How permissionless money markets replaced banks with smart contracts

‍

There is something quietly revolutionary about the idea that anyone on Earth with an internet connection and a crypto wallet can lend money, earn interest, or take out a loan, all without filling out a single form, without a credit check, without a bank deciding whether they are worthy. No intermediary holds the funds. No human approves the transaction. A few lines of code running on a blockchain handle everything, and they do so twenty-four hours a day, seven days a week, without holidays.

‍

This is not a theoretical vision. It is already happening at scale. As of early 2026, decentralised lending and borrowing protocols collectively manage over forty billion dollars in deposited assets. Aave, Compound, MakerDAO (now Sky), and a growing ecosystem of newer entrants have created an entirely parallel financial system where capital flows are governed by algorithms, collateral ratios, and governance votes rather than loan officers and credit committees.

‍

But the apparent simplicity of "deposit and earn" or "borrow instantly" masks extraordinary complexity underneath. Interest rate models, liquidation engines, oracle dependencies, flash loan mechanics, risk parameter tuning, and governance attack vectors all interact in ways that have already led to spectacular exploits and billions in losses.

‍

This article will walk you through all of it. We will start with the fundamentals, build up to the mechanics, examine the major protocols in depth, and then push into the frontier where under-collateralised lending, modular architectures, and protocol-native stablecoins are reshaping what DeFi lending can be.

‍

‍

Part 1: The Fundamentals

‍

What Is DeFi Lending and Borrowing?

‍

At its core, a DeFi lending protocol is a smart-contract-based money market. Suppliers deposit crypto assets into a shared liquidity pool and earn interest. Borrowers post collateral (typically a different crypto asset) and borrow from that same pool, paying interest on their debt. No counterparty negotiation takes place. The protocol's code enforces the rules, and the blockchain records every state change immutably.

‍

Three properties define DeFi lending:

• Permissionless: Anyone can supply or borrow. There is no application process, no identity verification, and no geographic restrictions enforced by the smart contracts.
• Algorithmic: Interest rates are computed by mathematical functions that respond to real-time supply and demand. When utilisation rises, rates rise automatically.
• Non-custodial: The protocol never "holds" your assets the way a bank does. Your deposit sits in a smart contract on a public blockchain. You can withdraw at any time, subject to available liquidity.

‍

Traditional Lending vs. DeFi Lending

‍

In traditional finance, lending is relationship-based and information-heavy. A borrower applies for a loan. The bank evaluates credit history, income, and existing debts. An underwriter makes a judgment call. This system works, but it has deep limitations: access is gatekept, rates are opaque, settlement is slow, and custody risk is real.

‍

DeFi lending inverts most of these dynamics. Access is open by default. Rates are transparent and algorithmically determined. Settlement is near-instant. And custody remains with the depositor, mediated only by auditable smart contract code.

‍

The tradeoff is that DeFi lending currently cannot assess creditworthiness. Without identity, without credit scores, without legal recourse, the only way a protocol can protect lenders is by demanding that borrowers put up more collateral than they borrow. This is over-collateralisation, and it is the foundation on which everything else is built.

‍

Why Over-Collateralisation Exists

‍

If you borrow $1,000 from Aave, you might need to deposit $1,500 worth of ETH as collateral. This seems counterintuitive. Why would anyone post $1,500 to borrow $1,000? Several reasons:

• Tax efficiency: Borrowing against crypto is not a taxable event in many jurisdictions, whereas selling crypto is.
• Leverage: A trader can deposit ETH, borrow stablecoins, buy more ETH, creating leveraged long exposure.
• Liquidity without selling: Long-term holders can access short-term liquidity without giving up their position.

‍

The excess collateral exists because a smart contract cannot chase you down if your loan goes bad. The only enforcement mechanism is the collateral itself. If its value drops too close to the loan value, the protocol liquidates it.

‍

Part 2: The Mechanics

‍

Interest Rate Models

‍

The interest rate is a function of utilisation: Total Borrowed / Total Supplied.

‍

The jump rate model (or kinked curve), popularised by Compound, introduces a sharp inflection point at a target utilisation. Below the kink, rates rise gently. Above it, rates spike dramatically. This ensures depositors can always withdraw. If utilisation hit 100%, no one could withdraw, which would be catastrophic.

