[ARC] Gauntlet <> Aave Renewal

Summary

A proposal to renew Gauntlet’s 12-month engagement with Aave on continuous market risk management to maximize capital efficiency while minimizing the risk of insolvency and liquidations to foster long-term sustainable growth. Gauntlet’s current engagement with Aave runs through December 4, 2022.

Background

For the past two years, Gauntlet has collaborated with Aave to maximize the protocol’s capital efficiency given an acceptable level of market risk. Over the past year, we have:

Proposal

Scope
Gauntlet’s Risk Management platform quantifies risk, optimizes risk parameters, runs economic stress tests, and calibrates parameters dynamically. We use agent-based simulation models tuned to actual market data to model tail market events and interactions between different users within DeFi protocols. We run over 300,000 simulations on the Aave protocol each week and utilize trained models for lenders, borrowers, and liquidators based on hourly data with multiple forms of out-of-sample cross validation.

As Aave continues to expand (deployments to new markets, migration to a new protocol version, addition of a stablecoin), the level of risk management needed is at its highest - both in terms of the rigor required, but also the speed of risk monitoring and optimizations. Over the past year, we updated our infrastructure to support all Aave deployments simultaneously with the same rigor used to support the Aave v2 Ethereum market. We also stood up a new engineering team (Platform) to exclusively support deployments and doubled the size of our data science and engineering teams. Our work complements that of BGD, Certora, Llama, and others in a joint effort to protect and grow the Aave protocol.

Roadmap

Continued support for Aave v2 Ethereum

  • Immediate support for new asset listings in all markets (v2 and v3) and responding to ad-hoc requests
  • [New] Expanded coverage to all markets
  • Supported risk parameters: Loan-To-Value, Liquidation Threshold, Reserve Factor, and Liquidation Bonus
  • Market conditions will determine the frequency of parameter updates. For that reason, no SLA will be preset.
  • Responses to market risk events and topics related to risk that progress to voting will be prioritized.

[New] Aave v3 support

  • Aave v3 introduces new mechanisms that pose opportunities and challenges as they relate to managing market risk and optimizing capital efficiency, such as efficiency mode, isolation mode, portals, and siloed borrowing. For more details on v3 support, click here.
  • Coverage of all markets, starting with v3 Avalanche. Should a new market not listed above be deployed, we will expand support to this market and update the community on our timeline. For more details, click here.
  • Supported risk parameters: Loan-To-Value, Liquidation Threshold, Reserve Factor, Liquidation Bonus, [New] Supply Cap, [New] Borrow Cap, [New] Debt Ceiling (for Isolation Mode), [New] Liquidation Protocol Fee

[New] New Features

  • Insolvency refund: To increase our alignment with Aave and put actual “skin in the game”, we will refund a portion of our payment should our risk parameter optimizations incur insolvencies during the engagement
  • Interest rate optimization: Subject to community approval for our support. We will optimize interest rate parameters to maximize Aave’s revenue and reserves. For further discussion, click here.
  • GHO support: Subject to community approval for our support and launch. Scope may include optimizations to debt ceiling, interest rate, and discount rate.

Out of scope

  • Protocol development work (e.g., Solidity changes that improve risk/reward)
  • Formalized mechanism design outside of the supported parameters

Duration
1-year engagement (Dec 5, 2022 to Dec 5, 2023)

Expectations

Key Performance Indicators
Gauntlet aims to improve the following key metrics without increasing the protocol’s net insolvent value percentage:

  • Value at Risk: conveys capital at risk due to insolvencies when markets are under duress (i.e., Black Thursday). The current VaR in the system is broken down by collateral type. Gauntlet computes VaR (based on a measure of protocol insolvency) at the 95th percentile of our simulation runs.
  • Liquidations at Risk: conveys capital at risk due to liquidations when markets are under duress (i.e., Black Thursday). The current LaR in the system is broken down by collateral type. Gauntlet computes LaR (based on a measure of protocol liquidations) at the 95th percentile of our simulation runs.
  • Borrow Usage: provides information about how aggressively depositors of collateral borrow against their supply. Defined on a per asset level as:

    Gauntlet aggregates this to a system level by taking a weighted sum of all the assets used as collateral.

