Title: [ARFC] Ethena USDe Risk Oracle and Automated Freeze Guardian
Author: LlamaRisk
Date: Friday, October 24th, 2025

Summary

This post outlines a proposal for an enhanced, risk-managed price oracle and automated freeze guardian for USDe and its derivatives on the Aave protocol. Recent market events have highlighted the importance of having resilient collateral pricing strategies to mitigate the solvency risk Aave takes on. Given these events, it is prudent to upgrade Aave’s USDe pricing mechanism, which currently pegs USDe to the USDT market price.

The proposed system creates a more resilient and proactive framework that protects Aave from solvency risk while shielding users from premature liquidations caused by transient market dislocations. This improvement is enabled by @Chainlink_Labs, whose battle-tested decentralized oracle network (DON) infrastructure already underpins numerous data and interoperability oracle services used by Aave (e.g., Price Feeds, Proof of Reserve, CCIP, LlamaGuard NAV).

At this time, supply caps are set in Ethena-related assets such that Aave has up to $5.5B additional potential exposure to Ethena. To mitigate risks of this potential additional exposure, this trust-minimized system consists of two parts: 1) the dynamic, risk-managed pricing oracle, using the most representative pricing source in different situations, and 2) the protective action-taking mechanism, performing USDe-related reserve freezes if any of the specified risk signals indicate potential solvency stress. These components shield Aave from further harm while protecting current users, creating a more resilient and secure solution.

A critical aspect of this architecture is that it introduces no additional trust assumptions. The entire solution will run on-chain with DAO-approved oversight and via the existing Chainlink infrastructure. LlamaRisk will have no privileged access controls and cannot make unilateral changes to the system’s logic or parameters. This design ensures the system is both highly secure and fully auditable. Furthermore, introducing proactiveness into the system will improve Aave’s resiliency and, therefore, can improve the collateral efficiency of Ethena’s assets on Aave.

This is an early-stage proposal to kick off discussion on fundamental upgrades to Aave’s pricing strategies. We continue to collaborate with Ethena on suitable system stress indicators and parameterization of emergency response. Our highest priority is to ensure the continued stability of Aave markets and support its safe exposure to Ethena assets for the benefit of both protocols and their users.

Motivation

Aave currently prices USDe on par with the USDT price feed. This design was chosen deliberately to safeguard Aave users from the risk of unnecessary liquidations, while tying USDe’s price to its most heavily weighted backing asset for hedging positions (i.e., USDT), and the largest stablecoin backing allocation. Given that USDe can experience temporary de-pegs driven by market sentiment or short-term liquidity constraints on secondary markets, a direct market-priced oracle could trigger liquidations that do not reflect USDe’s actual backing. While this approach effectively protects borrowers, it transfers the solvency risk to the Aave protocol.

In a fundamental backing-related USDe failure scenario, the on-par pricing would prevent necessary liquidations until the oracle is manually updated, potentially leading to an accumulation of bad debt, as outlined in extensive discussions earlier this year. Protection from further exposure depends on a manual freeze initiated by the Guardian multisig. This method introduces inherent latency, as the process necessitates a coordinated human response for situational analysis, signature collection, and transaction execution. Nonetheless, this framework was chosen because Aave already bears most of Ethena’s solvency risks.

During the October 10th aggressive cryptocurrency market volatility events on centralized exchanges, most notably Binance, USDe’s secondary market price experienced a significant, albeit temporary de-peg, moving the price down to $0.65 at the lowest point. However, it is crucial to note that Ethena’s core redemption mechanism proved resilient despite this secondary market dislocation. The protocol handled a significant inflow of redemptions during this event and during the previous stressful event of the Bybit exploit, keeping the redemption flow completely functional and successfully processing more than a billion dollars of USDe redemptions without issue.

While Aave avoided immediate issues from the de-peg on Binance by pricing USDe on par with USDT, the crypto community again raised concerns that this was not an optimal pricing method. In a real insolvency event, this approach would cause Aave to assume all of Ethena’s solvency risk, as the protocol could be exploited as an exit venue for USDe holders. Such tail risks must be addressed proactively.

Note: Chainlink USDe/USD price feed, which sources from multiple venues, did not deviate significantly during this localized de-peg, registering a minor 70 basis point deviation, in line with broader market pricing.

Why is Exposure Limiting Important?

Aave currently prices USDe collateral using the Chainlink USDT/USD price feed. This pricing mechanism creates a critical dependency: in the event of a fundamental failure of Ethena’s backing, USDe’s market price could collapse, but the USDT/USD oracle used by Aave would remain stable at ~$1.00. This opens a window for exploitation:

1. Acquire de-pegged USDe at a steep discount on the open market.
2. Deposit it into Aave, valued at ~$1.00 via the USDT price feed.
3. Borrow fully collateralized assets against it up to the maximum LTV.
4. Default on the loan, leaving Aave with overpriced collateral and bad debt.

To understand the magnitude of the potential bad debt that could be created from this point forward, the table below outlines the maximum new debt that could be created against USDe-related assets. This is calculated using the remaining available supply capacity for each asset. In a de-peg scenario, this entire amount could be rapidly borrowed against newly deposited, devalued collateral, turning into immediate bad debt for the Aave protocol.

In comparison, Ethena’s current stablecoin backing is at $7.35B.

Improving Upon the System

The choice between user protection and protocol solvency is not a binary one. A more advanced system can be implemented to achieve both. We propose a new framework that separates the oracle’s functions into two distinct components: a dynamic pricing system and a proactive action-taking system. The pricing system is designed to switch between different data sources based on real-time indicators of Ethena’s health, ensuring the most appropriate price for USDe is used under various conditions. The action-taking system works in parallel as a circuit breaker, capable of freezing the USDe markets to protect Aave’s solvency if severe stress signals are detected and avoid additional exposure. Together, these components create a comprehensive, responsive, prudent risk management framework.

The Action-Taking System

The Action-Taking System is a proactive safety mechanism. This system is minimally invasive for existing users and, importantly, is not responsible for determining liquidation prices. It acts as an emergency circuit breaker to protect the protocol, freezing the USDe-priced reserves and implicitly limiting the incremental exposure to USDe’s solvency.

The circuit breaker is triggered by stress signals from any of the following four distinct categories, providing comprehensive, defense-in-depth monitoring. These categories are subject to change depending on viability:

1. Market Stress: Monitors the market prices of USDe and its backing stablecoins (e.g., USDT, USDC) for signs of broad market de-pegging.
2. Redemption-System Stress: Tracks the on-chain health and operational capacity of Ethena’s core mint and redeem functions.
3. Proof of Reserve (PoR) Stress: Verifies official reports on Ethena’s collateralization to confirm that assets fully back the circulating supply.

