The War Room Notes: Running Katana Through DeFi’s Worst Week Since FTX
By Matthew Fisher, CEO, Katana
“DeFi will not be lifeless. DeFi is United.” is the rallying cry following the decision of the $292 million Kelp exploit on April 19 that renewed the highlight on DeFi’s most seasoned enemy: Lazarus Group, whose estimated 2025 earnings of $1.5bn account for a couple of p.c of North Korea’s GDP.
AI corporations needed to be taught that they weren’t simply constructing software program – they had been constructing techniques with real-world penalties. The regulatory and reputational strain that adopted modified how the very best ones operated. DeFi is having the identical reckoning, quicker, and with no regulatory forcing perform. It has to come back from the founders. Beyond restoration funds, we have to unite on baseline safety necessities that permit establishments to underwrite the chance of interacting on-chain.
DeFi’s composability is a blessing and a curse. Whether it’s by means of technical safety failures or governance assaults, typically all it takes is one piece of infrastructure to fail and set off cascading liquidity stress assessments throughout the whole ecosystem. The transparency in DeFi makes these occasions public, and the settlement finality makes it close to immediate. TradFi credit score markets, alternatively, are resolved over months, with covenant renegotiations and off-chain authorized recourse dealt with privately.
By Sunday April nineteenth, public bulletins circulated that KelpDAO had misplaced $292 million to an assault on its LayerZero bridge. Lending markets from Aave to Spark to Fluid had been frozen, and the whole trade was staring on the similar query: what’s truly nonetheless standing?
To discover a solution to that, we have to look again at what these 72 hours actually seemed like from inside Katana.
The simple name
By 3:30 PM EST Saturday, a lot of the staff was monitoring the scenario. And by 7 PM EST Saturday, our safety staff had paused LayerZero integrations throughout our stack out of an abundance of warning. We don’t use 1/N DVNs in our LZ operations, however we paused anyway. That was earlier than anybody outdoors a small group of groups knew what had gone flawed. We didn’t know both. We knew sufficient.
The lesson isn’t “we made an amazing name.” It’s that having safe processes in place to pause one thing at 7 PM on a Saturday has to exist earlier than Saturday. If the default setting is “look ahead to consensus,” you lose the window.
Liquidity beneath strain
Once LayerZero was paused, the following 48 hours had been about liquidity.
A variety of DeFi is within the enterprise of optimizing for yield. Curators compete on APY, LPs chase APY, the entire system runs on charges. The drawback is that yield-optimized capital is, by definition, parked in no matter was paying the very best final week. When stress hits and LPs need out, yield-optimized vaults can’t meet all withdrawals, as a result of their capital isn’t sitting the place withdrawals occur. It’s sitting the place the yield was.
We optimized for liquidity final week. We labored to actively tune Morpho vault parameters on the Katana and Vault Bridge vaults so our institutional companions and retail distributors may pull dimension in the event that they wanted to. Some of them did. They acquired served in hours, not days. Some didn’t have to, however figuring out they may was a part of why they didn’t. We imagine this strategy displays the type of operational reliability that institutional companions worth.
Elsewhere in DeFi, Aave paused its rsETH markets throughout this era. Euler was reported to be working at capability. A variety of venues that seemed positive on a chart per week in the past turned out to be working skinny sufficient that they couldn’t take up this shock.
The curation name we made months in the past
We had no publicity to rsETH, because it by no means met our inner requirements for institutional-grade markets. And that was the decision we made months in the past, consciously.
This is the half that doesn’t present up in a postmortem. Curation isn’t thrilling. It’s a collection of small, boring choices about what to not embrace, made lengthy earlier than anybody is aware of why they mattered. The venues that survive this type of week are principally those that stated no to issues final October that may have blown them up on 10/10.
Morpho’s design on Katana helps too. Markets are remoted. An issue in a single doesn’t propagate to the others. Contrast that with a pooled design like Aave V3, the place this week’s rsETH publicity ended up pressuring markets that had nothing to do with KelpDAO. Architecture shapes what contagion can do.