Communications

  • Risk parameter change steps: forum post, community discussion, Snapshot, on-chain vote
  • Participation in weekly newsletters and community calls with breakdowns of parameter changes and any anomalies observed
  • Proactive alerting to give the community time to discuss risk-related issues
  • Market Downturn Risk Reviews to provide detailed retrospectives
  • Risk and Analytics Dashboards updated daily
  • Payloads shared and verified before submission for on-chain voting

Compensation Model

Gauntlet charges a service fee that seeks to be commensurate with the value we add to protocols and provides strong alignment with the protocol. The fee structure is a fixed annual upfront compensation calculated per the following formula: log(Number of Assets, 10) * Total Borrow * Marginal Base Fee tier bps. Similar to last year, there will be a 25% discount applied for an annual engagement.

Total Borrow is calculated at the start of the engagement (30-day average, rounded down to nearest $1B) and limited to volume that we are providing dynamic risk parameters for at that time (v2 ETH, v3 AVAX, Aave Arc). There is no additional charge for future supported volume (e.g. v3 Optimism, v3 Polygon, v3 Arbitrum, v2 Polygon, v2 AVAX) or new feature development (e.g. interest rate optimization, GHO support). Assets will only be counted once (e.g USDC is counted once and supported across all networks).

If we were to invoice today (currently support 38 unique assets and $2B Total Borrow), it would equate to an annual compensation of ~$2.4M.

  • Total Compensation
    • 70% stablecoins (USDC, DAI, USDT)
    • 30% AAVE (at 30d VWAP)
  • Payment Schedule
    • 30% of the total compensation (stablecoins) deposited in a vault for the insolvency refund
    • The remaining compensation (stablecoins / AAVE) is streamed linearly over 1 year

Gauntlet has yet to sell any AAVE, but note that we may do so in the future for tax, operational, or other company requirements.

Next Steps

We welcome any feedback on the proposal. Please share any comments or feedback below. We are targeting to submit a Snapshot on Tuesday, November 15th. If this is successful, we will put up an on-chain vote on Tuesday, November 29.

About Gauntlet

Gauntlet is a simulation platform for market risk management and protocol optimization. Our optimization work includes engagements with Compound, Maker, Synthetix, Immutable, BENQI, Venus, Moonwell, Ref Finance, and others.

24 Likes

Gauntlet has proven that it has significant value to Aave in terms of risk management across various networks.
On this basis, a renewal of the agreement between Aave and Gauntlet would be the best option.

4 Likes

From a proposal standpoint, it seems concise and easy to read. Thank you, team.

Gauntlet has been helpful in thinking about how we engage with different V2 and V3 markets and what may be a good fit. We are supportive and would love to see a continued relationship

Is it worth discussing discontinuing Gauntlet’s support of V2 on Polygon and AVAX? (Without affecting fee)

We as a DAO must do our best to transition users to V3.

While it doesn’t have to happen immediately, a phased-out, limited offering of risk support removes the safety net and acts as an incentive to move to upgraded markets.

Just a thought. Maybe this is a part of a larger, protocol-wide discussion on how to migrate users.

7 Likes

Overall the pricing seems fair, but thought as a DAO we were trying to move away from paying contributors in AAVE and instead be more sustainable with stable reserves. Would Gauntlet be open to take the full payment in USD stables? And question for @llamaxyz how would an all stable offer affect the current DAO cashflow?

2 Likes

Thanks for the initial questions @fig @bayesiangame

Great question. For v2 Polygon and v2 AVAX, we currently offer risk analysis (asset listings, risk modeling for key market events) with the full integration and risk simulations slated for March 2023. We are excited about the migration to v3, particularly the enhanced risk management mechanisms, and are actively working with the Aave community and partners on the best path to migrate users to v3. We will keep you and the community updated as we get more clarity here.

We based the payment structure to be in line with recent proposals - Certora, Llama, BGD all took 30% of their payment in AAVE. More importantly, we are strong believers in the Aave ecosystem and appreciate the incentive alignment created by taking a portion of our payment in AAVE.

3 Likes

Thank you, everyone, for your support. Gauntlet has published the Snapshot vote below. Voting begins on 11/16/2022.

