
Chaos Labs Exits, Aave Loses Its Last Risk Gatekeeper

Analysis, published 8 hours ago by Wyatt

Original Author: Omer Goldberg

Original Compilation: Peggy, BlockBeats

Editor’s Note: Chaos Labs has announced its proactive decision to end its risk management collaboration with Aave and is seeking early termination of this mandate. As the core team that has provided risk pricing and management for all Aave V2 and V3 markets over the past three years, their departure comes at a critical juncture as Aave advances its V4 architectural overhaul and institutional expansion.

In its statement, Chaos Labs emphasized that this decision was not due to short-term budget disagreements but stemmed from a fundamental divergence in understanding regarding “how risk should be managed.” As core contributors departed, system complexity increased, and the V4 rewrite brought architectural changes, the scope and cost of risk management responsibilities expanded significantly, yet resource allocation and priority setting did not adjust accordingly.

The article further points out that as DeFi gradually attracts institutional capital, the risk track record itself has become the most critical “asset for access.” When a protocol needs to simultaneously handle more complex system structures and higher compliance standards, risk is no longer just a technical issue but a foundational capability determining its sustainable operation.

As DeFi enters its next phase, the question remains: where should risk management be positioned, and is the industry willing to bear the corresponding costs?

The following is the original text:

Since November 2022, Chaos Labs has priced every loan originated on Aave and been responsible for managing risk across all Aave V2 and V3 markets and networks, with no material bad debt occurring during this period.

During this time, Aave’s Total Value Locked (TVL) grew from $5.2 billion to over $26 billion, with cumulative deposits exceeding $2.5 trillion and over $2 billion in liquidations completed.


Today, we have decided to proactively end this mandate and seek early termination of the collaboration.

This decision was not made hastily. We have always collaborated in good faith with DAO contributors, and Aave Labs has remained professional throughout, even increasing the budget to $5 million to retain us. However, we chose to leave because this collaboration no longer aligns with our fundamental understanding of “how risk should be managed.”

Despite disagreements on the future path, I still believe Aave Labs is acting in what it perceives to be the best interests of Aave.

Why We Chose to Leave

Over the past three years, we have stood with Aave through multiple market crises—moments that tested nearly every parameter we set and every machine learning model we built.

When we joined, the DAO had an annualized net expenditure of negative $35 million; a few months ago, it peaked at $150 million. As one of the core contributors to this journey, we take genuine pride in that.

People do not easily walk away from such an experience. Therefore, for the sake of transparency and in hopes of providing a reference for the DAO’s future, we are explaining our reasons here.

Funding can solve many problems, but not all. The deeper issue is a structural divergence between the parties on the fundamental question of “how to manage risk.” As discussions about the future path continued, this divergence became increasingly clear.

Ultimately, the issues center on three points:

The departure of core Aave contributors significantly increased the workload and operational risk;

The launch of V4 expanded the scope of the risk management function, adding operational and legal responsibilities, and its architecture was not designed by us, nor is it a design approach we would adopt;

Over the past three years, we have consistently operated Aave’s risk management at a loss. Even with a $1 million budget increase, the overall operation would still be unprofitable.

This left only two choices, neither of which we could accept:

Do our best with insufficient resources but fail to meet the risk management standards expected of the “world’s largest DeFi application”;

Continue subsidizing Aave’s risk operations with our own capital, sustaining losses.

Even if the economic issues were resolved, the divergence in risk priorities and management approaches would remain, and this is not something that can be solved by simply increasing the budget.

But none of this changes our view of the work itself.

For Chaos Labs, contributing to Aave has always been an honor and a weighty responsibility. Our reputation is built on our track record. Every collaboration is either done to the standard it deserves, or not done at all.

People, Technology, and Operational Experience

Aave is an excellent brand. Its leading position does not stem from the flashiest features or the most aggressive growth strategies.