The basis that held
Katana makes use of Vault Bridge to connect with Ethereum and the remainder of the Agglayer ecosystem. While a committee exists for bridge upgrades, it doesn’t depend on a committee of signers for transaction verification. Instead, it makes use of onchain ZK proofs as its verification mechanism. The math is the verification. Agglayer’s pessimistic proof layer is designed so {that a} chain can solely withdraw what’s truly been deposited. Infinite mint, the failure mode behind the KelpDAO exploit and different prior high-profile bridge incidents involving Polkadot, BNB and Wormhole, is structurally designed to be prevented by this structure. As with any know-how, no structure can assure immunity from all assault vectors, however we imagine this design meaningfully reduces the assault floor in comparison with multisig and committee-based options.
That structure signifies a better diploma of confidence beneath stress. Many establishments wished to right away derisk, and re-underwrite later. When I instructed institutional companions this week that Katana was open and their funds had been accessible, that was true as a result of the infrastructure beneath us was designed to carry up beneath strain, not as a result of we had been counting on an offchain setup to carry up beneath strain.
The duct tape I discussed on the high – by which I imply one-of-one verifiers, two-of-three signers, and multi-layer RPC dependencies that a lot of the trade nonetheless depends on – is the alternative of this. The purpose it retains failing isn’t that the groups working it are unhealthy. It’s that the mannequin is flawed for the setting we’re in now.
What this week truly taught us
Curation self-discipline is the only highest-leverage factor an operator can do. The choices made six months in the past about what to incorporate and what to reject are the explanation we had a relaxed weekend as a substitute of a catastrophic one. And the institutional relationships now we have developed over the previous six months are a purpose Katana started the week as a liquid venue and continued servicing 8 determine redemptions all through the week. The fast impression is outflows and lack of TVL, the long run impression is elevated belief in Morpho on Katana and good points in TVL.
Liquidity is a posture, not a quantity. A venue is simply as liquid as its willingness to carry capital the place redemptions truly occur, which is sort of by no means the identical place as the place yield occurs.
The duct tape has been tearing at an accelerating charge for eighteen months. Any operator nonetheless constructing on high of it’s betting the attackers will steer clear of their particular nook. I wouldn’t take that wager.
What should change now
The trade isn’t simply diagnosing the issue. Some are already constructing the repair. All have choices to make.
It is clear that one-of-one DVN verifiers are a factor of the previous. Less apparent how asset issuers implement guard rails. Among others issues, you can think about solely needing 1-of-N signers to pause a contract, however 5-of-6 signers to unpauase. Ethena’s has a Layer Zero implementation that makes use of customized charge limits that throttle cross chain transfers at $10m per hour for each DVN, and have a $10m per block charge restrict on the mint contract.
A core choice founders must make is the trade-off between consumer expertise and secure guarders. As the founding father of Ethena remarks, “Yes it’s a barely annoying inconvenience for customers 99% of the time, however a worthwhile commerce off to keep away from going to zero.”
Curation tiers will formalize and turn out to be extra clear to the market. The distinction between prime and high-yield DeFi publicity — which subtle curators have been making informally for some time — will turn out to be extra express and legible to institutional allocators.
Innovation in institutional insurance coverage merchandise is coming quickly. One implementation could also be to construct insurance coverage into lending venues that drive customers to opt-out of insurance coverage, moderately than forcing them to go to a 3rd social gathering with costly charges overlaying a minimal floor space.
The founder base will consolidate round individuals who perceive what they’re truly constructing. There’s a model of this trade the place DeFi is handled as a software program drawback. Ship quick, iterate, patch later. The mannequin doesn’t work while you’re constructing finance. Finance runs on belief and safety is a core a part of it. The obligations are completely different. The value of being flawed isn’t a rollback – it’s everlasting loss, at scale, with no recourse. The protocols nonetheless standing in two years can be run by founders who internalized that distinction early.
The KelpDAO staff is making progress and dealing by means of this example with the help from broader trade individuals. I hope they land properly. But the following Kelp-level incident is already being deliberate someplace, and the operators nonetheless standing a 12 months from now would be the ones who took this week critically.
We took it critically. We’ll hold taking it critically.
The put up The War Room Notes: Running Katana Through DeFi’s Worst Week Since FTX appeared first on BeInCrypto.