We have calculated the payment as of 11/14/2022 and will be using these figures for our AIP. The data as of 11/14/2022 is $2.17B 30-day average borrow, 38 unique assets, and 30-day AAVE VWAP of $79.2.

This translates to a total annual fee of $2,574,722:

  • 70% in stables ($1,802,305 in USDC)
  • 30% in AAVE (9,753 AAVE tokens)

Payment will be made at the start of the engagement:

  • 30% of the total annual fee ($772,417 in USDC) will be deposited in a vault for the insolvency refund.
  • The remaining $1,029,888 in USDC and 9,753 AAVE tokens will be streamed linearly over 1 year.

https://snapshot.org/#/aave.eth/proposal/0x549fa2186f321a4e8a07e0d5e82f85f3e2c83189cfaee678a6df144bb67d8f54

6 Likes

The Snapshot has failed. The turnout was the highest we’ve seen for a poll (1.1M votes).

Risk management evolves quickly. At times, we have not adapted quickly enough. I want to highlight where we missed over the past year:

  • Communicating more directly with key stakeholders than the community
  • Failed to push for updated community consensus on risk appetite
  • Moving too fast on risk-off changes without a framework
  • Did not align our evolving scope of work with community priorities (deployments, monitoring)
  • Messed up FEI recs which caused force liquidations
  • Moved too slow on merge risks

Internal Gauntlet and external DAO measures have been taken to prevent and unblock those and similar scenarios in the future.

As a next step, we welcome any and all feedback - good or bad. We haven’t received much in this forum yet. As an aside, the payment will be re-calculated prior to posting an updated Snapshot. For example, last week’s proposals removed several assets, which amounts to a reduced payment of ~$330k.


Separately for visibility, here is a non-exhaustive list of active work streams:

  • Initial risk parameter recommendations to launch Aave V3 ETH
  • Analysis on Llama protocol growth proposals including wMATIC Interest Rate updates
  • Continued price manipulation oracle analysis
  • Ongoing risk simulation, parameter recommendations, and daily dashboard updates for Aave V2 ETH, Aave V3 AVAX, and Optimism markets
  • Ongoing asset listing risk analyses, including cbETH, USDT, and OP
  • Interest rate curve research for Aave and optimizations

13 Likes

Hello @inkyamze and thanks for this post.

Firstly, I want to thank Gauntlet for their work on the Aave protocol and their dedication to help mitigate risks for the protocol.

While this snapshot failed, I still believe Gauntlet has been, is, and will be a clear net positive for our community, and with the ACI, I’m supportive of a re-run vote with an updated proposal.

I already raised in the past that any proposal asking for funding should base cost calculations on protocol revenue and not on % of borrowed funds, as only the former is long-term sustainable for the protocol, and my opinion on this hasn’t changed.

Outside of that, I still believe that the protocol would be less resilient and users more at risk without an active risk team and regular risk parameters AIPs updates, and Gauntlet has a track record that speaks for itself.

I encourage Gauntlet to work on a re-run and will be supportive of an updated proposal.

“The master has failed more times than the novice has even tried.”

14 Likes

I have to say, I was surprised to see the turnout / result of the Snapshot vote without much feedback left in this discussion. With Aave V3 on Ethereum being imminent and initial risk parameters not yet finalized, I am concerned about further delays for the protocol.

Personally, I’d really like to read the feedback from those that voted NAY. I believe such an open discussion would help expedite the process and offer clarity to the community.

Separately, have a few tidbits of feedback myself…

In my opinion, this is the biggest improvement that Gauntlet can make. For most (myself included), I don’t have tools or bandwidth to check Gauntlet’s math. As a user, I have to trust that they’re looking at all the right things and setting the right parameters. But given recent events, I believe we got complacent and didn’t reevaluate the current environment quickly enough.

I’d prefer a model where all the details behind decisions are shared upfront and summarized for the community to digest. In that way, the community can clearly understand the current set of assumptions behind current parameters (that they’ve indirectly agreed to by accepting the parameters). And therefore, proactively, can have a more informed discussion on whether or not the current set of assumptions should change.