‍

Aave v3 introduced variable rate curves with configurable slope parameters: a gentle slope below optimal utilisation and a steep slope above it. Governance can adjust these per asset. Compound v3 (Comet) simplified further by focusing on a single borrowable asset per market, allowing tighter rate optimisation.

‍

‍

Supply APY is derived from the borrow rate:

‍

Supply APY = Borrow APY x Utilisation x (1 - Reserve Factor)

‍

The reserve factor skims a percentage of interest income into the protocol treasury, acting as a buffer against bad debt. The spread between borrow and supply rates is where protocol revenue comes from.

‍

Liquidation Mechanics

‍

Liquidation keeps the system solvent. When a borrower's collateral value drops relative to their debt, their position becomes eligible for liquidation, measured by the health factor:

‍

Health Factor = (Collateral Value x Liquidation Threshold) / Debt Value

‍

When the health factor drops below 1, anyone can call the liquidation function. The liquidator repays a portion of the debt and receives the corresponding collateral plus a bonus (typically 5-10%).

‍

Key concepts:

• Loan-to-Value (LTV): Maximum percentage of collateral value you can borrow. If ETH has 80% LTV, you can borrow $800 against $1,000 of ETH.
• Liquidation Threshold: The point where liquidation triggers. Always higher than LTV, creating a buffer zone.
• Close Factor: Maximum percentage of debt liquidatable in a single transaction.
• Liquidation Penalty: The bonus incentivising liquidators, paid from the borrower's collateral.

‍

Sophisticated bots use flash loans to liquidate without upfront capital: borrow the repayment amount, repay the debt, receive collateral plus bonus, swap and repay the flash loan, keep the profit, all in one atomic transaction.

‍

Cascading Liquidations

‍

During sharp downturns, liquidations can trigger further price drops. When a large position is liquidated, the collateral is sold on the market, pushing prices down further, triggering more liquidations. This feedback loop amplified the damage during the Terra/Luna collapse in May 2022.

‍

Part 3: The Major Protocols

‍

Aave

‍

Aave (originally ETHLend) launched in 2017 as peer-to-peer lending before pivoting to pooled liquidity. Its evolution across versions tells the story of how the sector matured.

‍

Aave v1 (2020) introduced pool-based lending, flash loans, and rate switching. Aave v2 (2020) added debt tokenisation and credit delegation. Aave v3 (2022) was a major leap with Efficiency Mode (correlated assets at 97%+ LTV), Isolation Mode (riskier assets in sandboxed markets), Portal (cross-chain aToken bridging), and supply/borrow caps. Aave v4 began its phased rollout in late 2025, introducing a unified liquidity layer with cross-chain governance via a.DI (Aave Delivery Infrastructure), soft liquidations inspired by crvUSD's LLAMMA mechanism, and dynamic risk configurations that adjust parameters automatically. GHO, Aave's native stablecoin, has grown significantly since launch, with GHO supply crossing $200 million by early 2026 as borrowers mint it against their Aave collateral.

‍

Compound

‍

Compound arguably invented the modern DeFi money market. Compound v2 introduced cTokens representing pool shares that accrue interest through an increasing exchange rate. The COMP token launch in June 2020 kicked off "DeFi Summer."

‍

Compound v3 (Comet) took a radically different approach: each instance has a single borrowable asset and multiple collateral assets. This improves risk isolation and eliminates supply-side yield for collateral, a controversial but risk-reducing choice.

‍

MakerDAO / Sky

‍

MakerDAO is not a lending protocol in the traditional sense; it is a collateralised debt position (CDP) system. Users deposit collateral into Vaults and mint DAI, a decentralised stablecoin. There is no lender on the other side. The protocol creates DAI out of thin air, backed by locked collateral.

‍

The rebrand to Sky in 2024 introduced SubDAOs (Stars) and USDS alongside DAI. By early 2026, USDS adoption has accelerated with integrations across major DeFi protocols, while DAI continues to circulate in parallel. Through its RWA strategy, Sky has allocated billions into US Treasuries, corporate bonds, and tokenised credit products via partners like BlackRock's BUIDL and Superstate, making it one of the largest on-chain institutional buyers of real-world assets.

‍

‍

Part 4: Flash Loans

Flash loans are one of the most novel financial primitives ever created. A flash loan lets you borrow any amount with zero collateral, as long as you repay within the same transaction. If repayment fails, the entire transaction reverts as if it never happened. The lender faces zero risk.

