Chaos Labs exits, Aave loses its last risk gatekeeper

Original Title: Chaos Labs Is Leaving Aave

Original Author: Omer Goldberg

Original Translation: Peggy, BlockBeats

Editor's Note: Chaos Labs announced the proactive termination of its risk management collaboration with Aave and is seeking to end this authorized relationship early. As the core team that has provided risk pricing and management for all Aave V2 and V3 markets over the past three years, their exit comes at a critical stage as Aave is advancing its V4 architectural restructuring and institutional expansion.

In the statement, Chaos Labs emphasized that this decision is not due to short-term budget disagreements but rather a fundamental cognitive divergence between the two parties on "how risks should be managed." With the loss of core contributors, increasing system complexity, and the architectural rewrite brought by V4, the responsibilities and costs of risk management have significantly expanded, but resource allocation and prioritization have not been adjusted accordingly.

The article further points out that as DeFi gradually attracts institutional funds, the risk record itself has become the most critical "entry asset." When protocols need to handle more complex system structures and higher compliance standards simultaneously, risk is no longer just a technical issue but a fundamental capability that determines whether they can operate sustainably.

As DeFi enters its next phase, where should risk management be positioned, and is the industry willing to bear the corresponding costs?

The following is the original text:

Since November 2022, Chaos Labs has priced every loan initiated on Aave and has been responsible for managing the risks of all Aave V2 and V3 markets and networks, during which no materially impactful bad debts have occurred.

During this period, Aave's total locked value (TVL) grew from $5.2 billion to over $26 billion, with cumulative deposits exceeding $2.5 trillion and over $2 billion in liquidations completed.

Today, we have decided to proactively end this authorized relationship and seek to terminate the collaboration early.

This decision was not made hastily. We have always collaborated in good faith with DAO contributors, and Aave Labs has remained professional, even raising the budget to $5 million to retain us. However, we chose to leave because this collaboration no longer aligns with our fundamental understanding of "how risks should be managed."

Despite the divergence in future paths, I still believe Aave Labs is acting in a manner it understands to be most beneficial for Aave.

Why We Chose to Leave

Over the past three years, we have advanced and retreated with Aave, experiencing multiple market crises—these moments have tested nearly every parameter we set and every machine learning model we built.

When we joined, the DAO's annual net expenditure was negative $35 million; a few months ago, it peaked at $150 million. Throughout this process, we have indeed felt proud to be one of the core contributors.

People do not easily give up such an experience. Therefore, for the sake of transparency and to provide a reference for the DAO's future, we hereby explain the reasons.

Funding can solve many problems, but not all. The deeper issue is that there is a structural divergence between the two parties on the fundamental question of "how to manage risk." As discussions about future paths continued, this divergence became increasingly clear.

Ultimately, the issues focus on three points:

The departure of core Aave contributors has significantly increased the workload and operational risks;

The launch of V4 has expanded the scope of risk management functions, increasing operational and legal responsibilities, while its architecture was not designed by us and is not a design approach we would adopt;

Over the past three years, we have consistently managed Aave's risk management work at a loss. Even with a budget increase of $1 million, the overall operation would still be in negative profit.

This means there are only two choices left, both of which we cannot accept:

To do our best under insufficient resources but fail to meet the risk management standards that a "global leading DeFi application" should have;

To continue subsidizing Aave's risk operations with our own funds, continuously bearing losses.

Even if the economic issues are resolved, the divergence between the two parties on risk priorities and management methods still exists, and this is not something that can be solved simply by increasing the budget.

But none of this will change our view of this work.

For Chaos Labs, being able to contribute to Aave has always been an honor and also means a heavy responsibility. Our reputation comes from our past records. Every collaboration must either meet its due standards or not be done at all.

People, Technology, and Operational Experience

Aave is an excellent brand. Its leading position does not stem from the flashiest features or the most aggressive growth strategies.