A community is much more well equipped to discuss what assumptions the protocol should make about the current environment vs. debating the nitty-gritty between an 88% or 91% LTV (based on toolset alone). As a downstream, a risk manager, Gauntlet or otherwise, can only then suggest parameters based on this dynamic set of assumptions set by the community.

For example, in a different reply @tarun shared that Gauntlet had polled community members and landed on a security budget of $100M for each market. This polling, to my knowledge, was done in private. While I understand that we didn’t want an attacker knowing markets might be vulnerable if more than $100M was used to manipulate them, I don’t think this is the right approach.

Gauntlet uses only public data to inform its parameter recommendations. If we assume an attacker has access to the same data, this means it’s possible they come to a similar conclusion on their own (which we saw happened for the REN market). The way the security budget was set is more akin to security by obscurity than anything else.

With the transition to V3 where capped supply and borrow are possible, I think most would agree that publicly deciding the risk budget would be best. I don’t think it should stop there though.

I use this only as an example of an assumption made, but not made publicly. I believe as responsible stewards, it’d be best if assumptions on all decisions are shared publicly to encourage discussion on what the community thinks is best. If an assumption is wrong, everyone should have a chance to know and express their opinion as to why or why not.

7 Likes

We’d like to hop in here and give our two cents as well. Gauntlet team has been very very helpful with any questions we have regarding any of their analysis. They have constantly stayed in touch with our team and helped walk us through their frameworks and analyses whenever we’ve asked. During last month’s de-risking and tumultuous times, they kept us informed with risky positions and generally have been an amazing ecosystem partner in our eyes. Overall, we are still an advocate of their original proposal that ultimately failed, and are even more so in support of a revised budget.

7 Likes

Given that I agree with previous comments that transparency is a must, I would like to share that I’m part of the set of AAVE holders that didn’t support this Gauntlet renewal.

The rationale is relatively simple, and related to different points mentioned in this thread:

  • Gauntlet was engaged for recommendations of risk parameters on Aave v2 Ethereum in the previous period. During that period, and just until really recently, no support was given to important v2 pools like Avalanche and Polygon, even being exactly the same instance of the protocol. Even if risk-wise the profile of the assets listed there was different, this heavily contrasts with how the coverage of Aave Arc was proposed diligently fast. It also contrasts with Gauntlet supporting long-time ago platforms of similar nature on Avalanche like Benqi, which from my perspective disqualifies any asset-specific consideration.
    Aave is all the instances of the protocol, not having all of them covered during this period of time is a big minus.
  • During the previous period, whenever I could share feedback, my main point of focus was almost always the same: it is mandatory to be proactive on recommendations and not reactive. This doesn’t mean being fully conservative, because that is relatively simple; it means having an expert and critical criteria. That is the value of engaging a provider.
    Again and again, I perceived this lack of proactivity and I gave the feedback, both in different forum posts here and to Gauntlet directly. The results of the current moment are not enough.
  • From what I know, this was only mentioned sporadically once the market was downtrend, and the problem is not really community involvement in that decision. Personally, I can’t say at all which is the “security budget” if I don’t really understand how accurately the underlying system recommends parameters to protect that margin. I said exactly this to Gauntlet and say it again.
    Being in this kind of decision situation is just fictional; same as other community members, even if I understand the different mechanisms of the protocol, I don’t have models to even give a reliable opinion on what is correct. Gauntlet should have proposed something in the open, but not when the market was already downtrend, way before.
  • Specifically, I’m pretty disappointed with the CRV situation. Let’s cut to the chase: if a party working on risk and doing continuous simulations can’t detect that the liquidation threshold of USDC is risky, what is the point?
    I think Gauntlet did good work on transparency post-event, but as I publicly shared on this forum before, I also fully disagree with the immediate action of doing generalized freezing. The consequences of that reputation-wise for a protocol like Aave are unacceptable; again reactive vs proactive.
  • I have no problem with the pricing of the proposal. Yes, I’m still not fully convinced about the model based on borrow sizes, but there are arguments to support it. My lack of support is for everything else, in this case, $ more/less makes no difference for Aave; what makes the difference is the quality delivered.