Action Taking Mechanism1600×900 96.8 KB

The system acts on a single‑trigger basis: if one stress category fires, the system freezes all USDe‑priced reserves. Unfreezing happens only after signals normalize for a defined cool‑off period. The mechanism is automated through the Chainlink platform, inheriting the same trust and liveness properties as existing Chainlink price feeds.

The first category is market stress, captured from Chainlink price feeds for the USDe backing stablecoins such as USDT, USDC (and PYUSD if the amount held in the backing is significant to exceed the current reserve fund size). Following the same rationale, stETH/ETH internal exchange rate (and other LSTs) should be included in the aggregation, due to Ethena’s exposure to these LSTs as part of its hedging assets portfolio. If these prices trade below $0.99, the system interprets that as a broad, cross‑stable dislocation rather than a single‑venue artifact. Price weakness in the stablecoin complex tends to precede redemption pressure, so reacting here gives Aave time to contain risk before stress propagates into positions.

The second category is redemption‑system stress, which monitors the health of Ethena’s mint/redeem process directly on-chain. The mechanism monitors whether the redemption buffer is replenished to at least $2M within 50 blocks, and whether the redemption contract is paused. Any of these conditions suggests that operational liquidity is constrained or deliberately throttled. When redemptions cannot be served promptly, the safest course is to ensure Aave cannot be used as exit liquidity while Ethena stabilizes operations.

The third category is the PoR reported by Ethena and verified by independent third parties, including LlamaRisk, Chaos Labs, and Chainlink. It accepts the PoR report as an authority on Ethena’s solvency and will trigger action if collateralization < 100% is reported. This is most likely a lagging indicator, given the infrequent PoR updates; however, it is the most direct insight available about the state of Ethena’s reserves.

Future upgrades to the Action Taking Mechanism can include hedging stress indicators that take perp exchange data, such as slippage, spot vs. perp spreads, and funding rates as proactive risk triggers. To minimize false positives, such trigger conditions shall involve extensive analysis and back testing by Aave risk providers working in collaboration with the Ethena team.

When any category triggers, the system freezes USDe‑priced reserves across Aave. A freeze halts new borrows and disables new collateral enables on the affected assets, but existing positions continue to accrue interest and can be repaid or deleveraged normally. Liquidations can also happen during that time, facilitating exposure lowering. This design prevents Aave from becoming an exit venue during stress and caps incremental exposure without forcing liquidations purely due to transient signals.

The scope of the freeze includes USDe itself and downstream assets priced from it, such as sUSDe and PT‑USDe, ensuring consistent behavior. After all triggered indicators clear (metrics back within thresholds), the mechanism waits for a cool‑off interval—defined in blocks or minutes—before automatically unfreezing; Guardians and governance retain override capability for exceptional cases.

Because the circuit breaker only freezes new supply and borrows, and never changes collateral valuations, it does not create bad debt. It simply buys time for pricing to converge and for operations to normalize, allowing natural repayments and deleveraging to proceed. In effect, the mechanism mitigates Aave’s exposure to USDe‑related insolvency risk, yet minimizes user disruption and preserves the protocol’s openness once conditions stabilize. Our design, however, prioritizes stable protocol operation; therefore, we implement risk triggers that minimize instances of false positives.

Risk-managed Pricing

The core of the new proposal is a dynamic pricing logic that evaluates a hierarchy of signals to determine the preferred USDe pricing method. The system is designed to be resilient, defaulting to the most reflective pricing sources as risk signals appear. The logic is illustrated in the following flow chart.

Risk Managed Feed1600×900 149 KB

The system operates as follows:

• It first checks Ethena’s core operational health by verifying if redemptions are being processed promptly and the mint/redeem buffer has been replenished to at least $2M over the last 50* blocks (~10 minutes). Suppose the redemption buffer is not being replenished on time. In that case, it indicates a severe operational issue, and the system switches to a market-based pricing source, a time-weighted USDe/USD market price oracle.
• If redemptions are operational, the system verifies Ethena’s Proof of Reserves (PoR) from the attestors - LlamaRisk, Chainlink, Chaos Labs & HT Digital - to check if the system is fully collateralized. If collateralization is below 1, it signifies a direct risk to USDe’s backing, and the system then defaults to a mechanism that defines USDe price as the latest USDe redemption rate returned in the Mint/Redeem contract. It is notable that due to the assumed staleness of Ethena’s PoR (currently reported at a 7-day frequency), the indicated collateralization cannot be taken as an accurate measure of the exact USDe backing level, needing to source the USDe backing rate from the Mint/Redeem contract.
• If redemptions and collateralization are healthy, it performs a final check on the live redemption rate from Ethena’s Mint/Redeem contract. If the rate is at or very near par, excluding the usual 10 bps redemption fee (>= 0.999) and gas costs (which are included in the exchange rate calculation), the system is considered fully healthy. Due to the gas cost impact on the exchange rate, a redemption size threshold would be applied. In this state, the oracle can use the most accurate of several price sources, either the currently used Chainlink USDT/USD price or an aggregate market price measure of the stable assets backing USDe and denominating the perpetual hedging pairs.
• If the redemption rate is below this threshold, the oracle will use it as the price source, again applying a redemption size threshold. In cases where the initial checks on redemptions or PoR reported collateralization fail, the system switches to a time-weighted USDe/USD oracle price, which is designed to handle market stress gracefully, not switching to a potentially more aggressive market price of USDe at an instant, but doing it gradually.

Note: Ethena has been briefed on the overall operational flow, and we are actively working with their team to align on all trigger conditions and parameterization to ensure high reliability of the dual price feed and the incorporated risk indicators.

Time-Based USDe Oracle

A key component of the stressed-condition response is the time-weighted oracle. This mechanism is designed to smooth out sudden, volatile price dislocations and protect the Aave protocol from the short-lived de-pegs observed historically. This is achieved using a specifically tuned exponential moving average (EMA) of the USDe/USD market price.

Instead of instantly adopting the new, lower market price during a de-peg, this oracle gradually moves the price from 1 USD toward the Chainlink USDe/USD market price. The adjustment is based on a simple formula where the new price is a weighted average of the current oracle and live market prices. This creates an exponential slope that allows the oracle to catch up to a sustained de-peg quickly but dampens the immediate impact of flash crashes, giving the market time to stabilize and preventing unwarranted liquidations.

Another effect of the gradual price move is making the positions liquidatable in increments, not aggressively at once. Based on our previous analysis, sharp depegs were observed not to have the immediate DEX liquidity depth required to support successful liquidations.