‍

Legitimate uses: Arbitrage across DEXs, collateral swaps without unwinding positions, self-liquidation to avoid penalties, and debt refinancing across protocols, all in single atomic transactions.

‍

Attack vectors: Flash loans give anyone access to virtually unlimited capital for one transaction, dramatically lowering the barrier for complex attacks. Attackers use them to manipulate price feeds, exploit governance vulnerabilities, or trigger reentrancy bugs. They borrow massive amounts, manipulate a target, extract value, repay the loan, and walk away with profit.

‍

Part 5: Oracles, Risk, and Governance

‍

Oracle Dependency

‍

Lending protocols need asset prices but cannot rely on centralised exchanges. Chainlink, the dominant oracle, aggregates data from multiple independent node operators. TWAP oracles from Uniswap v3 calculate averages over time windows but can be stale during rapid price movements.

‍

Oracle manipulation remains one of the most common attack vectors. If an attacker temporarily inflates the price of a low-liquidity collateral token, they can borrow far more than it is actually worth.

‍

Risk Parameters and Governance

‍

Every listed asset carries risk parameters: LTV, liquidation threshold, liquidation penalty, reserve factor, supply cap, borrow cap. Setting these is one of the most consequential governance decisions. Specialised risk teams like Chaos Labs and Gauntlet run simulations to recommend changes, creating a hybrid model of decentralised governance with professionalised risk management.

‍

Part 6: Real Exploits and What They Taught Us

‍

Euler Finance (March 2023): $197 million stolen by exploiting a donation mechanism that did not check position health after eToken donations. The attacker used flash loans to create leveraged positions and then destroyed their own collateral tracking. Remarkably, all funds were eventually returned.

‍

Cream Finance (October 2021): $130 million drained by manipulating the price of a low-liquidity collateral token via flash loans. Cream had been exploited twice before.

‍

Mango Markets (October 2022): $114 million lost when Avraham Eisenberg manipulated MNGO token price using thin liquidity, then borrowed every available asset. He was arrested, charged, and convicted in April 2024.

‍

Lessons: Asset listing is a security decision. Oracle design must account for manipulation. Feature interactions create unexpected vulnerabilities. Protocols need the ability to pause markets instantly.

‍

Part 7: The Frontier

‍

Under-Collateralised Lending

‍

The holy grail of DeFi lending is credit-based lending without locked collateral. TrueFi pioneered unsecured institutional lending. Maple Finance operates with pool delegates underwriting loans (suffering losses during the 2022 credit contagion). Goldfinch targets real-world lending in emerging markets with senior-junior tranche structures. All reintroduce some form of trust.

‍

Modular Lending

‍

The trend is moving from monolithic protocols toward modular designs. Morpho Blue, which launched in 2024 and has since crossed $3 billion in TVL by early 2026, is a minimal, immutable lending primitive where anyone can create a market with any parameters. Risk curation is handled by separate "MetaMorpho" vaults managed by entities like Steakhouse Financial, Gauntlet, and Re7 Labs. Euler v2, which relaunched with a completely rebuilt architecture after its 2023 exploit, adopted a similar modular approach with permissionless Vault creation and the Ethereum Vault Connector for cross-vault borrowing. Fluid (formerly Instadapp Lite) has also emerged as a significant player, combining lending with DEX functionality in a unified liquidity layer that reached over $1 billion in TVL.

‍

Protocol-Native Stablecoins

‍

GHO (Aave) is minted by borrowers using Aave collateral, with governance-set borrow rates. crvUSD (Curve) introduced soft liquidation via LLAMMA, gradually converting collateral as prices fall instead of binary hard liquidation. This mechanism influenced Aave v4's design direction. These stablecoins make protocols not just capital marketplaces but money issuers.

‍

Cross-Chain Lending

‍

Aave's Portal enables cross-chain aToken bridging, and Aave v4's unified liquidity layer aims to make cross-chain lending seamless through a.DI messaging. LayerZero and Chainlink CCIP integrations are enabling protocols to read collateral state across chains. Radiant Capital attempted native cross-chain lending but suffered a $50 million exploit in late 2024 from compromised multisig keys, a stark reminder that cross-chain security adds layers of trust assumptions. Seamless Protocol on Base and Moonwell on multiple L2s have shown that chain-native lending deployments often outperform cross-chain approaches in terms of simplicity and security.