Obviously, there have been multiple positive aspects of Gauntlet’s engagement, for example, I can confirm that given my involvement in BGD, Gauntlet has always been top-notch in terms of professional collaboration. It is only fair to be really transparent about it for everybody to know.
In addition, I would really like to have multiple entities on risk engaged with the community. Right now we have Chaos Labs, and partially Llama in some aspects, but if things would be different, having Gauntlet would have been pretty good. But quality for me goes first.


To conclude, participating in discussions and voting on Aave is both a privilege and an ethical responsibility for me. Yes, maybe I can appear as “hard”, but I consider it gives absolutely 0 value to not being critical of the aspects each one of us consider negative, or not voting against when believing so.
I have no reason to think that renewing with Gauntlet is a good idea unless the scope of collaboration radically changes, and so, my lack of support. That being said, if a different collaboration is presented, I have absolutely no problem changing my mind.

6 Likes

I resonate with the points shared by @eboado and @AndrewA - thanks both for your sincerity.

I’m supportive of a renewed proposal but caution against likening them to the “master.”

It is my belief that Aave is better off with two Risk Managers and Gauntlet as one of them; it encourages competition and forces both to be the best versions of themselves.

What Gauntlet has done well:

  • current private communication, probing stakeholders

  • a vision for/towards v3

  • reactive proposals, regular parameter updates

What Gauntlet has done poorly:

  • lack of communication with other risk managers

  • proactive proposals

  • transparency on methods (for the community)

We are supportive of the original vote - but believe this failed Snapshot is the opportunity for the organization to reflect and refine its priorities before going to vote again.

Inputs shared as the ones above are a reminder of where improvements are needed - and where to continue to deliver services, at superior levels.

We look forward to Gauntlet approaching an updated proposal - and are willing to discuss modified incentive structures (both upside and downside), as brought forward by the ACI @MarcZeller

4 Likes

Index Coop is supportive of this proposal.

We’d also like to add that for over a year the Gauntlet team has been incredibly good at communicating with our team. While DeFi often moves fast and voting can take place during difficult/busy times, the Gauntlet team has always alerted us of new analysis and swiftly taken our feedback. To be clear, Index Coop does governance in many places and speed is not typical.

We appreciate all that Gauntlet has done to keep Aave at the forefront of DeFi. Recent analysis/recommendation to remove v2 assets was a difficult one, but considering the unprecedented risks facing lending markets, it is clear Gauntlet has continued to look out for the future of this protocol.

3 Likes

Just wanted to weigh in on my and Llama’s experience working with Gauntlet.

We’ve worked closely with Gauntlet to get risk advice and recommendations on several proposals. In our experience, they are extremely rigorous, professional, and responsive.

Here are a few examples where Gauntlet’s thorough risk simulations have helped us and Aave:

There are times we disagree with Gauntlet. For example, we believe they were too conservative with AIP-121 on risk parameter changes on Aave v2 Ethereum following the CRV excess debt situation. So we worked on AIP-125 with Chaos Labs to update some risk parameters that Gauntlet had proposed earlier.

Gauntlet has been quite understanding and professional through these changes. They proactively worked with us on the CRV debt repayment proposal and proposed using part of their insolvency fund to repay the excess debt.

I hope that the concerns brought up by Ernesto, Andrew, and Fig will be taken seriously by Gauntlet. We look forward to seeing a revised proposal incorporating the feedback that we can discuss and vote on.

Re. scope: there should be some flexibility from Gauntlet’s side (given the changing nature of DeFi), but most expectations on what is and isn’t part of the mandate should be agreed upon upfront.

Aave is a long way away from growing to a $50+ billion protocol. Our goal is to see Aave thrive and I think Gauntlet plays an important role in securing the protocol.

5 Likes

Hi all, we wanted to provide our feedback on Gauntlet’s renewal as well, given our interaction with the team through our delegate activities here on Aave. Overall, our experience with Gauntlet has been very positive. The risk analysis they provide is of consistently high quality, and contributors on their side are very active with meeting our many requests / clarifications. We wanted to call out the work of @Pauljlei in particular - he’s been super helpful while we ramped up on Aave and has engaged with us on many proposals, several notably outside of the scope of Gauntlet’s regular work.

