Chaos Labs has exited, and Aave has lost its last risk guardian

Original Title: Chaos Labs Is Leaving Aave

Original Author: Omer Goldberg

Original Translation: Peggy, BlockBeats

Editor’s Note: Chaos Labs announced that it would proactively end its risk management partnership with Aave and seek to terminate this licensing relationship early. As the core team that, over the past three years, provided risk pricing and management for all Aave V2 and V3 markets, its departure comes at a critical stage—when Aave is pushing forward with the V4 architecture overhaul and institutional expansion.

In its statement, Chaos Labs emphasized that this decision was not driven by short-term budget disagreements, but by a fundamental mismatch in how each side believes risk should be managed. As core contributors leave, system complexity increases, and the V4 effort brings extensive architecture rewrites, the scope and cost of risk management have expanded significantly—yet resource投入 and priority-setting have not been adjusted in step.

The article further points out that as DeFi gradually attracts institutional capital, risk records themselves have become the most critical “admission asset.” When a protocol needs to take on more complex system structures and meet higher compliance standards, risk is no longer just a technical issue—it becomes the underlying capability that determines whether it can keep operating.

As DeFi enters its next phase, where should risk management be placed, and whether the industry is willing to bear the corresponding costs for it.

The following is the original text:

Since November 2022, Chaos Labs has priced every loan initiated on Aave and managed all risks across every Aave V2 and V3 market and each network, with no bad debts occurring that had any material impact.

During this period, Aave’s total value locked (TVL) grew from $5.2 billion to more than $26 billion, cumulative deposits exceeded $2.5 trillion, and more than $2 billion in liquidations were completed.

Today, we have decided to proactively end this licensing relationship and seek to terminate our cooperation early.

This decision was not made in haste. We have always collaborated in good faith with DAO contributors, and Aave Labs has always maintained a professional approach. It even raised its budget to $5 million to try to keep us. However, we chose to leave because this partnership no longer aligns with our basic understanding of how risk should be managed.

Although we may differ on the future path, I still believe that Aave Labs is acting in the way it understands—and in the way it believes is best—for Aave.

Why We Chose to Leave

Over the past three years, we have stood with Aave through thick and thin, experiencing multiple market crises—moments that nearly tested every parameter we set, and every machine learning model we built.

When we joined, the DAO’s annualized net spending was negative $35 million; a few months ago, its peak reached $150 million. Throughout this process, as one of the core contributors, we genuinely felt proud.

People don’t easily walk away from an experience like this. Therefore, in the spirit of transparency, and also hoping it may serve as a reference for the DAO’s future, we are explaining the reasons here.

Funding can solve many problems, but not all. The deeper issue is that there is a structural disagreement between the two sides on the fundamental question of how to manage risk. As discussions about the future path continued, this divergence became increasingly clear.

At the end of the day, the problem boils down to three points:

The departure of core Aave contributors has significantly increased workload and operational risk;

The launch of V4 has expanded the scope of risk management responsibilities, increasing operational and legal liability, while its architecture was not designed by us and is not the design approach we would choose;

For the past three years, we have been承担 Aave’s risk management work while operating at a loss. Even if the budget increases by $1 million, overall we will still be running at a negative profit level.

This means there are only two remaining choices—and we cannot accept either of them:

Make do as best we can when resources are insufficient, but without meeting the risk management standards that “the world’s largest DeFi applications” should have;

Continue to subsidize Aave’s risk operations with our own funds, and keep bearing losses.

Even if the economic issues are resolved, the disagreement between the two sides regarding risk priorities and management methods still remains—and that is not something that can be fixed simply by increasing the budget.

But none of this will change how we view this work.

For Chaos Labs, being able to contribute to Aave is always an honor—and it also comes with a heavy responsibility. Our reputation comes from our past track record. Every partnership either meets the standards it should, or we don’t do it.

People, Technology, and Operational Experience

Aave is an excellent brand. Its leading position does not come from the flashiest features or the most aggressive growth strategy.