Aggregate Market Price Based on Backing Composition

Instead of relying on a single stablecoin (e.g., USDT) as a fallback reference, we propose an aggregate market‑price oracle constructed from the stable assets that back USDe or denominate the perpetual hedging pairs. The idea is straightforward: each constituent stablecoin or asset contributes to the reference price in proportion to its share of Ethena’s effective exposure. If USDT accounts for 50% of the combined backing and hedge‑denomination footprint, it receives a 50% weight; if USDC accounts for 20%, it receives a 20% weight; and so on for PYUSD, DAI, or other constituents. If significant, stETH/ETH internal exchange rate (and other LSTs) should be included in the aggregation, due to Ethena’s exposure to these LSTs as part of its hedging assets portfolio. The resulting index reflects the value of the collateral basket and the currency units in which hedge PnL accrues, producing a more accurate proxy for USDe’s underlying economics than any stable.

Weights would be sourced from Ethena’s reported backing composition, which is already published and can be consumed programmatically. The oracle ingests this composition on a regular cadence (daily by default) and can refresh more frequently if Ethena provides interim updates during periods of rapid rebalancing. For operational reasons, however, frequent updates to the rebalancing may not be possible. Between updates, the index prices each constituent using its respective Chainlink USD feed, applying the most recent weight vector. This approach keeps the price reference aligned with the real-time backing and hedge denomination mix without introducing undue operational churn.

Operationally, the aggregate index maintains the same trust assumptions as existing Chainlink feeds: constituent prices are read from Chainlink oracles, the weighting and aggregation are executed on a transparent contract, and all parameters and updates are emitted as on‑chain events. Governance and Guardians can set guardrails such as maximum per‑asset weights, minimum asset quality criteria, and failover behavior if a constituent feed is stale. This produces a robust, auditable fallback that tracks USDe’s effective exposure across the stablecoin complex rather than relying on any single asset.

Analysis & Takeaways

Our analysis of the proposed USDe Risk Managed Oracle validates the design via historical data and simulations. The system’s effectiveness is rooted in its use of verifiable, on-chain signals to inform its pricing and safety mechanisms.

A primary signal for the action-taking and pricing modules is the status of Ethena’s mint/redeem buffer. From a historical perspective, the contract shows a sole instance where the buffer was depleted, after which it was replenished within 98 blocks. Since that event, Ethena has adopted a more conservative management strategy, consistently maintaining a healthy buffer and even increasing its capitalization during periods of high redemption demand. This consistent operational performance is significant because a well-capitalized buffer ensures redemptions can be processed reliably and the value of USDe remains stable. This track record of stability validates using the buffer’s replenishment status as a dependable input for our proposed system. A failure to meet the replenishment threshold, as defined in the proposal, would serve as a clear, data-driven indicator of potential stress, allowing the system to take pre-emptive protective measures.

Replenishment Periods1600×1114 93.2 KB

This operational integrity is also reflected in the on-chain redemption rates. The redemptions are serviced at a constant 1:1 rate, deducting a 10 basis point fee and gas costs, leading to consistent values around the $0.9990 level. The stability of this rate provides a reliable proxy for USDe’s fundamental value, anchored directly to its backing assets rather than fluctuating secondary market sentiment. In scenarios where market prices become dislocated, this on-chain rate offers a stable valuation anchor in scenarios where market prices become dislocated, especially as the mint/redeem contract remains functional. The proposed oracle is designed to leverage this, incorporating an adjusted redemption rate as a pricing source under specific stress conditions. This ensures the system has a logical, economically grounded value to fall back on, preventing it from being immediately influenced by temporary market panic or pricing anomalies.

Backtesting the proposed pricing feeds reveals further insights into its expected functioning. During a recent de-peg event, the observed spread between USDe and USDT widened notably. This was caused by a decrease in USDe’s price and a simultaneous increase in USDT’s price, driven by high demand for stablecoins during market-wide liquidations. This event illustrates the limitations of a single-asset peg for an asset like USDe, whose backing is composed of multiple stablecoins. The proposed system addresses this by incorporating an aggregate stablecoin feed designed to reflect the composition of USDe’s backing more closely. By sourcing prices from a basket of assets (USDT, USDC, PYUSD) and LSTs’ internal exchange rates, the feed’s construction goes a step further: the weights of these assets would be dynamically adjusted based on Ethena’s reported backing data. This approach creates a price benchmark representing USDe’s actual collateral dependencies. Instead of enforcing a full correlation with a single asset like USDT, the oracle’s price would inherently reflect the weighted value of its true backing. Consequently, should an issue arise with a single constituent stablecoin, its impact on USDe’s valuation would be adequately weighted according to its share of the collateral, providing a more accurate risk assessment and a more resilient price feed than a simple peg to USDT.

Prices & Spread1600×768 88.8 KB

A central element for managing market stress within the proposal is the mechanism for transitioning the oracle’s price. A direct switch to a raw market price feed during volatility is suboptimal, as immediate price shocks on secondary markets are often more aggressive and rapid than any potential impairment to the underlying backing. To address this, the proposal utilizes a time-weighted price based on an Exponential Moving Average (EMA) to serve as a controlled, gradual smoothing mechanism. Our backtesting confirms that an EMA with a low alpha parameter (in the 0.05 to 0.1 range) is most effective. By design, a low-alpha EMA gives more weight to its stable historical price than to the most recent, and potentially volatile, market update. This means that a sudden, sharp price drop that quickly recovers—a common occurrence under volatile, stressful conditions—will have only a minimal impact on the oracle’s reported price. The system effectively waits for confirmation that a de-peg is sustained over time before it materially adjusts its valuation, thereby distinguishing between transient market noise and a genuine pricing dislocation.

Raw feed vs. EMA1600×880 189 KB

The practical implication of this EMA mechanism is improving user protection and protocol safety. As our simulations show, collateral positions are not immediately subject to liquidation during temporary de-pegs. This creates a critical buffer period, allowing time for market arbitrage to potentially restore the peg or for users to manage their positions by adding collateral. This design balances the protocol’s need to respond to genuine de-pegs while protecting users from forced liquidations caused by short-term volatility.

This deliberate stability, however, introduces a tradeoff that must be considered: the system’s response to a slow, protracted de-peg that falls outside the distribution of historical volatility. Feed updates would be infrequent if a de-peg were to develop slowly and remain just within the Chainlink feed’s 0.5% deviation threshold. As the final heatmap illustrates, with a low-alpha EMA, it could take numerous updates (>5) for the oracle price to catch up, creating a window where the spread between EMA and raw price is apparent.

This risk is substantially mitigated by the oracle’s design; the EMA does not operate in a vacuum. A genuine, prolonged de-peg is highly likely to manifest across metrics the system monitors, such as increased redemption pressure, declining mint/redeem buffer, or even a reported undercollateralization, triggering a protective freeze before significant bad debt can accrue. A second, more benign tradeoff is that the oracle price will also recover back to its peg more slowly after a stress event stabilizes. For Aave, this is an acceptable outcome, as the minimal resulting price spread would not create meaningful arbitrage opportunities or significantly lower the borrowing power of the collateral.