We understand that recent market volatility has adversely impacted Aave, and that Gauntlet has not always been fast enough in responding to these changes. But taking stock of the longer-term history, we would caution the community not to overweigh recency bias. Gauntlet has been very active in monitoring changes during these volatile times, and has proactively pushed through amendments / param changes to coordinate efforts across large groups of stakeholders to keep the protocol safe. Just look at Paul’s Twitter - he’s been calling out these issues long before the most recent attack.

We are in broad agreement with several of the comments above, especially by @eboado and @AndrewA. If the community feels that communication and proactivity from Gauntlet needs to be improved, we would work with the team to draft a new proposal that incorporates those aspects.

We appreciate all the effort that Gauntlet has made in keeping Aave safe during these turbulent times, and the degree of professionalism and communication they have had with us. We look forward to seeing an improved proposal addressing the concerns brought to the fore by several community members in this forum.

9 Likes

@eboado this context is really interesting. I’m curious on a few of the points you brought up…


@inkyamze is this what you’re referring to when you say “Did not align our evolving scope of work with community priorities (deployments, monitoring)”? Personally, I’d love to understand the full context here.


I think digging in here is important. I have a few questions on the “security budget” specifically:

  • Could Gauntlet clearly define this term and explain how their recommended parameters change with a security budget of X for a given market? I think an illustrative example could help
  • It seems like even @eboado, who I assume was part of the private poll, is confused on when the security budget for a market was determined. Could Gauntlet share more precisely how this private poll was conducted?
  • Going forward, with capped liquidity on v3, could Gauntlet propose a process for public polling / discussion of this assumption? cc @Alex_BertoG as I’m guessing you have thoughts

TL;DR: If Gauntlet expected malicious actors to be borrowing/lending irrationally, parameters should have been set much more conservatively to reflect that assumption. However, that’s a very conservative assumption to make. One that I’m not sure would have been approved before these events occurred.

Personally, I have a different perspective here. Economic security of a protocol is less black and white than the security of a smart contract. Market movements, liquidations, and the probability of a protocol getting left with any bad debt is often not something any entity can control.

Instead, risk management is about understanding the range of outcomes and picking the path you’re most comfortable with. Bad debt is often (if not always) a possibility. And I’m of the opinion that the risk of bad debt and its magnitude shouldn’t necessarily be minimized, but balanced vs. interest rates and the fees the protocol is earning.

Now to address the specifics…

In the CRV situation, I think more could have been done (always true to a certain extent). But based on what I’ve seen, it would appear that the “attacker” lost more money in this liquidation than they were able to extract from the protocol. If it’s true that the “attacker” had a high chance of losing money and did end up losing money (debatable, see below questions), then that would make this attack irrational and probably break some assumptions around parameters that were set.

So instead of judging this specific outcome as binary, I think we should be asking ourselves (and Gauntlet) the following:

  • Did Gauntlet (and indirectly the Aave DAO) assume that actors would act 100% rationally when trying to squeeze money out of the protocol?
  • Was the actor acting irrationally? (e.g. Did they have a reasonable chance of profit? Or more precisely, what was their expected value?)
  • What are the odds (including off-chain positions) that the actor did indeed lose money?

These answers aren’t definitive, but they help us better gauge the performance of Gauntlet’s risk recommendation and the conditions under which those recommendations were made.

To restate, it’s still unclear to me if this “trade” was profitable for the “attacker”. On-chain, it would appear difficult to justify the “trade”. But I’d love a more detailed analysis here if Gauntlet has the bandwidth to provide it. It would help gauge the odds of the “attacker” having a chance at profitability and whether or not they could have netted a profit with positions held elsewhere.

A non-exhaustive list of questions that I think need more definitive answers:

  • Where did the on-chain liquidity for CRV come from in preparation for the liquidations? Leading up to the event, obvious sources of on-chain liquidity seemed insufficient
  • Measuring off-chain open interest in impacted tokens (AAVE, CRV, etc.) is something that would also help paint a fuller picture. Was the “attacker” able to put on a big enough position (short or long) on a token impacted by these events to profit from the event?

7 Likes

Thank you all for all the feedback and your candor - we’re genuinely appreciative of all of this to continue to evolve our service offering.

