Max

By our calculations, $1.33B out of $4.4B of USDe's backing is lending against itself. Here’s the rule we used: Estimated self-lending = gross borrowing against USDe/sUSDe collateral × Ethena’s share of supplied liquidity in that market So if a pool has $556M borrowed against USDe/sUSDe, but @ethena supplies 47.4% of the liquidity, we attribute ~$263M of that as Ethena-funded self-lending. We’re not counting the full amount borrowed against USDe/sUSDe as “self-lending” where @ethena is not the only lender. Using this pro-rata method, we get: - Estimated Ethena self-lending: ~$1.33B - Gross amount borrowed against Ethena assets: ~$1.67B - Difference from pro-rata attribution: ~$336M Sources of data: AAVE: research.yuzu.money/aave-exposures Steakhouse USDtb: #overview" target="_blank" rel="nofollow noopener">app.morpho.org/ethereum/vault… Steakhouse Prime: app.morpho.org/base/vault/0xB… Kamino: kamino.com/earn/lend/ethe… Juplend: jup.ag/lend/ethena/ma… Backing: app.ethena.fi/dashboards/bac…

Today we announced progress toward our goal of advancing 24/7 collateral mobility. DTCC’s Collateral AppChain, a shared infrastructure platform for collateral, will leverage the Chainlink Runtime Environment (CRE) and @chainlink data standard to enable near real-time collateral management across financial markets and blockchains. The integration will enable the seamless pairing of asset prices, valuations, and movement, with the aim of overhauling how market risk is managed globally and unlock greater capital efficiency. This milestone reflects our broader vision to enable 24/7, near real-time collateral management across the global financial system. Read the full announcement: dtcc.com/news/2026/may/…

I’ve been asking myself why has it taken me so long to write this? Ultimately I still carry a huge amount of cognitive dissonance here. In my mind LayerZero the protocol was like Gnosis Safe and the application was setting their config, and who the )@(!$ would secure billions in TVL on a 1/1? I even tweeted about it, literally 0, I would have bet almost anything on that because almost every major application we helped setup their configs. Someone then going and manually changing that to a 1/1 was outside of the realm of possibility for me. I was wrong. It’s easy to sit back and say ‘it’s just a protocol we have no control over how people use it’ but we have the opportunity to be better. There was a conversation this week speaking to a customer and they just… screamed at me, at the top of their lungs, and swore for a solid ~3-5 minutes straight. We had implemented additional security measures of forcing a more stringent RPC quorum and forcing every chain to provide multiple RPCs and we had done it without telling them and it !)@$d with their business, which frankly is a deadly sin. We had messed with their business and they said communication wise we were completely blowing this. They were completely right. This is something I care about a ton, it is both the result of a huge portion of my life and something that I fundamentally believe in. I literally gifted a copy of Unreasonable Hospitality to every single manager in the company. The entire point of what we’ve built is to enable others to build on top of it, it is to provide a protocol and a platform for people to build on, and we’ve been failing some of our largest customers. The past two weeks have been unbelievably miserable. I’m incredibly grateful for all of the applications who have worked with us over the past 2 weeks, for @zeroshadow_io who has spent endless cycles with us tracking and seizing millions in attacker funds which will be returned to the rsETH team, and for all of the parties who brought together DefiUnited. Particularly @aave for leading and @MikeSilagadze for pushing everyone to get their !@)($ together and sort things out as quickly as possible, and putting himself in the frontline of acquisition talks and everything else to try to get to a solution quickly. @LayerZero_Core is one of the most critical pieces of infrastructure in the industry, the LayerZero protocol has earned the trust of the largest and most important asset issuers in the space. We will do better and we will make the industry better for it. My entire focus over the past 2 weeks has singularly been working with applications to harden their setup, building tooling to assist in tracking and freezing hacker funds, and the rsETH recovery efforts. That is going to shift now to where LayerZero Labs spends it's time and effort. The only thing this company will spend time on is how we can better serve our asset issuers and the upcoming launch of Zero.

Following the KelpDAO hack, we built an open analysis of DVN security configurations across every active OApp on LayerZero over the last 90 days. Of ~2,665 unique OApp contracts: 47% run a 1-of-1 DVN security floor, 45% run 2-of-2, and ~5% run 3-of-3 or higher. As we know, KelpDAO's rsETH sat in the first bucket. Open query, public methodology, feedback welcome: dune.com/dune/layerzero…

Update on KelpDAO rsETH: Funds were indeed stolen and not minted. The attack is consistent with a failure in a single-DVN verification setup (@LayerZero_Core), releasing pre-funded rsETH on the destination chain (Ethereum), without any source side (Unichain) debit. Rather than dumping >$200M of rsETH into thin liquidity, the attacker deposited into Aave to borrow WETH, avoiding slippage and extracting immediate WETH liquidity. My original post assumed that these positions were backed. Now we know that collateral did exist on Ethereum and was accepted by Aave, but given the funds were drawn from the bridge’s pre-funded inventory and now KelpDAO has paused withdrawals, my original assumption breaks. If rsETH can’t clear at par, there’s bad debt risk. So, the question now remains: who takes the loss? Aave? (Bad debt) rsETH holders? If Aave ends up with bad debt, this becomes a real stress test for Umbrella. Waiting on Aave, Kelp, and/or LZ comms.