Chaos Labs Exits—Who Will Take Over Risk Management for Aave?
TechFlow Selected TechFlow Selected
Chaos Labs Exits—Who Will Take Over Risk Management for Aave?
When risk control exits, DeFi’s security foundation is repriced.
Navigating Web3 tides with focused insightsBy Omer Goldberg
Translated by Peggy, BlockBeats
Editor’s Note: Chaos Labs has announced its proactive decision to terminate its risk management collaboration with Aave and seeks early termination of this授权 relationship. As the core team responsible for risk pricing and management across all Aave V2 and V3 markets over the past three years, its departure coincides with a pivotal moment for Aave—amid its ongoing architectural overhaul toward V4 and strategic institutional expansion.
In its statement, Chaos Labs emphasizes that this decision does not stem from short-term budgetary disagreements but rather reflects a fundamental divergence in how “risk should be managed.” With the loss of key contributors, rising system complexity, and the architectural rewrite introduced by V4, the scope—and associated responsibilities and costs—of risk management have expanded significantly, yet resource allocation and prioritization have failed to keep pace.
The article further argues that as DeFi increasingly attracts institutional capital, a protocol’s risk track record itself has become the most critical “access asset.” When protocols must simultaneously accommodate more complex system architectures and higher compliance standards, risk ceases to be merely a technical concern—it becomes the foundational capability determining whether they can operate sustainably.
As DeFi enters its next phase, where exactly should risk management sit on the priority list—and is the industry prepared to bear the corresponding cost?
Below is the original text:
Since November 2022, Chaos Labs has priced every loan originated on Aave and managed risk across all Aave V2 and V3 markets on every network—without a single materially impactful default.
During this period, Aave’s total value locked (TVL) grew from $5.2 billion to over $26 billion, cumulative deposits exceeded $2.5 trillion, and over $2 billion in liquidations were completed.
Today, we have decided to proactively end this authorization relationship and seek early termination of our collaboration.
This decision was not made hastily. We have consistently collaborated in good faith with DAO contributors, and Aave Labs has remained professional throughout—having even raised the budget to $5 million in an effort to retain us. Yet we chose to leave because this collaboration no longer aligns with our foundational understanding of “how risk should be managed.”
Although we hold differing views on future direction, I still believe Aave Labs is acting—in its own judgment—in the best interest of Aave.
Why We Are Leaving
Over the past three years, we stood side-by-side with Aave through multiple market crises—moments that tested nearly every parameter we set and every machine learning model we built.
When we joined, the DAO’s annual net expenditure stood at negative $35 million; just months ago, it peaked at $150 million. Throughout this growth, we proudly served as one of its core contributors.
Few would walk away from such an experience lightly. Therefore, out of transparency—and in hopes of offering useful reference points for the DAO’s future—we lay out our reasons here.
Funding solves many problems—but not all. The deeper issue lies in a structural divergence between both parties on the fundamental question of “how risk should be managed.” As discussions about future direction evolved, this divergence only became clearer.
Ultimately, the issue centers on three points:
The departure of core Aave contributors has substantially increased operational workload and risk exposure;
The launch of V4 expands the scope of risk management responsibilities—including operational and legal liabilities—yet its architecture was neither designed by us nor aligned with the design principles we would adopt;
For the past three years, we have operated Aave’s risk management function at a loss. Even with a $1 million budget increase, we would remain unprofitable.
That leaves only two options—neither of which we can accept:
Doing our best under resource constraints, while falling short of the risk management standards expected of the world’s largest DeFi application;
Continuing to subsidize Aave’s risk operations using our own capital—and absorbing losses indefinitely.
Even if economic concerns were resolved, the underlying divergence in risk priorities and management methodology would persist—a gap no amount of additional funding can bridge.
Yet none of this changes our view of the work itself.
For Chaos Labs, contributing to Aave has always been both an honor and a weighty responsibility. Our reputation rests on our track record. Every engagement is either executed to the standard it demands—or not undertaken at all.