EMA Price Evolution970×699 61.3 KB

Conclusion and Next Steps

This proposal represents a significant evolution in how Aave manages the risks associated with integrated assets like USDe. By moving from a static peg to a dynamic, risk‑managed framework, Aave can better balance user protection with protocol solvency. The system combines a responsive pricing mechanism that adapts to conditions with a proactive circuit breaker that limits exposure when credible stress emerges.

We are working closely with Chainlink to implement both components—the risk‑managed feed and the action‑taking mechanism—so they share the same reliability, transparency, and operational discipline as the price oracles already trusted by Aave. The intent is to publish all inputs and state changes on-chain, preserving transparency while ensuring robust automation and liveness through Chainlink’s infrastructure.

We will also work closely with the Ethena team to identify operational limitations and set reasonable expectations for determining potential stress scenarios. Our highest priority is to advance Aave’s pricing strategies toward improved resilience in all scenarios while maintaining superior user assurances. Ensuring these qualities will require Ethena’s alignment with Aave risk service providers and their support for the final system design.

The immediate next steps are to finalize the system’s thresholds and integrate guardian‑controlled fallbacks. Guardians would retain the ability to override, freeze, or revert configuration in edge cases, keeping operational risk assumptions minimal and aligned with the current Chainlink oracle model on Aave. This approach improves risk management and capital efficiency while maintaining Aave’s open and permissionless nature. We welcome comments and discussion from the community and Aave’s service providers to refine the design and help the DAO make a measured, well‑informed decision.

Disclaimer

LlamaRisk has not been compensated by any third party for publishing this proposal. LlamaRisk serves as a member of Ethena’s risk committee. Both LlamaRisk and Chainlink Labs provide independent third-party verification for Ethena Proof of Reserve (PoR).

Next Steps

1. Publication of a standard ARFC, collect community & service providers’ feedback before escalating the proposal to the ARFC snapshot stage.
2. If the ARFC snapshot outcome is YAE, publish an AIP vote for final confirmation and enforcement of the proposal.

Copyright

Copyright and related rights waived via CC0

I’d like to express serious concerns about introducing a new Chainlink-based risk-managed oracle for USDe on Aave.

While I fully agree that risk management and solvency protection are critical, this particular oracle design appears to introduce more instability and user risk than it mitigates.

1. Proven Issues with Chainlink Oracles

Chainlink’s performance across DeFi has repeatedly shown reliability problems, especially for newer or synthetic assets.
We’ve seen undue liquidations on other money markets using Chainlink feeds for assets such as deUSD and USDO, driven by inaccurate or transient price updates.

The USDR Proof-of-Reserve feed maintained by Chainlink also turned out to be wrong for an extended period, leaving many holders exposed to a depegged “stablecoin.” These are not isolated incidents—they highlight systemic reliability risks.

More recently, a recent analysis made by Chaos Labs showed that the unreliability of Chainlink feeds during October 10th flashcrash caused millions in bad debt on Aave.

2. “Dynamic” USDe Pricing = False Precision

A dynamically priced oracle for a stablecoin might sound robust, but in practice it’s a collection of off-chain reporters posting inconsistent prices on-chain, disconnected from real redemption behavior.

USDe’s redemption mechanism has consistently held 1:1 parity, even during stress events. Yet a Chainlink-style oracle would have registered temporary “depegs” large enough to trigger unnecessary liquidations.

Ironically, hard-pegging USDe to USDT—while simplistic—has proven far more stable and predictable for Aave’s risk framework.

3. Lack of Backtesting or Quantitative Justification

Has any backtesting been performed to show how this oracle would have behaved during the two previous stress events?

• How many forced liquidations would have occurred?

• How much collateral would have been lost due to a 1 % “phantom” Chainlink deviation outside those 2 specific events?

Without data, we can’t claim this improves risk management. It instead seems to introduce oracle-driven volatility disconnected from actual redemption risk.

4. Broader Systemic Risk

Do we really want to introduce contagion to DeFi from misbehavior on a shady centralized exchange—the most heavily used one globally—by letting its price prints cascade into Aave through Chainlink’s aggregation layer?
That’s not risk mitigation; that’s importing CEX fragility directly into Aave’s collateral system.

5. User Impact and Protocol Health

As a user with non-negligible capital in PT loops operating with very low Health Factors (~1.0005 – 1.003), I rely on predictable, consistent oracle pricing.
Introducing noise into that system undermines both user confidence and Aave’s overall TVL stability. Ethena is one of Aave’s largest contributors—hurting its integration damages everyone.

6. Request to LlamaRisk and Governance

If LlamaRisk’s goal is truly to protect Aave’s solvency, I urge a re-evaluation of the Chainlink dependency.
Before implementing, please publish transparent simulations and backtests showing the effect of this oracle under stress. If those results can’t be shared, this proposal should not move forward.

Edited with the help of AI — otherwise this post would have been a lot less diplomatic toward both LlamaRisk and Chainlink.

So I think there are two sides of risk one has to look at when reading this proposal.

1. Aave protocol risk

2. User risk

3. Aave protocol risk
   This is the risk the protocol takes when choosing an asset and it’s associated oracle. If the oracle selection or behavior is wrong/bad this results in bad debt for the protocol, partially covered by Umbrella. As long as the bad debt can be repaid through Umbrella, treasury, etc. The protocol stays healthy and can be used in the future.

4. User risk
   This is the risk the lender is taking by putting his assets into Aave while trusting that a borrower will repay his loan on his own or by a liquidator repaying the loan on behalf of the borrower.
   Then there is the borrower side, where he trusts the protocol that the chosen oracle solution will make sure that the correct price is always reflected, making sure his HF is displayed correct and thus a liquidation will only happen if HF below 1.

Current solution:
USDe is pegged to USDT which is using the USDT/USD price feed. The risk with this price feed is in first place a major risk to the protocol IF Ethena’s backing has a problem. This could result in a real depegging event for USDe, but because Aave is using USDe/USDT as an oracle people could abuse this and take out loans against their depegged USDe token, leaving the protocol with bad debt as @LlamaRisk stated as high as 5.5bn$! In its current state (Umbrella and treasury) the Aave protocol would not be able to cover this deficit, on top of that the reputation of the Aave brand would be shattered.

In my opinion the proposed solution is a solution with which the DAO may could move forward. It reduces the risk for the protocol significantly but also making sure a user is safe as well.

@CryptoScam can you please provide sources for your claims regarding price feed misbehaviour, PoR problems?

@Chainlink_Labs @LlamaRisk could you please check these claims and answer?

Thank you

Hello,

Chaos Labs is the elected service provider of the Aave DAO, providing risk oracles for our protocol.

ACI is against expanding that scope to other providers, or we will need to reconsider the historical scope Chainlink has on price feeds for our protocol.

I would like to remind @LlamaRisk they’re on the Aave DAO payroll.

