Summary
This document develops a formal framework for timely deficit realization on Aave by introducing an autonomous Risk Oracle that detects and deterministically resolves a specific liquidation failure mode: accounts with minimal remaining collateral (“dust”) and substantial outstanding debt. These accounts are economically insolvent, yet can remain mechanically non-deficit for extended periods because third-party liquidation is not exogenously profitable once the residual collateral is too small to cover gas and execution risk. Under Aave v3.3’s deficit semantics, where deficit is realized only when collateral is exactly zero, this dust state can induce large and persistent deficit latency.
We propose a state-contingent mechanism in which an off-chain Risk Oracle monitors reserve and account-level dynamics and, upon observing a dust state, triggers a highly constrained on-chain executor (“ClinicSteward”) that performs a deliberately loss-tolerant liquidation/cleanup. The objective is not to “improve liquidation profitability,” but to minimize the time between the economic accrual of bad debt and its on-chain realization as a reserve deficit, thereby reducing timing surface area for Umbrella cooldown dynamics and improving the coherence of reserve-level coverage accounting.
Problem statement
Economic insolvency vs. realized deficit
Aave’s deficit is not defined as “the moment an account becomes insolvent” in an economic sense. Instead, deficit is a mechanism-level event: the protocol records bad debt only once a liquidation process ends with absolutely zero collateral remaining while debt still exists. This is an intentionally objective definition and it is structurally compatible with Umbrella’s automated deficit handling.
However, this definition introduces a practical edge case. Accounts can become insolvent and remain liquidatable while still retaining a strictly positive amount of collateral, often so small it is economically meaningless, thereby preventing the “zero collateral” condition from being met. In these states, bad debt is real, but mechanically latent, existing in the system’s balance sheet in economic terms while not yet being expressed as an on-chain deficit event.
The dust regime: why liquidation stalls
The deficit-latency failure mode is driven by a simple economic discontinuity. Liquidations are executed by third parties who are optimizing for private profitability. When the remaining collateral is extremely small, the liquidation bonus cannot compensate for gas costs and execution risk. At that point, finishing the liquidation becomes a public good, improving protocol accounting and deficit timeliness, but it is not privately rational to execute.
This is the “dust regime”: accounts that are liquidatable and meaningfully indebted, yet unprofitable to clean up because the residual collateral is too small relative to fixed execution costs.
Crucially, this is not primarily a function of the magnitude of the deficit. Even if the latent deficit is very large, the account may still sit untouched if the remaining collateral available to seize is near zero. From the perspective of an external liquidator, both an expected $100 deficit and a $10M deficit can be equally non-urgent if the expected collateral payout is dominated by gas.
Why this persists despite other v3.3 improvements
In addition to the enshrined “deficit” system, Aave v3.3 materially improved forced cleanup logic and reduced the probability of “dusty” end states by making liquidation closer to position-wide and by reverting cases that would strand tiny leftovers. In particular:
- the default 50% close factor is applied to the whole position, not per asset, making it easier to liquidate small positions without cascading into dust.
- liquidations up to 100% CF are allowed when the user’s debt/principal on the reserve being liquidated is below
MIN_BASE_MAX_CLOSE_FACTOR_THRESHOLD - introduces
MIN_LEFTOVER_BASEand reverts liquidations that would leave debt or collateral below the threshold unless one side is exactly zero. (MIN_LEFTOVER_BASE = MIN_BASE_MAX_CLOSE_FACTOR_THRESHOLD / 2
However, because Aave liquidations in practice remain asset-parameterized (collateral asset and debt asset are specified per call), and because positions can be cross-margined across multiple reserves, there remain plausible pathways in which liquidation resolves the economically meaningful portion of a position while leaving a small remainder of collateral that blocks deficit realization. In particular, bespoke liquidation choices and reserve-specific constraints can still strand dust in multi-asset accounts. The result is that a position can accrue bad debt during a stress event, but the reserve’s deficit is only realized weeks or months later, purely due to liquidation unprofitability in the dust tail.
In practice, we have observed instances consistent with this pattern: positions that were effectively insolvent at the time of a stress event remained non-deficit for an extended period because they retained a minimal residual collateral balance that made completion unprofitable for external liquidators:
- During the 10.10 drawdown event, this account effectively arbitraged the deviation in the reported oracle price and the onchain price of ENS and CRV assets, via utilizing WETH as collateral to maximally borrow such assets and run away with debt, leading to bad debt accrual. The $61.6K (5760 ENS) deficit event itself, however, was only internalized on December 6th, nearly two months after the bad debt was accrued.
- Similarly, the following account had WETH debt collateralized by AAVE and some marginal amount of USDT, resulting in the vast majority of the position being liquidated on 10.10 outside of 0.0003 USDT in collateral and some 1.38 WETH in debt, i.e., bad debt. The $4.6K deficit itself, however, was only realized on January 3rd, 2026, nearly three months after the bad debt was factually accrued.
Why this matters for Umbrella
Umbrella’s design introduces cooldown-based exit dynamics for slashable backstop capital. This means the timing of deficit realization matters, not just the eventual accounting outcome.
When deficits are realized late, the protocol’s on-chain view of reserve solvency lags the economic reality of losses. This expands the window in which sophisticated actors can condition cooldown and withdrawal behavior on information that is not yet reflected in the mechanism layer.
If governance ever wants to compress cooldown, especially as Umbrella matures and automation improves, then minimizing deficit latency becomes directly relevant. The more promptly deficit events are forced to occur when economically implied, the less exploitable the timing surface area remains.