What truly allows Aave to maintain its advantage long term is its “reliability.” The brand and market sentiment are, in essence, just lagging reflections of its performance, safety, and risk management capabilities—especially in extreme market environments that destroy other participants. It is on that foundation that the consensus around “Just Use Aave” gradually formed.

Competitors have rolled out more aggressive mechanisms and growth strategies, but one after another they have collapsed due to risk management mistakes or security vulnerabilities. In a market made up of the world’s most volatile assets, “survivability” is the product itself. Whoever can better—and for longer—manage risk wins.

Aave’s real innovation, however, shows up in areas that many protocols ignore: processes and infrastructure. The Risk Oracles we built and first introduced on Aave enable protocols to self-repair and update parameters in real time based on dynamic and sharply fluctuating market conditions. This infrastructure supports Aave’s expansion to more than 250 markets across 19 blockchains, handling hundreds of parameter updates each month while maintaining rigorous operational standards—thereby earning the trust it has today.

In the past year, Chaos Labs carried out and continuously pushed more than 2,000 risk parameter updates across Aave’s markets, covering both manually adjusted and automated Risk Oracle management mechanisms. This infrastructure has enabled Aave to expand to more than 250 markets across 19 blockchains, while still achieving real-time risk management

The number of Aave risk parameter updates executed through human managers and Chaos Risk Oracles.

This rigor comes from a specific collaboration system and execution stack: ACI handles growth and governance (@Marczeller), TokenLogic handles fund management and growth (@Token_Logic), BGD handles protocol engineering (@bgdlabs), and Chaos Labs handles risk management.

A brand is the part the outside world can see; what truly makes it worth seeing is the people, technology, and operational experience behind it.

GTM and Institutional Expansion

Our contribution goes far beyond risk management.

Over the past few years, the crypto industry has rapidly moved toward institutionalization. The world’s largest financial institutions have begun connecting to DeFi, but no matter how real the benefits of “on-chain” are, they can’t beat one prerequisite: if institutions worry that clients’ funds might be harmed, then all of this is meaningless. For any regulated entity, discussions begin with risk and end with risk. Extra basis points of return are never worth taking principal risk. What institutions pursue is risk-adjusted returns, and they won’t allocate funds to a protocol they can’t “explain clearly” to their compliance team.

That is precisely why Aave’s risk track record has become its most important GTM asset. And we, as the builders of that track record, can therefore speak directly with these institutions. At Aave Labs’ request, we took on this role—meeting partners worldwide, producing research and due diligence materials, and personally participating in Aave’s institutional expansion. We also hope that the DAO will continue to benefit from these accumulations in the coming months.

The Ship of Theseus

If every plank of a ship is replaced, is it still the same ship? The name doesn’t change, and the flag doesn’t change, but the underlying reality is already different.

Aave is in a similar situation now. The core contributors who built and operated V3 have left, and the operational experience that supported Aave through market cycles over the past three years has left with them.

We are the last remaining technical contributors in this group.

V3 is still the largest application in DeFi by scale and requires 7×24×365 risk management. Although Aave Labs is optimistic about the rapid migration to V4, history shows that migrations like this often take months or even years. Until V4 fully takes over the V3 markets and liquidity, the two systems must run in parallel. The workload won’t be halved—it will be doubled.

More importantly, it’s operational experience. Even if we assume different teams have the same capabilities, the experience accumulated from running continuously for three years cannot be directly transferred in the handover.

How long does it take to close this gap? The answer is clearly not “zero.” And until the gap disappears, someone has to bear that cost—and that responsibility falls on us almost entirely, while the budget is already insufficient even as the scope expands.

Continuing a brand does not equal continuing a system.

Why V4 Is Different

V4 is a completely new lending protocol, with entirely new smart contract code, system architecture, and design paradigms. Except for the name, it is almost nothing like Aave V3.

Architectural changes directly affect risk: more cross-market and cross-module interdependencies, a new credit structure, and revised liquidation logic. Any “second-order risks” of a new protocol will only gradually become visible after real capital enters the system.

Taking responsibility for onboarding this system means rebuilding infrastructure, toolchains, and simulation systems—and doing a complete operational run from 0 to 1 again on a codebase that has not yet been tested in real markets. This scope is far greater than V3, and that is at the core of our decision.