What truly allows Aave to maintain its advantage over the long term is its "reliability." The brand and market sentiment are essentially just a lagging reflection of its performance, safety, and risk management capabilities—especially in extreme market environments that destroy other participants. It is on this foundation that the consensus of "Just Use Aave" gradually formed.

Competitors have launched more aggressive mechanisms and growth strategies, but one after another, they have collapsed due to risk management failures or security vulnerabilities. In a market composed of the world's most volatile assets, "survivability" itself is a product. Those who can better and longer manage risks will prevail.

Aave's true innovation lies in areas that many protocols overlook: processes and infrastructure. The Risk Oracles we built and launched on Aave for the first time enable the protocol to self-repair and update parameters in real-time based on dynamic and volatile market conditions. This infrastructure supports Aave's expansion to over 250 markets across 19 blockchains, handling hundreds of parameter updates each month while maintaining rigorous operational standards, thereby earning today's trust.

In the past year, Chaos Labs has executed and continuously pushed over 2,000 risk parameter updates across Aave's markets, covering both manual adjustments and automated Risk Oracle management mechanisms. This infrastructure allows Aave to expand to over 250 markets across 19 blockchains while still achieving real-time risk management.

This rigor comes from a specific collaboration system and execution stack: ACI is responsible for growth and governance (@Marczeller), TokenLogic is responsible for fund management and growth (@Token_Logic), BGD is responsible for protocol engineering (@bgdlabs), while Chaos Labs is responsible for risk management.

The brand is the part seen by the outside world; what truly makes it worth seeing are the people, technology, and operational experience behind it.

GTM and Institutional Expansion

Our contributions go far beyond risk management.

In recent years, the crypto industry has rapidly moved toward institutionalization. The world's largest financial institutions are beginning to access DeFi, but no matter how real the "on-chain" returns are, they are meaningless if institutions are concerned about the potential loss of client funds. For any regulated entity, all discussions begin and end with risk. A few more basis points of return are never worth the risk to principal. Institutions seek risk-adjusted returns, and they will not allocate funds to a protocol that cannot be "clearly explained" to compliance teams.

For this reason, Aave's risk record has become its most important GTM asset. As the builders of this record, we have been able to engage directly with these institutions. At the request of Aave Labs, we took on this role, meeting with partners globally, producing research and due diligence materials, and personally participating in Aave's institutional expansion. We hope the DAO can continue to benefit from these accumulations in the coming months.

The Ship of Theseus

If every plank of a ship is replaced, is it still the same ship? The name hasn't changed, the flag hasn't changed, but the underlying structure is already different.

Aave is now in such a state. The core contributors who built and operated V3 have left, and the operational experience that has supported Aave through market cycles over the past three years has also flowed away.

We are the last remaining technical contributors from this group.

V3 remains the largest application in DeFi, requiring 24/7/365 risk management. Although Aave Labs is optimistic about the rapid migration to V4, history shows that such migrations often take months or even years. Before V4 fully takes over the markets and liquidity of V3, both systems must run in parallel. The workload will not be halved; it will double.

More critically, there is the issue of operational experience. Even assuming different teams have the same capabilities, the experience accumulated over three years of continuous operation cannot be directly transferred during a handover.

How long will it take to bridge this gap? The answer is clearly not "zero." And before the gap disappears, someone must bear this cost—and this responsibility almost entirely falls on us, while the budget is already insufficient given the expanded scope.

The continuity of the brand does not equate to the continuity of the system.

Why V4 Is Different

V4 is a brand new lending protocol, with entirely new smart contract code, system architecture, and design paradigms. Aside from the name, it bears almost no resemblance to Aave V3.

Changes at the architectural level directly affect risk: more interdependencies across markets and modules, a new credit structure, and adjusted liquidation logic. The "second-order risks" of any new protocol will only gradually emerge after real funds enter the system.

Taking over this system responsibly means needing to rebuild the infrastructure, toolchain, and simulation systems, and operating from scratch on a codebase that has not yet undergone market testing. This scope is far greater than V3, and this is at the core of our decision-making.