‍

Part 8: The Road Ahead

‍

The integration of real-world assets into DeFi lending may be the most consequential trend. Sky's multi-billion-dollar allocation to tokenised Treasuries via BlackRock's BUIDL, Ondo Finance's USDY, and Superstate demonstrated that DeFi protocols can serve as serious conduits for institutional fixed-income exposure. The Sky Savings Rate effectively became a proxy for the US Treasury rate, fluctuating between 5% and 12.5% throughout 2025 as governance adjusted it to manage demand.

‍

Traditional financial institutions are engaging more aggressively. Aave's GHO Stability Module attracted institutional liquidity providers in 2025. JPMorgan's Kinexys (formerly Onyx) expanded its DeFi pilots, and BlackRock's tokenised fund BUIDL became a widely accepted collateral type across lending protocols. The EU's MiCA regulation, fully enforced since mid-2025, provided clearer frameworks for institutional DeFi participation in Europe.

‍

Challenges remain: smart contract risk persists despite audits and growing adoption of formal verification tools like Certora and Halmos, regulatory clarity is improving but uneven across jurisdictions, over-collateralisation is structurally less capital-efficient than traditional lending, oracle reliability remains a systemic concern even as Chainlink's CCIP and data streams mature, governance participation is low and concentrated, and liquidity fragments across dozens of L2s and alt-L1s.

‍

The trajectory points toward modular architectures replacing monolithic designs, under-collateralised lending expanding through on-chain reputation systems, ZK identity proofs, and hybrid legal-smart-contract frameworks, cross-chain lending maturing with better messaging protocols, and institutional integration deepening as tokenised RWAs become standard collateral types across DeFi.

‍

The lending protocol is to DeFi what the commercial bank is to traditional finance: the foundational infrastructure through which capital is allocated, risk is priced, and money is created. The difference is that this time, the infrastructure is open-source, globally accessible, and governed by its users rather than its shareholders. The code is public. The rules are transparent. And anyone can participate.

‍

That is both the promise and the challenge. Building a financial system without gatekeepers requires building one that is resilient enough to survive without them.

‍

References

• Aave. (2025). "Aave V4 Technical Documentation." https://docs.aave.com/
• Aave. (2025). "GHO Stablecoin Documentation." https://docs.gho.xyz/
• Compound Labs. (2025). "Compound III (Comet) Documentation." https://docs.compound.finance/
• Sky (formerly MakerDAO). (2025). "Sky Ecosystem Documentation." https://docs.sky.money/
• Morpho Labs. (2025). "Morpho Blue and MetaMorpho Documentation." https://docs.morpho.org/
• Euler Finance. (2025). "Euler V2 Documentation." https://docs.euler.finance/
• Curve Finance. (2025). "crvUSD and LLAMMA Documentation." https://docs.curve.fi/crvUSD/
• Chainlink. (2025). "Chainlink Data Feeds and CCIP." https://docs.chain.link/
• DefiLlama. (2026). "Lending Protocol TVL Rankings." https://defillama.com/protocols/Lending
• Qin, K., Zhou, L., & Gervais, A. (2021). "Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit." FC 2021.
• Perez, D., Werner, S. M., Xu, J., & Livshits, B. (2021). "Liquidations: DeFi on a Knife-Edge." FC 2021.
• Werner, S. M. et al. (2022). "SoK: Decentralised Finance (DeFi)." ACM AFT 2022.
• Euler Finance. (2023). "Exploit Post-Mortem." https://www.euler.finance/blog/euler-exploit-post-mortem
• Rekt News. (2024). "Radiant Capital - Rekt." https://rekt.news/radiant-capital-rekt2/
• Chaos Labs. (2025). "DeFi Risk Management and Simulation Frameworks." https://chaoslabs.xyz/
• European Commission. (2025). "Markets in Crypto-Assets Regulation (MiCA)." https://finance.ec.europa.eu/digital-finance/digital-assets/markets-crypto-assets-regulation-mica_en
• BlackRock. (2025). "BUIDL - BlackRock USD Institutional Digital Liquidity Fund." https://securitize.io/buidl
• Ondo Finance. (2025). "USDY and Tokenised Treasury Products." https://ondo.finance/

‍