What has given Aave a long-term advantage is its “reliability.” Brand and market sentiment are essentially lagging reflections of its performance, security, and risk management capabilities—especially in extreme market environments that have destroyed other participants. It is on this foundation that the “Just Use Aave” consensus gradually formed.

Competitors launched more aggressive mechanisms and growth strategies, but collapsed one after another due to risk management failures or security vulnerabilities. In a market composed of the world’s most volatile assets, “viability” itself is the product. Whoever can manage risk better and longer wins.

Aave’s true innovation, however, lies in areas many protocols overlook: processes and infrastructure. The Risk Oracles we built and first launched on Aave enable the protocol to self-heal and update parameters in real-time based on dynamic and highly volatile market conditions. This infrastructure supports Aave’s expansion to over 250 markets across 19 blockchains, handling hundreds of parameter updates monthly while maintaining rigorous operational standards, thereby earning the trust it enjoys today.


Over the past year, Chaos Labs executed and continuously pushed over 2000 risk parameter updates across Aave markets, covering both manual adjustments and automated Risk Oracle management mechanisms. This infrastructure enabled Aave to scale to over 250 markets across 19 blockchains while still achieving real-time risk management.


Number of Aave risk parameter updates executed by human managers and Chaos Risk Oracles.

This rigor stems from a specific collaborative system and execution stack: ACI handles growth and governance (@Marczeller), TokenLogic handles treasury management and growth (@Token_Logic), BGD handles protocol engineering (@bgdlabs), and Chaos Labs handles risk management.

The brand is what the outside world sees; what truly makes it worth seeing are the people, technology, and operational experience behind it.

GTM and Institutional Expansion

Our contributions extend far beyond risk management.

In recent years, the crypto industry has rapidly institutionalized. The world’s largest financial institutions have begun accessing DeFi, but no matter how real the on-chain yields are, they are meaningless under one premise: if institutions fear client funds could be harmed. For any regulated entity, all discussions begin and end with risk. A few extra basis points of yield are never worth risking principal. Institutions seek risk-adjusted returns, and they will not allocate capital to a protocol they cannot “explain clearly” to their compliance teams.

Precisely because of this, Aave’s risk track record has become its most important GTM asset. And we, as the builders of this record, have thus been able to engage directly with these institutions. At the request of Aave Labs, we took on this role, meeting with partners globally, producing research and due diligence materials, and personally participating in Aave’s institutional expansion. We also hope the DAO will continue to benefit from these accumulated efforts in the coming months.

Ship of Theseus

If every plank of a ship is replaced, is it still the same ship? The name remains, the flag remains, but the foundation is fundamentally different.

Aave is now in such a state. The core contributors who built and operated V3 have left, and with them, the operational experience that supported Aave through market cycles over the past three years has dissipated.

We are the last remaining technical contributor from this group.

V3 remains the largest application in DeFi, requiring 24/7/365 risk management. Although Aave Labs is optimistic about a rapid migration to V4, history shows such migrations often take months or even years. Until V4 fully assumes V3’s markets and liquidity, both systems must run in parallel. The workload does not halve; it doubles.

More critical is operational experience. Even assuming different teams have equal capability, the experience accumulated from three years of continuous operation cannot be directly transferred in a handover.

How long does it take to bridge this gap? The answer is clearly not “zero.” And until the gap disappears, someone must bear this cost—a responsibility that falls almost entirely on us, while the budget was already insufficient for the expanded scope.

Continuity of brand is not equivalent to continuity of system.

Why V4 Is Different

V4 is a completely new lending protocol with entirely new smart contract code, system architecture, and design paradigms. Apart from the name, it bears little resemblance to Aave V3.

Architectural changes directly impact risk: more cross-market, cross-module interdependencies, new credit structures, and adjusted liquidation logic. And the “second-order risks” of any new protocol only gradually become apparent after real capital enters the system.

