Summary
The Aave Emergency Guardian (Protocol) multisig is being updated. The DAO’s stakeholder landscape has evolved since the current signer set was last ratified, and ongoing incident response work has made the operational responsiveness of this multisig increasingly critical. The roster is being tightened to a set of actively engaged stakeholders, the threshold is being set at 4/7, and new signers will not be publicly attributed to reduce the attack surface against individual signers and limit social-engineering and targeting risk.
Context
The Protocol Emergency Guardian is the multisig that can pause markets, freeze reserves, and execute other time-sensitive risk actions across all Aave deployments. It is deployed on 19 networks with the following addresses:
| Network | Address |
|---|---|
| Ethereum | 0x2CFe3ec4d5a6811f4B8067F0DE7e47DfA938Aa30 |
| Arbitrum | 0xCb45E82419baeBCC9bA8b1e5c7858e48A3B26Ea6 |
| Avalanche | 0x56C1a4b54921DEA9A344967a8693C7E661D72968 |
| Base | 0x56C1a4b54921DEA9A344967a8693C7E661D72968 |
| BNB | 0xCb45E82419baeBCC9bA8b1e5c7858e48A3B26Ea6 |
| Celo | 0x88E7aB6ee481Cf92e548c0e1169F824F99142c85 |
| Gnosis | 0xCb45E82419baeBCC9bA8b1e5c7858e48A3B26Ea6 |
| Linea | 0x0BF186764D8333a938f35e5dD124a7b9b9dccDF9 |
| Mantle | 0x172867391d690Eb53896623DaD22208624230686 |
| MegaETH | 0x8126eAd44383cb52Cf6A1bb70F1b4d7399DE34ef |
| Metis | 0x56C1a4b54921DEA9A344967a8693C7E661D72968 |
| Optimism | 0x56C1a4b54921DEA9A344967a8693C7E661D72968 |
| Plasma | 0xEf323B194caD8e02D9E5D8F07B34f625f1c088f1 |
| Polygon | 0xCb45E82419baeBCC9bA8b1e5c7858e48A3B26Ea6 |
| Scroll | 0xCb45E82419baeBCC9bA8b1e5c7858e48A3B26Ea6 |
| Soneium | 0xEf323B194caD8e02D9E5D8F07B34f625f1c088f1 |
| Sonic | 0xA4aF5175ed38e791362F01c67a487DbA4aE07dFe |
| XLayer | 0xD0D1CcB0391aADF1EaD96814ce7ab4008Ebdb336 |
| ZkSync | 0xba845c27903F7dDB5c676e5b74728C871057E000 |
Analytics
Activity across all networks over the last 12 months shows that the Guardian has performed reliably under load. Across executed transactions, signer median time-to-sign ranged from under 1 minute to roughly 20 minutes, with most signers clustering between 2 and 10 minutes.
Reactiveness has historically been one of the Protocol Emergency Guardian’s most important properties, particularly during incidents, and signers have collectively met that bar. The DAO thanks all current and outgoing signers for sustaining this level of operational readiness.
Looking forward, planned protocol improvements, including circuit breakers and other protective risk-aware systems powered by the Chainlink Runtime Environment (CRE), are expected to reduce the operational dependency on this multisig for routine risk actions. The Protocol Emergency Guardian will remain important as a backstop for emergency intervention, but its role in the day-to-day risk surface should narrow as those mechanisms come online.
Vetting and security requirements
New signers have been onboarded through a vetting process aligned with the role’s responsibilities. Requirements include the use of hardware wallets, strict operational security practices, verified out-of-band communication for any signing request, and disciplined handling of devices and credentials used in connection with Guardian activity. All signers, including those carried over from the previous configuration, have confirmed compliance with the DAO’s full set of minimum requirements for this role.
Operational readiness checks
The Protocol Emergency Guardian will also move to a recurring readiness process to ensure the signer set remains operational after rotation.
Aave Labs will coordinate four planned signer verifications per year. These quarterly checks are operational in nature and intended to confirm that each signer can still access the relevant wallet, complete the required device setup, and sign when needed.
Aave Labs will also coordinate one unannounced fire drill per year. This simulation will not be scheduled with prior notice to the signer set. The purpose is to validate real availability, response times, and coordination paths under conditions closer to an actual incident.
Specifications
The Aave Protocol Emergency Guardian will be updated to the following 4 of 7 signer configuration:
| Signer | Address |
|---|---|
| Signer 1 | 0x4Ab2Bed1d667260dB34244Ba412817651C2dD52b |
| Signer 2 | 0xc2674C1A1aF0557E1d217fF4F13DF44A637c7C13 |
| Signer 3 | 0xe6838d834674eC35EDd53D485770Baa10bdd6AAe |
| Signer 4 | 0xb291232F480F41c75802C4a60F1D2AC03404Afef |
| Signer 5 | 0xECC2a9240268BC7a26386ecB49E1Befca2706AC9 |
| Signer 6 | 0xa2DCdD6e0b5e0d118E2Fa8922552AC0Fe26EFe58 |
| Signer 7 | 0x3fa960f8355D00874D9C7E3350147f5E94859bc2 |
Next Steps
Proceed with the rotation and update documentation accordingly.
Disclaimer
Signer identities will not be publicly disclosed.
This is intentional. The signer set is being updated to improve operational resiliency while preserving signer safety and protocol opsec. Publicly naming individual signers creates avoidable personal security risk and may increase the attack surface around governance execution, incident response, and treasury-related operations.