People, Technology, and Operational Experience
Aave is an exceptional brand. Its leadership position does not stem from flashy features or aggressive growth strategies.
What truly sustains Aave’s long-term advantage is its “reliability.” Brand perception and market sentiment are, in essence, lagging reflections of its performance, security, and risk management capabilities—especially amid extreme market conditions that have wiped out other participants. It is precisely on this foundation that the consensus “Just Use Aave” emerged.
Competitors launched bolder mechanisms and growth strategies—only to collapse one after another due to risk mismanagement or security failures. In a market composed of the world’s most volatile assets, “survivability” itself is the product. Whoever manages risk better—and for longer—wins.
Aave’s true innovation, however, lies in areas many protocols overlook: processes and infrastructure. The Risk Oracles we built and first deployed on Aave enable the protocol to self-heal and update parameters in real time—responding dynamically to sharply fluctuating market conditions. This infrastructure has supported Aave’s expansion to over 250 markets across 19 blockchains, enabling hundreds of parameter updates per month—all while maintaining rigorous operational standards and earning today’s trust.
Over the past year, Chaos Labs executed and continuously pushed over 2,000 risk parameter updates across Aave’s markets—including both manual adjustments and automated Risk Oracle management. This infrastructure enables Aave to scale across over 250 markets on 19 blockchains while retaining real-time risk management capability.
Number of Aave risk parameter updates executed via manual governance and Chaos Risk Oracles.
This rigor stems from a specific collaborative framework and execution stack: ACI handles growth and governance (@Marczeller), TokenLogic oversees treasury management and growth (@Token_Logic), BGD manages protocol engineering (@bgdlabs), and Chaos Labs leads risk management.
Brand is what outsiders see; what makes it worthy of attention is the people, technology, and operational experience behind it.
Go-to-Market (GTM) and Institutional Expansion
Our contribution extends far beyond risk management.
Over recent years, the crypto industry has rapidly institutionalized. The world’s largest financial institutions are beginning to integrate with DeFi—but however real the onchain yield may be, it means nothing without one prerequisite: if institutions fear their clients’ funds could be compromised, nothing else matters. For any regulated entity, every discussion starts—and ends—with risk. A few extra basis points in yield are never worth jeopardizing principal. Institutions pursue risk-adjusted returns—and will not allocate capital to any protocol they cannot clearly explain to their compliance teams.
Precisely for this reason, Aave’s risk track record has become its most vital GTM asset. And as architects of that record, we have been able to engage directly with these institutions. At Aave Labs’ request, we assumed this role—meeting partners globally, producing research and due diligence materials, and personally supporting Aave’s institutional expansion. We hope the DAO continues to benefit from these accumulated relationships over the coming months.
The Ship of Theseus
If every plank of a ship is replaced, is it still the same ship? Its name remains unchanged, its flag unfurled—but its underlying composition is entirely different.
Aave now finds itself in precisely this state. Core contributors who built and operated V3 have departed—and with them, the operational experience that carried Aave through market cycles over the past three years.
We are the last remaining technical contributor from that cohort.
V3 remains the largest application in DeFi—requiring 7×24×365 risk management. Though Aave Labs expresses optimism about rapid migration to V4, history shows such transitions often take months—or even years. Until V4 fully absorbs V3’s markets and liquidity, both systems must run in parallel. Workload doesn’t halve—it doubles.
More critically: operational experience. Even assuming equal capability across teams, three years of continuous operation yields experience that cannot be seamlessly transferred during handover.
How long will it take to close this gap? The answer is clearly not “zero.” And until that gap closes, someone must bear the cost—almost entirely falling on us, even as the scope expands and budgets remain insufficient.
Brand continuity does not equate to system continuity.
Why V4 Is Different
V4 is an entirely new lending protocol—with new smart contract code, a new system architecture, and a new design paradigm. Beyond its name, it shares almost nothing with Aave V3.
Architectural changes directly impact risk: greater cross-market and cross-module interdependencies, a new credit structure, and revised liquidation logic. And the “second-order risks” inherent in any new protocol only begin to surface once real capital flows into the system.