Thanks for the feedback here. It’s worth clarifying that our payment is essentially a fixed price payment given that it’s calculated and paid at the start of the engagement - it doesn’t change throughout. More broadly, we like using a formula based on the two aspects that our work supports (total borrow, active assets) because it allows us to be aligned with the DAO e.g. our payment will now be at least $300k lower given the reduced amount of active v2 assets in the past few weeks.

Completely agree and we’re working on a few things to assist with this. Very open to ideas on what else we can do here.

  • First and foremost, to your point, providing a lot more detail (e.g., underlying assumptions, statistics, tradeoffs) on future parameter recommendations to help the community better understand our work and make decisions.
  • Secondly, we’re launching an updated dashboard in Q1 that provides more visibility into the data that informs our recommendations including liquidation mechanics, asset listing/delisting, liquidity and slippage, interest rate curves, and depeg risk.
  • Lastly, we’re creating more content to explain our methodology, share monthly updates, and talk through key risks via Twitter Spaces AMAs.

For the security budget specifically, this was not initially publicly decided because it would reveal to an attacker how much capital to accumulate. We initially proposed a security budget of $100M based on the safety module size - it was the max slashing value of the safety module (30% of $300M) and hence was theoretically ‘what Aave could pay for’ from what has been dedicated as a fund for insolvencies/coverage. We presented our methodology and confirmed this assumption with various stakeholders.

To your broader point about making decisions publicly, we agree. We need to find better ways to assess the community’s risk appetite - well ahead of market risk situations. Some initial ideas that can start to move the needle here are collaborating with the community and other service providers to create and continuously update a public-facing risk management framework for Aave in order to track community sentiment around risk/reward tradeoffs. We are happy to actively collaborate with a risk council to increase alignment and create a faster response path. Happy to hear additional ideas on this one as well.

You’re absolutely right here - this was due to resource constraints and poor expectation setting. We didn’t specify which markets we would support in our last proposal. For some context, we launched Aave Arc ahead of these two markets based on feedback from Aave Companies. We’re now a team of 50 and starting to make headway on this - we launched v3 Avax in October and are ready to launch v3 Optimism this month. Our simulations currently cover 90% of Aave’s TVL. The full roadmap is here, which we’ve included in the proposal this time around.

Thank you for all the feedback on this one. A few ways we are working on improving here:

  • Overhauling our incident response process, which includes internal and external alerting, escalation, and investigation processes. This updated process will provide the community with much more clarity on how market conditions and risk for Aave are evolving and will cover key market risks such as external (e.g., DEX) liquidity changes, asset price volatility, reserve utilization, and whale liquidations. Development is in progress and is supported by a dedicated Gauntlet analytics team for Aave. We look forward to working with the community to align on key aspects related to how alerts are communicated and escalated given the sensitivity of these events.
  • Formalizing a v2 asset delisting process to avoid future market risks and streamline governance decisions. It is now apparent to the community that as market conditions evolve, assets that were originally safe on Aave may no longer be so. There are frictions to delisting assets and differing community opinions - as such, proposing an asset delisting process so that the community can align on the risk-tradeoffs will help streamline governance decisions that de-risk the protocol.
  • Creating and updating a risk management framework and actively collaborating with a risk council to increase alignment and create a faster response path during market (a few more details above in this reply).

This is a newer challenge for us given the recent addition of Chaos as a risk manager. We’re supportive of collaborating with Chaos and other risk-adjacent service providers on creating risk frameworks and informing the community on key risk decisions. More broadly, we’re also thinking through the best ways to collaborate with all of Aave’s service providers given that our work (market risk) is inherently cross functional.

Choosing a security threshold of $X for Aave means that we expect an attacker to have to deploy more than $X for an oracle manipulation based attack to be profitable. We then estimate the cost of attack for each market (e.g. CRV) based on market parameters and token liquidity. For markets where our estimated cost falls below the chosen security threshold, we would recommend risk-off proposals such as decreasing collateral factors, disabling borrows, or freezing the market entirely if the shortfall is too large. Note that estimating the cost of attack with high precision is extremely difficult as the actual cost will depend heavily on the realized behavior of market-makers and other participants in that scenario.

Historically, our models have assumed actors act rationally. For example, we look at the minimum budget where they are profitable and where the expected value of the attack is positive.

7 Likes