In addition to the various risk factors discussed above, USDT itself pose a systematic risks. Please be reminded that USDT depegged few times during 2022-2025.

This is definitely a good step toward be responsible to all stakeholders.( AAVE and LPs).

The way Chainlink oracles perform at Oct 11 event (esp for these long tail assets) caused many LPs to suffers unnecessary liquidations. There is another thread which some borrowers lost their life savings in AAVE.

All the SPs are payed by the DAO. The AAVE Dao’s revenue is coming the from Protocol LPs/borrowers. It’s necessary the have a thorough examination and discussion on the oracles methodology so all the stakeholder are to be taken care of. Until a more comprehensive and complete solution is found, the freeze guardian set up is in the good direction to protect stakeholder’s interest.

Hello @LlamaRisk thanks for putting the proposal further. How does this differ from the Chaos Labs risk oracles? and also given that Chaos Labs has already remit on the topic, I want to avoid duplicated work and rather see consolidated contributions.

My main concern is that Chaos has been dedicating resources on the topic to improve the system, ofc Llamarisk has been active early on and contributing.

Thank you all for the valuable feedback on this proposal.

This is an early-stage proposal intended to start a discussion, and we appreciate the community’s input. We agree that a consolidated effort is the best path forward to avoid duplicating work.

We firmly believe the Aave DAO would benefit from additional safeguards to mitigate the significant risks highlighted. To that end, we remain committed to working collaboratively with the DAO’s elected service providers.

Moving forward, we will focus on supporting this initiative by contributing our research and analysis.

Overview

We appreciate the motivation behind this proposal, which aims to strengthen Aave’s resilience in the face of potential USDe-related volatility and to introduce automated, risk-managed safeguards around collateral pricing and exposure control. The recent market events that prompted this discussion have indeed highlighted the importance of improving response mechanisms to asset-specific stress and ensuring that Aave can protect solvency without compromising user stability.

However, while the intent is valid, the proposed framework is both technically and structurally unsuitable for Aave’s architecture and governance model. The system introduces overlapping control layers, blends data provision with risk policy execution, and in practice would create new sources of fragility precisely in the scenarios it aims to mitigate. From a design standpoint, Aave already operates with deep internal buffers, deterministic oracle controls, and privileged redemption capabilities that make a separate market-based “circuit breaker” both redundant and potentially harmful.

Finally, this proposal duplicates work that has already been designed, reviewed, and partially implemented under the DAO’s current mandate. Chaos Labs has been crafting a complete operational pathway that addresses precisely the same risks via USDe, sUSDe, and PT exposures, through a deterministic on-chain system that can redeem, transform, and neutralize collateralized positions without relying on speculative price switching. That existing system, described in detail below, provides stronger solvency guarantees, transparent governance control, and no additional trust assumptions.

For these reasons, we strongly recommend against adopting the framework proposed here. Instead, the DAO should continue to advance the already-approved and technically sound solution developed by Chaos Labs, which achieves the same objectives with greater precision and alignment to Aave’s architecture.

Technical Flaws in the Proposed System

From a technical perspective, the proposed risk-managed oracle and automated freeze guardian introduce structural fragility into Aave’s risk model. The design’s assumptions about price formation, redemption mechanics, and market-signal reliability are misaligned with how Aave actually holds and liquidates exposure. In practice, these mechanisms would over-react to transient conditions, embedding volatility into the oracle layer and creating bad debt precisely when fundamental backing remains sound.

Market fallback during exchange or infrastructure failure is procyclical and misprices solvency

The proposed system switches to a market-weighted price feed whenever Ethena’s redemption buffer is not replenished within a fixed time window. In theory, this appears protective; in practice, it is most dangerous exactly when invoked. During an exchange outage, exploit, or network congestion event, the probability that the redemption buffer fails to replenish is highest, even if Ethena’s collateral backing remains fully intact. Simultaneously, the live market price of USDe on centralized venues becomes distorted, as price oracles overweight the same impaired venues, driving the liquidity freeze.

In such moments, the fallback logic guarantees a procyclical failure: the oracle downweights the true fundamental value and replaces it with a distressed market rate derived from illiquid or dysfunctional venues. This is not hypothetical; the exact mechanism was modeled in Stress Testing Ethena: A Quantitative Look at Protocol Stability, which showed that exchange-specific events can push Chainlink-quoted USDe prices materially below redemption value even while Ethena’s effective collateral ratio remains above 100 percent, as observed in the Bybit Security Event on February 21st, 2025, when the Chainlink USDe/USD price reached as low as $0.977. For Aave, which holds large derivative exposure through sUSDe and PT tokens, such a substitution would trigger cascading liquidations and artificial bad debt, despite the underlying asset being fully redeemable once operational latency is cleared.

image1992×992 66.2 KB

The flaw arises from conflating redemption latency with solvency impairment. For instance, Ethena’s off-exchange settlement architecture is specifically designed to prevent collateral loss in such cases: backing assets are custodied with Copper and Ceffu, not on exchanges, and can be nullified or closed at the last reconciled mark after a short sequence of missed settlement rounds. During this nullification window, unrealized PnL from the failed venue is temporarily inaccessible, creating an unhedged notional gap. The rational response is to restore delta-neutrality pre-emptively on functioning exchanges rather than waiting passively for nullification.

image712×246 30.9 KB

image (1)1996×1180 367 KB

This re-hedging step necessarily draws from the same liquidity pool that feeds Ethena’s redemption buffer. During the brief interval in which stablecoins are posted as margin, redemptions may appear under-provisioned; however, this is an intended safety trade-off: the system utilizes immediate liquidity to defend the aggregate backing value rather than idly maintaining redemption depth. From a risk-management perspective, this reallocation maximizes protocol safety by stabilizing the hedge, minimizing expected PnL loss, and restoring delta-neutrality within hours. Once nullification releases the immobilized collateral, margin capital is withdrawn and redeployed to redemption buffers, restoring full convertibility.

A market-fallback oracle, however, misreads this capital-efficient behavior as distress. Because redemption liquidity is temporarily constrained, the oracle would interpret the buffer shortfall as a trigger condition and begin incorporating exchange-quoted USDe prices that are, at that moment, depressed by the very outage Ethena is mitigating. The result is a circular feedback loop: Ethena diverts stablecoins to defend NAV, the oracle interprets that diversion as evidence of insolvency, and Aave marks collateral to the distressed market prints, locking in a transient exchange failure as protocol-level loss.

The correct control surface, therefore, is not an automated price fallback keyed to redemption-buffer status but a deterministic redemption-anchored liquidation pathway. This preserves solvency even when Ethena reallocates stablecoins to margin, tolerates transient reductions in redemption depth, and ensures Aave realizes value at the true economic backing rather than at distressed market marks. Any mechanism that “follows the tape” during such operational windows undermines Aave’s intrinsic buffers and converts reversible exchange dislocations into permanent protocol losses.