Proposed mechanism
Overview
We introduce a two-layer system designed to eliminate deficit latency caused by dust-collateral positions:
The first layer is a Deficit Realization Risk Oracle that operates off-chain, continuously monitoring account states alongside reserve configurations. Its role is to detect a narrow and conservative dust condition: accounts that are liquidatable (HF < 1), have strictly non-zero but minimal remaining collateral, and still carry material debt. When such accounts appear, the risk oracle groups them by an executable liquidation route (debtAsset, collateralAsset) and triggers cleanup automatically by submitting transactions to a constrained on-chain executor via batchLiquidate.
The second layer is the Aave ClinicSteward, an on-chain constrained executor that exposes a minimal, permissioned action space for liquidation/repayment operations funded by the Aave Collector. Critically, it enforces a hard USD-denominated budget ceiling (“maximum allowance”) per deployed reserve instance, alongside asset allowlists and strict custody constraints. In the deficit realization use case, the steward is primarily used as a last-mile liquidation finisher, clearing the final dust collateral so that v3.3’s post-liquidation logic can immediately realize any remaining debt as a protocol deficit.
These constraints are what keep the mechanism honest. The goal is not to compete with liquidators in normal conditions, nor to subsidize broad liquidation activity. It is to resolve a narrow failure mode where the account has already crossed into insolvency, but deficit recognition is delayed because the last dust collateral balance makes the position mechanically “non-zero collateral,” and therefore economically unattractive to finish externally.
ClinicSteward specification: constrained action space
The executor’s mandate is narrow: force collateral to exactly zero (in the protocol’s accounting sense) by completing the final dust-level cleanup on accounts that are already insolvent. The key distinction versus legacy “bad debt cleanup” usage is that this variant is not intended to repay the debt stock in any meaningful way. Instead, the liquidation performed is nominal and exists to remove the final collateral remainder; once collateral is zero, the remaining debt is expected to be realized as protocol deficit automatically under v3.3.
This is what allows Collector usage to be factually minimal. The steward may need to pull a small amount of a debt asset to execute the liquidation call (and it may momentarily over-approximate), but it is not designed to absorb the loss by repaying principal. The loss is recognized at the protocol layer as deficit once the collateral is cleared, and any unused underlying plus seized collateral (received as aTokens) is routed back to the Collector deterministically.
Most importantly, this is bounded at the governance layer through the ClinicSteward’s “maximum allowance” / available budget mechanism. Each deployed steward instance has an explicit USD-denominated budget ceiling controlling the total value that can be pulled from the Collector. Any execution that would exceed the remaining budget reverts, and the budget can only be renewed or adjusted through the steward’s admin controls (i.e., under governance authorization). For the deficit-realization use case, this ceiling can be configured orders of magnitude smaller than traditional cleanup budgets precisely because the steward is paying for completion, not repayment.
Risk Oracle policy: continuous monitoring and automatic batch execution
Rather than operating as a one-off “queue builder,” the Risk Oracle runs continuously over the account set and triggers cleanup as soon as accounts enter (and persist in) the dust condition. In practice, it maintains an always-updating watchlist of accounts that satisfy the eligibility criteria: liquidatable status, non-zero but minimal remaining collateral, and meaningful debt. It executes opportunistically when either a batch reaches a practical size threshold or a time-based trigger fires, avoiding the need to wait for perfect batching.
Execution is routed directly through the ClinicSteward’s batchLiquidate entrypoint. Because the steward’s liquidation primitive is asset-parameterized, the Risk Oracle groups eligible users by a specific liquidation route (debtAsset, collateralAsset), then submits batchLiquidate(debtAsset, collateralAsset, users, useAToken) for each group. This keeps the on-chain call surface simple and aligns with how liquidation must be specified in Aave: one debt asset repaid against one collateral asset per call.
This maps cleanly to the steward’s intended operational pattern. batchLiquidate pulls an over-approximation of required debt funds from the Collector, attempts to liquidate each user in the batch, and then returns any unused underlying as well as any seized collateral (received as aTokens) back to the Collector. The overall spend envelope remains tightly bounded by the steward’s availableBudget mechanism, so any attempt to exceed the configured maximum allowance reverts. In this design, the Risk Oracle is the permissioned operator (or one of a small set of operators) holding CLEANUP_ROLE, and is therefore the only entity authorized to invoke batchLiquidate.
Conclusion
Aave v3.3 makes deficit an objective, on-chain primitive, but it still inherits a practical edge case: deficit is only realized once collateral is exactly zero. In the dust tail, liquidatable accounts with minimal residual collateral and meaningful debt can require the last step to be completed, which is not profitable for external liquidators. Consequently, bad debt can remain mechanically unrealized for weeks or months.
This latency matters for Umbrella because cooldown-based exits make timing a first-order concern: delayed deficit recognition increases the window where the protocol’s on-chain solvency view lags economic reality.
The Risk Oracle and ClinicSteward close this gap by automating the last-mile cleanup. The Risk Oracle continuously detects dust states and triggers batchLiquidate, while the steward enforces strict permissions and a hard, governance-set budget ceiling. The result is faster, budget-bounded deficit realization and reduced timing surface area for Umbrella.
Disclosure
Chaos Labs has not been compensated by any third party for publishing this research paper and ensuing risk oracle.
Copyright
Copyright and related rights waived via CC0.