Risk is downstream of architecture. When architecture undergoes a fundamental change, risk management itself must be rebuilt. Unlike “standardized services” such as price oracles or reserve proofs, the Risk Oracle and its supporting systems must be tailored to the specific protocol architecture. Once the architecture is rewritten, the risk infrastructure must also be rebuilt.

The issue is: the scope increases significantly, but resources are not increased in parallel. Aave Labs might be able to accept such a trade-off, but we cannot.

The Real Cost of This

We are giving up a cooperation that has worked well historically and costs $5 million. For a startup, this is by no means a casual move, so it deserves more thorough background.

Compensation is only part of it; more important is a signal: how many resources an organization allocates to risk reflects its risk priorities.

At the same time, I also believe that very few people truly understand the real costs of this kind of system, the actual spending, and the risks being borne. Therefore, we hope to make this clear here.

It should be made explicit: the DAO has every right to decide what it values and how much it is willing to pay for it. I have no disagreement with that. My responsibility is only to assess whether these conditions are suitable for us—and this time, they are not.

Comparing Aave to Banks

Aave often compares itself to banks, and we use that standard as well. Banks typically allocate 6%–10% of their revenue to compliance and risk infrastructure. In 2025, Aave revenue was $142 million, while our budget is $3 million—about 2%.

We estimate that the minimum risk budget for V3 + V4 should be $8 million, to cover a broader risk scope, additional infrastructure, and the GTM work we have already taken on—still only about 5.6% of revenue, which remains below the lower bound for banks.

And this comparison may even be “lenient.” The openness of blockchain makes it more complex and more asymmetric in market risk and network security risk. Since protocols are open source and transparent, the attack surface is visible to everyone. A recent series of attacks has already shown that this is not a theoretical risk. We believe that in DeFi, risk investment should be higher than in traditional finance—not lower.

Of course, Aave’s scale is nearly incomparable within DeFi, and banks are only a reference point for understanding how much institutions that take risk seriously typically invest. Whether a protocol “is capable of investing risk” and whether it “chooses to invest risk” are two different things.

For Aave, capability is not the problem: the DAO holds roughly $140 million in reserves, and Aave Labs has just passed a $50 million self-funded proposal. Even if resources are scarce, the cost of risk management does not change because of that. Budgets cannot reshape the threat structure—cost is cost.

Costs That Don’t Appear in the Budget

Labor and infrastructure are only the explicit costs; there are also some implicit costs that are harder to quantify, but still must be borne.

First, legal and institutional risk. In DeFi risk management (whether you’re a risk manager or a vault manager), you face responsibility boundaries that have not yet been clearly defined. Without a mature regulatory framework, without a “safe harbor,” and without clear legal definitions of what responsibility a risk manager should bear when a protocol fails. When the system is functioning normally, these matters are “invisible”; but when something goes wrong, the responsibility does not disappear.

Second, network and operational security. Providing risk services for a protocol that manages hundreds of billions in assets makes you, by nature, a target for attack. The cost of building auditing, monitoring, infrastructure, and internal control systems will rise in step with the scale of users’ deposits.

These costs are not unique to us. Any team taking on this role at this scale will face the same exposure. The question is whether this kind of partnership structure reflects this reality.

If upside returns are limited while downside risks are infinite, choosing to continue is not “sticking to a belief”—it is actually a poor approach to risk management.

Our Principles

At Chaos, we always adhere to a simple principle: we only put our name on work we fully endorse.

When everything goes smoothly, this principle is easy to maintain; what really matters is when it needs to be paid for the bill. Today, that bill is $5 million.

I wrote in 《The Market Crypto Never Built》 what institutional-grade risk management should look like. This decision is the embodiment of that belief in reality. If we argue that the industry needs higher standards, then we must first hold ourselves to those standards.

I hope V4 succeeds. If it turns out that our concerns were overstated, then that would be good news for the entire industry.

To the Aave community: Thank you for the trust during this time—this is our honor

[Original Link]