Duration Risk and Maturity Structure

The proposal’s pricing framework treats the temporary absence of immediate redemption liquidity in USDe as a condition requiring oracle intervention. This interpretation is fundamentally inconsistent with how Aave values other collateral types, and it represents a regression in the protocol’s asset-class treatment standards.

A temporary delay in redemption processing, whether due to exchange latency, rebalancing cycles, or queue backlogs, does not inherently constitute a change in economic value. It is simply a liquidity-timing phenomenon. If the proposed logic were applied consistently, then, by the same reasoning, Aave would need to reprice every collateral asset that lacks instantaneous liquidity, including LSTs, LRTs, and strategy-backed tokens such as syrupUSDT, as well as other structured yield assets with considerable demand. All of these exhibit redemption delays, off-chain dependencies, or asynchronous rebalancing, some extending to 30–50 days or more during periods of high validator exits or market congestion.

Yet in all these cases, Aave does not and should not rely on market price volatility as a valuation input. These assets are valued through exchange-rate oracles that reflect the deterministic claim on underlying assets over time, not through reactive market feeds that mirror temporary liquidity premiums or discounts. This approach has proven robust: it ensures that users, the underlying protocol, and more importantly, Aave, are not punished for predictable, time-bound illiquidity while the protocol remains protected through conservative LTVs, liquidation thresholds, and reserve caps calibrated to each asset’s liquidity profile.

Changing USDe’s oracle pricing logic merely because its redemption pathway is temporarily slower undermines this principle. It would imply that the protocol should dynamically mark down any collateral whose redemption is not immediately executable, a stance that is economically incoherent and operationally dangerous. The absence of instantaneous convertibility does not signal impaired backing; it reflects the same type of structured liquidity latency inherent in most yield-bearing DeFi primitives.

Aave’s established practice, anchoring collateral valuation to deterministic exchange rates or on-chain accounting rather than to panic-driven secondary markets, has repeatedly shielded the protocol from cascading liquidations during stress events. By contrast, the proposed system would abandon this proven model in favor of a design that treats transient redemption delay as solvency deterioration, triggering unnecessary repricing, liquidations, and potential bad debt. As detailed in the following sections, the appropriate way to manage and offload debt positions tied to such duration or redemption latency is through a novel redemption-anchored liquidation and offloading framework developed by Chaos Labs and BGD, which preserves solvency and composability without distorting on-chain pricing. This framework was previously introduced in the “Strengthening Stability Between Aave and Ethena: Redemption Priority and Protocol Safeguards” research piece.

Dependence on Ethena’s Redemption Infrastructure

The proposal’s reliance on Ethena’s on-chain redemption infrastructure as a determinant for Aave’s pricing logic introduces a dangerous coupling between two systems with fundamentally different mandates. While freezing markets under clear stress conditions can be justified, using Ethena’s instantaneous redemption rate as a live pricing input for Aave is economically unsound and structurally unsafe.

In periods of market stress or exchange disruption, Ethena’s risk management model must act defensively. When hedging capacity tightens or portions of collateral are temporarily locked in custodial settlement, Ethena has a rational incentive to publish a redemption rate that is deliberately conservative relative to fundamental NAV. In practice, during an exchange failure this redemption quote functions as a lower bound or worst‑case executable price that preserves solvency while settlement paths are impaired. The event itself is discrete rather than a source of continuous loss; once the outage is resolved and positions are rebalanced, the residual backing and any realized loss can be measured precisely.

Keying Aave’s oracle or liquidation logic directly to that worst‑case bound is therefore counter‑productive. Doing so crystallizes a temporary precautionary measure into a mechanical collateral markdown, interpreting Ethena’s internal caution as an external solvency impairment. This would cause Aave to mark down USDe and derivative collateral precisely when Ethena is acting to preserve its own stability, triggering unnecessary liquidations and artificial deleveraging across Aave markets and Ethena alike.

The core issue is that Ethena’s redemption rate reflects system posture, not market value. It encodes operational conservatism, and it can be intentionally biased downward to protect Ethena during short‑lived disruptions. Anchoring Aave’s oracle to that rate means Aave’s solvency engine becomes sensitive to Ethena’s internal control signals; throttling, hedging lags, or custodial latency, none of which imply an actual impairment to the underlying collateral’s value.

Beyond the economic distortion, this design also introduces a direct technical dependency on the Ethena protocol’s infrastructure. The oracle’s pricing behavior becomes contingent on continuous, accurate reporting from Ethena’s mint/redeem contract. RPC desynchronization, API inconsistencies, or keeper failures may result in stale or corrupted redemption data being interpreted as genuine, leading to erroneous oracle updates. In effect, a single missed or misreported contract update on Ethena’s side could propagate instantly into Aave’s core solvency logic.

This combination of economic coupling and technical reliance makes Aave’s oracle behavior both fragile and externally dependent. Aave’s pricing mechanisms must remain insulated from the operational state and telemetry quality of any external protocol, particularly one whose reporting infrastructure can lag, misreport, or intentionally bias parameters for risk control.

Overlapping and conflicting control surfaces

Aave operates under a single-provider model across its oracle stack. Chainlink is the protocol’s exclusive price data provider, and Chaos Labs is the protocol’s exclusive risk oracle provider. The system proposed here directly overlaps with Chaos Labs’ mandate. It embeds automated risk logic, including stress detection, freeze triggers, and collateral repricing, within Chainlink’s oracle framework. These functions already exist within the Aave risk oracle architecture, which Chaos Labs operates. Re-implementing them elsewhere is redundant and inconsistent with Aave’s established structure.

Aave’s risk oracles already monitor asset health, backing composition, and redemption conditions, and can trigger controlled responses such as freezes or repricing when warranted. Introducing a second mechanism under a different provider would fragment the system, create conflicting triggers, and erode the single-source-of-truth model that the DAO has deliberately built around its risk layer.

For canonical Aave deployments, Chaos Labs is the sole risk oracle provider, just as Chainlink is the sole price data provider. That structure reflects both design intent and operational precedent. If the DAO wishes to reopen the scope of all service providers on merit, Chaos Labs welcomes it, although we expect the results to reaffirm the efficiency and coherence of the current model.

The Implemented Alternative: Aave’s Complete Operational Pathway

The system is built around a simple principle: use Aave’s whitelisted redeemer privilege to deterministically transform USDe-exposed collateral into base stablecoins, honoring Ethena’s operational limits and each asset’s time profile (instant USDe, 7-day sUSDe, maturity-bound PTs). Where assets are not instantly redeemable (such as sUSDe; PTs before maturity), the system tokenizes the waiting period into a strictly accounted collateral note (cUSDe7D) and settles as soon as the underlying becomes available. Notably, this design generalizes cleanly to any yield-bearing or redemption-delayed collateral type, such as LSTs, LRTs, or structured yield tokens, thereby providing Aave with a novel, deterministic framework for managing assets with embedded duration risk.

