise, smart contract exploit, depeg | Modular isolated markets with specialist curators | LSTs, LRTs, bridged assets, long-tail tokens, yield-bearing derivatives
Credit risk (undercollateralized or RWA-backed) | Counterparty default, legal enforcement, non-liquid collateral | Vertically integrated CeDeFi | Institutional crypto lending, private credit, receivables, real-world assets

The empirical frontier (utilization vs yield)

The three-way architecture split shows up cleanly in capital deployment. Across the Oct 2024 – Nov 2025 observation window, the six major lending systems separate by architecture into distinct utilization / fee-yield bands (data from Anastasiia @mathy_research, April 2026 Vault Summit empirical paper). Higher mean utilization is associated with higher annualized fee yield at the protocol balance sheet — an observable risk-yield frontier — but the bands themselves reflect architectural choice:

Protocol | Architecture | Mean capital utilization | Annualized fee yield
Silo V2 | Modular, isolated markets | ~0.97 | ~8.1%
Euler V2 | Modular, isolated vaults | ~0.84 | ~6.2%
Maple | CeDeFi (offchain underwriting) | ~0.60–0.65 | ~3.7–4.1%
Gearbox | CeDeFi-adjacent (whitelisted margin) | ~0.60–0.65 | ~3.7–4.1%
Morpho (Blue) | Modular, permissionless markets | ~0.58–0.67 | ~3.2–4.1%
Aave V3 | Monolithic unified pool | ~0.58–0.67 | ~3.2–4.1%

Three things worth noticing:

  • The isolated-market protocols (Silo, Euler) sit closest to the frontier. Near-full capital deployment is consistent with designs that confine liquidation risk to specific collateral sets, letting individual markets be parameterized more aggressively without exposing the whole system. That's the theoretical case for modular, showing up in the balance-sheet numbers.
  • Aave and Morpho — despite opposite architectures — land in the same band. Both prioritize solvency and broad user safety over maximum turnover. This is the empirical reminder of the Spark vs Aave lesson from the Kelp incident: architecture alone doesn't determine capital efficiency or risk, underwriting discipline does.
  • Higher yield is not free. Silo's ~8.1% comes with the concentration risk embedded in isolated markets being easier to over-lever; Aave's ~3.2–4.1% reflects the conservative parameterization and broad collateral diversification that a unified pool enforces. Neither is "better" outside the context of what a specific depositor is trying to underwrite.

TVL-based statistics reflect both price movements and net flows, so these figures capture a combined signal of market beta and liquidity dynamics. Credit to Anastasiia's paper for the measurement methodology and the full cross-protocol dataset.

Questions to ask before you deposit

The same set of questions translates across all three architectures. What changes is which answers are good enough for you.

1. What is actually backing my deposit?
For monolithic pools: what percentage of collateral for the asset you're supplying comes from a single class? If it's >70%, you're not a diversified lender — you're financing that class. For modular vaults: which markets is your curator allocated to, and what collateral do those markets accept? For CeDeFi: who are the borrowers, and what's their credit history and legal documentation?
2. Who bears the first loss if this goes wrong?
For monolithic pools: look for a safety module (Aave's Umbrella, previously the Safety Module) and understand the size and stake-to-liability ratio. For modular: is there a curator insurance fund? Are losses capped at market level? For CeDeFi: is there a first-loss tranche that absorbs defaults before retail capital?
3. What happens if the protocol hits 100% utilization?
This is the stress test that reveals the architecture's honest trade-off. In a unified pool, 100% utilization means you hold an illiquid version of the asset (aWETH traded at an 8% discount to par during the Kelp incident) and liquidators can't easily close bad positions because they receive the same illiquid asset. In modular, utilization is market-specific — one market can hit 100% without freezing others. In CeDeFi, withdrawal rights and redemption windows are specified contractually.
4. Can emergency parameter changes displace risk onto me?
Unified pools can cut interest rates at 100% utilization to prevent runaway bad debt (Aave did this, cutting WETH Slope2 from 10.5% to 3% after Kelp). That protects one market but pushes pressure into adjacent markets — in Aave's case, stablecoin markets hit 100% utilization and 15% rates as lenders borrowed stables against illiquid aWETH. If you're in the stablecoin market when that happens, you've just acquired a new risk you didn't sign up for. Modular architectures isolate this by design; CeDeFi contracts usually specify redemption terms.
5. Whose judgment am I trusting on risk parameters?
Monolithic: the protocol's DAO and its paid risk service providers (Gauntlet, Chaos Labs, BGD Labs, LlamaRisk, etc.). Modular: the curator you picked for your vault. CeDeFi: the underwriter and their legal framework. All three are about trust in human judgment — the architecture just shapes how visible that trust is and how easily you can change it.
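
Questions 1 and 2 can be run as checks over a reserve's borrower book, using the loss order described for the Kelp incident (looper equity, then safety module, then suppliers). This is an added example, not code from the article or from any protocol; the book, tranche sizes and all names are constructed, and only the 70% threshold and the waterfall order come from the text.

```python
from collections import defaultdict
from dataclasses import dataclass

CONCENTRATION_LIMIT = 0.70  # threshold from question 1 on this page

@dataclass(frozen=True)
class Position:
    borrower: str
    collateral_class: str  # e.g. "LST", "BTC", "stable"
    collateral_usd: float
    debt_usd: float        # debt drawn from the reserve under review

def collateral_share_by_class(positions):
    """Share of the collateral backing this reserve's borrows, per class."""
    totals = defaultdict(float)
    for p in positions:
        if p.debt_usd > 0:  # idle collateral backs no borrow, so it is excluded
            totals[p.collateral_class] += p.collateral_usd
    grand = sum(totals.values())
    return {c: v / grand for c, v in totals.items()} if grand else {}

def flagged_classes(positions, limit=CONCENTRATION_LIMIT):
    """Classes whose share exceeds the limit: suppliers are financing that class."""
    shares = collateral_share_by_class(positions)
    return sorted(c for c, s in shares.items() if s > limit)

def top_borrower_debt_share(positions, n):
    """Fraction of reserve debt owed by the n largest borrowers."""
    debt = defaultdict(float)
    for p in positions:
        debt[p.borrower] += p.debt_usd
    total = sum(debt.values())
    return sum(sorted(debt.values(), reverse=True)[:n]) / total if total else 0.0

def loss_waterfall(loss_usd, tranches):
    """Push a loss through ordered (name, capacity) tranches; return (absorbed, uncovered)."""
    absorbed, remaining = {}, loss_usd
    for name, capacity in tranches:
        hit = min(remaining, capacity)
        absorbed[name] = hit
        remaining -= hit
    return absorbed, remaining

# Constructed sample book in USD millions; not data from any protocol.
BOOK = [
    Position("looper-1", "LST", 400.0, 360.0),
    Position("looper-2", "LST", 300.0, 270.0),
    Position("looper-3", "LST", 200.0, 180.0),
    Position("fund-a", "BTC", 60.0, 30.0),
    Position("retail-b", "stable", 40.0, 20.0),
    Position("idle-c", "BTC", 500.0, 0.0),  # supplies collateral but borrows nothing
]
# Constructed tranche sizes, listed in the loss order the article describes.
TRANCHES = [("looper equity", 90.0), ("safety module", 50.0), ("suppliers", 860.0)]

if __name__ == "__main__":
    print(flagged_classes(BOOK), round(top_borrower_debt_share(BOOK, 2), 3))
    print(loss_waterfall(200.0, TRANCHES))
```

In the constructed book the idle BTC collateral makes the reserve look diversified by deposits, while the collateral actually backing borrows is 90% LST, which is the gap between what a supplier sees and what they finance.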

What happens next

The most reasonable expectation is not that one architecture displaces the others. It is that the lending market structure segments:

  • Unified pools will continue to dominate the top of the risk curve — BTC, ETH, and major stables. Protocols with the best risk management (Spark-style pre-deprecation, rate-limited caps, liquidity discipline) will outperform protocols with looser frameworks, even at the same architecture.
  • Modular will absorb more of the long-tail and hybrid-risk curve: LSTs, LRTs, PT-tokens, bridged assets, new-asset bootstrapping. Curator reputation and vault track records will become their own evaluation criteria, similar to how allocators evaluate credit fund managers in TradFi.
  • CeDeFi will continue expanding into credit that can't exist in the other two models: institutional lending, RWAs, structured products, undercollateralized credit. This is where the biggest absolute dollar volumes of traditional finance live, so CeDeFi's ceiling is probably the highest — but it will grow slowly because each new vertical requires real underwriting infrastructure.

The Aave v4 bet is that a unified-pool protocol can blur the line by adopting modular-style Risk Premiums inside its own architecture. If it works, it's a real defense of the incumbent liquidity moat. If execution stalls, the current deposit-share erosion continues and modular platforms + Spark-style disciplined monoliths pick up the freed capital.

Bottom line

There is no "right" lending architecture, only the right architecture for a given risk. The most honest way to evaluate a lending venue is not by its category but by the five questions above. A disciplined monolithic pool (Spark) can outperform a sloppy modular platform. A well-curated modular vault can outperform a dominant but concentrated monolithic pool. A reputable CeDeFi underwriter can be safer than either for credit that doesn't fit a permissionless model. The April 2026 Kelp / Aave incident didn't settle the architectural debate — it reframed the question as "who is underwriting this, with what discipline, against what concentration?"