Risk is downstream of architecture. When the architecture undergoes fundamental changes, risk management itself must also be restructured. Unlike standardized services such as price oracles or reserve proofs, Risk Oracles and their supporting systems must be tailored to specific protocol architectures. Once the architecture is rewritten, the risk infrastructure must also be rebuilt.

The problem is: the scope has significantly expanded, but resources have not increased in tandem. Aave Labs may be able to accept such trade-offs, but we cannot.

The Real Cost of This Matter

What we are giving up is a historically well-functioning $5 million collaboration. For a startup, this is by no means a rash decision, and thus deserves more thorough background explanation.

Compensation is only part of it; more importantly, it is a signal: the amount of resources an organization invests in risk reflects its prioritization of risk.

At the same time, I believe few truly understand the actual costs, real expenditures, and risks involved in such systems. Therefore, I hope to clarify these points.

It must be made clear: the DAO has every right to decide what it values and how much it is willing to pay for it. I have no objections to this. My responsibility is only to judge whether these conditions are suitable for us—and this time, they are not.

Comparing Aave to Banks

Aave often compares itself to banks, and we also use this standard to evaluate it. Banks typically allocate 6% to 10% of their income to compliance and risk infrastructure. In 2025, Aave's income is projected to be $142 million, while our budget is $3 million, accounting for about 2%.

We estimate that the minimum risk budget for V3 + V4 should be $8 million, to cover a broader range of risks, additional infrastructure, and the GTM work we have already undertaken, accounting for about 5.6% of income, still below the lower limit of banks.

This comparison may even be "lenient." The openness of blockchain makes it more complex and asymmetric in terms of market risk and cybersecurity risk. The protocol's open-source transparency means that the attack surface is equally visible to everyone. A recent series of attacks has proven that this is not a theoretical risk. We believe that DeFi should invest more in risk than traditional finance, not less.

Of course, Aave's scale has few comparables in DeFi; banks are merely a reference point for understanding how much institutions that "take risk seriously" typically invest. Whether a protocol "has the capability" to invest in risk is different from whether it "chooses to invest."

For Aave, capability is not the issue: the DAO holds about $140 million in reserves, and Aave Labs has just passed a $50 million self-funding proposal. But even if resources are scarce, the costs of risk management will not change. Budgets cannot reshape the threat structure—costs are costs.

Costs That Will Not Appear in the Budget

Human resources and infrastructure are just visible costs; there are also some harder-to-quantify but necessary hidden costs.

First, there is legal and institutional risk. Engaging in risk management in DeFi (whether as risk managers or treasury managers) faces unclear boundaries of responsibility. There is no mature regulatory framework, no "safe harbor," and no clear legal definition of what responsibilities risk managers should bear when a protocol fails. When the system operates normally, these tasks are "invisible"; once problems arise, the responsibilities do not disappear.

Second, there is network and operational security. Providing risk services for a protocol managing billions of dollars in assets inherently makes it a target for attacks. The costs of audits, monitoring, infrastructure, and internal control systems will rise in tandem with the scale of user deposits.

These costs are not unique to us. Any team taking on this role at this scale will face the same exposures. The question is whether such a collaborative structure reflects this reality.

If the upside is limited while the downside risk is unlimited, then choosing to continue is not "having faith"; rather, it is a form of poor risk management.

Our Principles

At Chaos, we always adhere to a simple principle: only sign off on work we fully endorse.

When everything is going smoothly, this principle is easy to uphold; what truly matters is when it comes at a cost. Today, that cost is $5 million.

I once wrote in "The Market Crypto Never Built" about what institutional-grade risk management should look like. This decision is a manifestation of that belief in reality. If we advocate for higher standards in the industry, we must first apply those standards to ourselves.

I hope V4 can succeed. If it turns out our concerns were overestimated, that would be a good thing for the entire industry.

To the Aave community: Thank you for your trust during this time; it has been our honor.