Architecture and Trust Boundaries

At the heart of the system are two contracts and one non-privileged off-chain coordinator. The Redeemer Executor, better known as a clinicSteward, is an on-chain module that composes Aave v3’s pool actions (repay, liquidate, supply, withdraw, borrow) with Ethena’s redeem calls and a flash-loan callback. It performs atomic loops that begin with a flash loan, transform collateral, and end in the same block with the loan repaid. It does not hold assets across blocks.

The sUSDe Cooldown Wrapper is a minimal ERC-20 that mints cUSDe7D against sUSDe sent to it, starts Ethena’s cooldown via cooldownShares(), and after the unlockAt time calls unstake() to receive USDe which it immediately redeems to USDC/USDT and uses to repay debt. A Keeper/Steward runs off-chain and is never a trust root: it selects targets, sizes transactions to depth and quotas, and schedules harvests; the on-chain modules enforce all quotas, pauses, and invariants regardless of the Keeper’s behavior.

Oracle Modes and Signals

The system operates under two oracle regimes: par-anchored and redemption-anchored, each serving distinct operational contexts.

• USDT-Anchored Mode (Default):

  When Ethena maintains full collateralization and redemptions function normally, the oracle references the standard stable feed(s). This mode intentionally disregards short-term redemption latency or secondary market noise, reflecting the economically correct assumption that USDe remains fully redeemable at par.

• PoR-Anchored Mode (Activated Under Stress):

  When Proof-of-Reserves (PoR) attestors (e.g., Chaos Labs, Chainlink, LlamaRisk, HT Digital) detect a fundamental deviation or abnormality in USDe’s backing, Chaos Labs’ risk oracle immediately halts relevant Aave markets to prevent arbitrage and price-manipulation risk. This switch occurs under any of the following verified triggers:

  • PoR attestors confirm impairment in backing or a depeg in fundamental value.
  • The effective volume-weighted average redemption rate drops below a predefined operational threshold (e.g., $0.995 for meaningful size).
  • The redemption buffer remains unreplenished for longer than a fixed grace period or the Mint and Redeem contract is paused.

  Once the exchange stress period has passed, the oracle recalibrates to the realized, redeemer-permissioned, intrinsic value of USDe. This adjusted price is applied atomically within the same block that executes collateral offloading, ensuring that liquidations and redeems occur at a fair fundamental value rather than reflecting secondary market volatility. After offloading is complete, markets remain frozen pending governance review.

  Because the exchange-failure event is discrete, Aave is not forced to transact at the temporary worst-case bound redemption rate reflected in the redemption rate. After such an event, the economically optimal path is to wait until post‑event reconciliation, when the remaining backing and any realized loss are accurately reflected.

  1. Excess Refunds: If the redemption rate is overstated, resulting in over-redemption, users receive the surplus once reconciled.
  2. Atomic Reversion: If the redemption rate is understated or fails, the entire flash-loan transaction reverts and no state change occurs.

  When the mint/redeem contract’s redemption rate is so conservative that the realized proceeds, net of Ethena’s redemption fee, cannot be covered by the newly set liquidation bonus, the liquidation becomes unprofitable and the atomic loop reverts. Given that the liquidation bonus is configured below the redemption fee, an attempt to execute at prices beneath this bound cannot clear; the transaction reverts, and no state change occurs. This creates an implicit lower bound on executable liquidations, preventing Aave from realizing losses at distressed redemption rates. The excess‑refund safeguard still applies if, conversely, the redemption rate is temporarily overstated.

USDe (Vanilla) End-to-End Lifecycle

When a USDe-backed position trends unhealthy, the Redeemer Executor runs a single-block loop. It updates the oracle price of USDe in accordance with its realized fundamental value, takes a flash-loan in the borrower’s debt asset, repays or partially liquidates to seize USDe collateral, immediately calls Ethena’s redeem path using Aave’s whitelisted identity, and receives USDC/USDT subject to maxRedeemPerBlock and repays the flash loan plus fee with the received funds. If the per-block redemption quota is insufficient to fully neutralize the position in one shot, subject to Close Factor constraints, the executor records the residual requirement in an internal quota book, and the system re-targets the same address on subsequent blocks. The mechanism is fully deterministic; it always operates at a derived, realizable redemption value rather than any secondary market price, and thus collapses exposure to the exact redeemable value of the collateral, not an estimate.

sUSDe Lifecycle and the cUSDe7D Note

sUSDe introduces a 7-day unstaking delay, which poses a duration risk to Aave’s solvency surface. To remove this illiquidity while preserving value continuity, the sUSDe Cooldown Wrapper collateralizes the waiting period itself by tokenizing it into a transferable, time-bound note: cUSDe7D.

T₀ Transaction: Tokenized Cooldown (Single-Block, Capital-Neutral Execution)

The process begins when the Redeemer Executor detects an unhealthy position backed by sUSDe. The executor opens a flash-loan in the user’s debt asset (USDC or USDT) and uses it to either partially liquidate the position or execute a repay-on-behalf operation until the user’s Health Factor (HF) is safely above 1.0.

As part of that transaction, the executor seizes the user’s sUSDe collateral, either directly via liquidation or, in a proactive refinancing path, by transferring aTokens from the user through permit and transferFrom. The seized sUSDe is immediately sent to the sUSDeCooldownWrapper, which invokes cooldownShares() on Ethena. This initiates the seven-day unstaking process and, in return, mints cUSDe7D tokens to the protocol in a 1:1 ratio to the expected USDe output of that batch (accounting for any fees or operational haircuts).

The newly minted cUSDe7D is then supplied to Aave on behalf of the user, replacing the original sUSDe collateral. Borrowing against cUSDe7D is disabled, and its LTV is reduced to zero immediately after the swap, ensuring that it provides no incremental borrow power. To close the loop, the executor re-borrows the same amount of the debt stable on behalf of the user and uses it to repay the flash-loan plus fees within the same block.

At the end of the transaction:

• The user’s debt remains unchanged, but their collateral now consists of cUSDe7D, a tokenized representation of USDe in cooldown.
• Aave’s net position is flat; no treasury funds or extra capital are used.
• The seven-day illiquidity is isolated and fully contained within the wrapper, modeled as time-locked collateral rather than an unpriced risk.

T + 7 Days: Harvest and Redemption Settlement

When the cooldown period expires, the Keeper triggers settlement by calling harvest() on the wrapper. The wrapper then executes unstake() to claim the matured USDe and immediately redeems it through Aave’s whitelisted path into USDC or USDT, observing the per-block redemption quota.