Responsibly taking on this system means rebuilding infrastructure, toolchains, and simulation systems from scratch, and performing a full operational setup from 0 to 1 on a codebase not yet tested by the market. This scope is far greater than V3, and this is at the core of our decision.

Risk is downstream of architecture. When the architecture changes fundamentally, risk management itself must be rebuilt. Unlike “standardized services” like price oracles or proof-of-reserves, Risk Oracles and their supporting systems must be customized for the specific protocol architecture. Once the architecture is rewritten, the risk infrastructure must also be rebuilt.

The problem is: the scope expanded significantly, but resources did not increase proportionally. Aave Labs may be able to accept this trade-off, but we cannot.

The Real Cost of This

We are walking away from a historically well-functioning, $5 million collaboration. For a startup, this is not a trivial decision, and thus warrants fuller context.

Compensation is only part of it; more importantly, it’s a signal: how many resources an organization allocates to risk reflects its prioritization of risk.

Simultaneously, I also believe few truly understand the actual costs, real expenditures, and risks borne by such systems. Therefore, I hope to clarify these here.

It must be clear: the DAO has every right to decide what it values and what it is willing to pay for it. I have no issue with that. My responsibility is merely to judge whether these terms are suitable for us—and this time, they are not.

Comparing Aave to a Bank

Aave often compares itself to a bank, and we use that standard as well. Banks typically allocate 6%–10% of revenue to compliance and risk infrastructure. In 2025, Aave’s revenue was $142 million, while our budget was $3 million, approximately 2%.

We estimate the minimum risk budget for V3 + V4 should be $8 million, covering the broader risk scope, additional infrastructure, and the GTM work we already undertake, representing about 5.6% of revenue, still below the lower bound for banks.

And this comparison might even be “generous.” The openness of blockchains makes them more complex and asymmetrical regarding market and cybersecurity risks. The open-source, transparent nature of protocols means the attack surface is equally visible to everyone. Recent attacks have proven this is not a theoretical risk. We believe DeFi should invest more in risk than traditional finance, not less.

Of course, Aave’s scale in DeFi has few comparables; banks are just a reference point to understand what institutions that “take risk seriously” typically invest. A protocol’s “ability to invest” in risk and its “choice to invest” are two different things.

For Aave, ability is not the issue: the DAO holds approximately $140 million in reserves, and Aave Labs just passed a $50 million self-funding proposal. But even if resources are scarce, the cost of risk management does not change accordingly. Budgets cannot reshape the threat landscape—cost is cost.

Costs That Don’t Appear in the Budget

Manpower and infrastructure are only explicit costs; there are also implicit costs that are harder to quantify but must be borne.

First, legal and institutional risk. Engaging in risk management in DeFi (whether as a risk manager or treasury manager) involves navigating a yet-to-be-clearly-defined boundary of liability. There is no mature regulatory framework, no “safe harbor,” and no clear legal definition of what responsibility a risk manager bears when a protocol fails. When the system works, this work is “invisible”; when problems arise, the liability does not disappear.

Second, network and operational security. Providing risk services for a protocol managing tens of billions in assets itself becomes a target. The costs of audits, monitoring, infrastructure, and internal control systems scale with the size of user deposits.

These costs are not unique to us. Any team taking on this role at this scale faces the same exposure. The question is whether the collaboration structure reflects this reality.

If the upside is limited and the downside risk is unlimited, then choosing to continue is not “having conviction”; it is, in fact, poor risk management.

Our Principles

At Chaos, we have always adhered to a simple principle: we only put our name on work we fully endorse.

When things go well, this principle is easy to uphold; what matters is when it comes at a cost. Today, that cost is $5 million.

I once wrote in “The Market Crypto Never Built” what institutional-grade risk management should look like. This decision is that belief manifested in reality. If we advocate that the industry needs higher standards, we must first apply those standards to ourselves.

I hope V4 succeeds. If our concerns prove to be overestimated, that would be good for the entire industry.

To the Aave community: Thank you for the trust during this time. It has been our honor.