Responsibly taking ownership of this system means rebuilding infrastructure, tooling, and simulation environments—and executing full-scale operations from scratch on an unproven codebase. This scope vastly exceeds that of V3—and forms the crux of our decision.
Risk is downstream of architecture. When architecture undergoes fundamental change, risk management itself must be rebuilt. Unlike standardized services like price oracles or proof-of-reserves, Risk Oracles and their supporting systems must be custom-built for each protocol’s unique architecture. Once architecture is rewritten, the risk infrastructure must be rebuilt too.
The problem? Scope has expanded significantly—but resources have not scaled accordingly. Aave Labs may accept this trade-off—but we cannot.
The Real Cost
We are walking away from a historically successful $5 million collaboration. For a startup, this is no light decision—and thus merits fuller context.
Compensation is only part of the picture; more importantly, it signals how much priority an organization assigns to risk.
I also believe few truly grasp the actual cost, real expenditures, and risks borne by such systems. So here, we aim to clarify them.
It bears stating plainly: the DAO retains full authority to decide what it values—and how much it’s willing to pay for it. I have no objection to that. My duty is solely to assess whether those terms are suitable for us—and in this case, they are not.
Comparing Aave to Banks
Aave frequently draws analogies to banks—and we use that benchmark too. Banks typically allocate 6%–10% of revenue to compliance and risk infrastructure. In 2025, Aave generated $142 million in revenue, while our budget stood at $3 million—roughly 2%.
We estimate the minimum required risk budget for V3 + V4 should be $8 million—covering broader risk scope, additional infrastructure, and our already-delivered GTM work—representing ~5.6% of revenue, still below the banking sector’s lower bound.
Even this comparison may be overly generous. Blockchain’s openness introduces greater asymmetry and complexity in both market and cybersecurity risk. Protocol transparency means attack surfaces are visible to everyone. Recent attacks have proven this is no theoretical risk. We believe DeFi should invest *more* in risk than traditional finance—not less.
Of course, Aave’s scale is virtually unmatched in DeFi; banks serve only as a reference point to understand how institutions serious about risk typically allocate resources. A protocol’s “capacity” to invest in risk is distinct from its “choice” to do so.
For Aave, capacity is not the issue: the DAO holds ~$140 million in reserves, and Aave Labs recently approved a $50 million self-funded proposal. But even amid scarcity, the cost of risk management does not shrink. Budgets cannot reshape threat landscapes—cost is cost.
Costs That Don’t Appear in the Budget
Human and infrastructure costs are only the explicit ones—there are also harder-to-quantify, yet unavoidable, implicit costs.
First: legal and institutional risk. Performing risk management in DeFi—whether as a risk manager or treasury manager—entails responsibility boundaries that remain legally undefined. There is no mature regulatory framework, no “safe harbor,” and no clear legal precedent defining a risk manager’s liability when a protocol fails. When systems run smoothly, this work remains invisible; when things go wrong, responsibility does not vanish.
Second: network and operational security. Providing risk services to a protocol managing tens of billions in assets inherently makes you a target. Costs for auditing, monitoring, infrastructure, and internal control systems rise in tandem with user deposit volumes.
These costs are not unique to us. Any team operating at this scale in this role faces identical exposure. The question is whether the current collaboration structure reflects that reality.
If upside gains are limited while downside risk is unbounded, continuing is not “conviction”—it is poor risk management.
Our Principles
At Chaos, we uphold a simple principle: we affix our name only to work we fully endorse.
Upholding this principle is easy when things go well; what matters is doing so when it carries a cost. Today, that cost is $5 million.
I wrote in *The Market Crypto Never Built* about what institutional-grade risk management should look like. This decision is the real-world embodiment of that belief. If we advocate for higher industry standards, we must first hold ourselves to them.
I hope V4 succeeds. If our concerns prove overstated, that would be good news for the entire industry.
To the Aave community: thank you for your trust during this time—it has been our honor.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
@omeragoldberg