The proceeds are used to repay the corresponding portion of the user’s debt:

• The wrapper burns the equivalent amount of cUSDe7D (held as aToken collateral).
• The redeemed stablecoins flow directly into repayment, closing out that portion of the position.

This process effectively mirrors the USDe fast-path described earlier, but substitutes matured cUSDe7D for immediately redeemable USDe. Any excess proceeds can be returned to the user, with the liquidation bonus revenue routed to protocol reserves.

PT USDe and PT sUSDe Lifecycles

Pendle PTs are treated as strictly maturity-bound instruments. The system does not rely on AMM or orderbook liquidity to unwind PT positions prior to expiry, as secondary markets are often thin or unreliable during stress events. Instead, all PTs are held to maturity, at which point they are deterministically redeemed for their underlying assets without market risk or price impact.

Upon redemption, PT USDe transitions directly into the standard USDe liquidation flow (Flow A), executing an atomic offload through the whitelisted redeemer path. PT sUSDe, meanwhile, converts into sUSDe at maturity and subsequently enters the 7-day cooldown transformation path (Flow B), where it is tokenized into cUSDe7D notes.

During extended periods of PT accumulation, the system can adjust interest rate curves and borrow caps to reflect reduced offload velocity and prevent an excessive buildup of duration-bound exposure. This ensures that maturity synchronization, rather than secondary liquidity, governs the pace of unwind, maintaining deterministic recovery and minimizing slippage or systemic feedback loops.

Parameterization and Governance Knobs

Governance owns the oracle mode, liquidation bonus, caps, IR curves, and wrapper/reserve whitelists. In practice, the LB is set relatively low (≈ 0.5%) when the Redeemer path is used, as the protocol bears no external liquidator risk barring redemptions do not go smoothly. This prevents over-taxing users while still compensating for operational costs. Supply caps for cUSDe7D are typically set to the current supply immediately after each swap, effectively locking in growth and ensuring no third party expands the reserve. Borrowing is disabled on cUSDe7D; LTV is granted only intra-tx (one block) to permit the re-borrow step that repays the flash-loan, then set to zero to prevent further leverage. In practice, the cUSDe7D market remains paused throughout the cooldown period, making the underlying oracle reference effectively irrelevant. Because no user actions, such as borrowing, supplying, or liquidating, are permitted while the market is paused, there is no operational dependency on real-time pricing. The oracle remains configured for consistency, but its value does not influence protocol behavior until redemption completes and collateral reverts to liquid USDe or stables.

Because rate surfaces influence utilization and thus redemption pressure, the risk steward can dampen the IR curve on USDe and thus relevant PTs during stress to minimize the effective amplified net negative debt accrual stemming from the aforementioned utilization rate scaling, though the recent introduction of the Slope2 risk oracle generally neutralizes such stress at the base level.

Solvency Math and Sizing

Motivation Behind Collateral “Reimbursement” in cUSDe7D Notes

The core motivation for reimbursing users in cUSDe7D notes rather than constructing new cUSDe7D-backed positions stemming from the Redeemer Liquidator itself is to preserve the integrity of the aggregate collateral buffer during periods of further fundamental backing loss. From Aave’s perspective, creating a new position mid-cooldown effectively splits a single collateralized account into two independent legs, each with its own solvency boundary; a structure that mathematically increases expected bad debt under further collateral deterioration.

image705×606 67.9 KB

The protocol registers bad debt where none previously existed, solely due to the fragmentation of the collateral buffer. A generalized visualization of this phenomenon can be observed below:

image (2)1937×1372 188 KB

Close Factor Implications

image712×400 49.9 KB

output - 2025-08-31T165238.787 (1)1773×1242 151 KB

Conclusion

The need for a reliable system to strengthen Aave’s resilience during potential USDe-related volatility and backing losses is, and should remain, a priority for the DAO. However, the framework design should be implemented in a way that mitigates existing risks rather than exacerbating them.

The proposed solution is unsuitable as during USDe-related stress, particularly exchange failures, secondary markets, and redemption rates can diverge from realizable backing. If propagated into Aave via market-following oracles, it can induce unnecessary bad debt. Additionally, the system introduces overlapping control layers, blends data provision with risk policy execution, and in practice would create new sources of fragility precisely in the scenarios it aims to mitigate.

On the contrary, the framework developed in collaboration with BGD provides a deterministic, capital-neutral path to unwind USDe exposure at its realizable value, while cleanly modeling redemption latency via cUSDe7D, ensuring solvency isn’t hostage to secondary-market noise. It preserves the single, shared collateral buffer, avoids bad-debt convexity from position fragmentation, and executes atomically under the risk oracle’s control with clear auditability.

Critically, the pattern is general: the same wrapper-plus-redeemer architecture extends to virtually any asset with duration risk, including LSTs, LRTs, PTs, and other yield-bearing or redemption-delayed collateral, giving Aave a unified, composable framework to manage time-locked value without externalizing risk.

This part is intentionally deceptive enough that I question the driving forces behind @LlamaRisk making this proposal. It would normally dent my faith in defi governance, but I’ve been impressed by the response to the proposal so far.

If there’s one thing to take away from this proposal, it should be the unacceptable conflict of interest.

edit to add: if Cloaky were here this would not be tolerated

Some key questions are still unanswered.

The above “The Implemented Alternative: Aave’s Complete Operational Pathway” have key risks identified as well.

For ease of reading, here is the list- It non exhaust and will be edited when new risks are identified.

1- Currently the published attestations is 31st Oct 2025 in Chaoslab and Ethena’s website. How often is the attestation done? Is the backing monitoring real time? Or the attestations are done weekly/bi weekly like what have been published.

2- In the described framework, It still relays on a predefined permissioned process.In “PoR-Anchored Mode (Activated Under Stress)", the attestor’s output will plays a key role in how the aave protocol respond. This is the time when the protocol is under stress. The whole aave stakeholder will relay on the attestor’s good faith actions to survive.

3- The process fail to address how to prevent the AAVE from large loss when USDe backing impairment is real and meaningful. Please be reminded that some of the USDe’ custody is Ceffu which is owned by Binance. Binance failed in Oct 11st 2025 pathetically in addition to the numerous operational failure in its history . If any failure happen in Ceffu in future, it will not be a surprise. The backing loss could come from Ethena side or its custodian like Ceffu.

The Chaos lab solution only define a permissioned process how the protocol will react when the USDe backing impairment occur. From the perspective of LPs and AAVE token holders, such solution doesn’t make any big difference comparing to the proposed temporarily solution by Llamarisk.

4- No matter how many your arguments are, hard code USDE with USDT makes USDE a derivative of USDT. USDT have depeged murderous times, how to manage such risk is still a big question to be answered.

Are you referring to the fact that both risk managers here are financially involved in Ethena operations, and cannot be considered impartial? Which I think further raises the need for a neutral third-party input on the subject.