[ARFC] Ethena USDe Risk Oracle and Automated Freeze Guardian

Governance
8

Overview

We appreciate the motivation behind this proposal, which aims to strengthen Aave’s resilience in the face of potential USDe-related volatility and to introduce automated, risk-managed safeguards around collateral pricing and exposure control. The recent market events that prompted this discussion have indeed highlighted the importance of improving response mechanisms to asset-specific stress and ensuring that Aave can protect solvency without compromising user stability.

However, while the intent is valid, the proposed framework is both technically and structurally unsuitable for Aave’s architecture and governance model. The system introduces overlapping control layers, blends data provision with risk policy execution, and in practice would create new sources of fragility precisely in the scenarios it aims to mitigate. From a design standpoint, Aave already operates with deep internal buffers, deterministic oracle controls, and privileged redemption capabilities that make a separate market-based “circuit breaker” both redundant and potentially harmful.

Finally, this proposal duplicates work that has already been designed, reviewed, and partially implemented under the DAO’s current mandate. Chaos Labs has been crafting a complete operational pathway that addresses precisely the same risks via USDe, sUSDe, and PT exposures, through a deterministic on-chain system that can redeem, transform, and neutralize collateralized positions without relying on speculative price switching. That existing system, described in detail below, provides stronger solvency guarantees, transparent governance control, and no additional trust assumptions.

For these reasons, we strongly recommend against adopting the framework proposed here. Instead, the DAO should continue to advance the already-approved and technically sound solution developed by Chaos Labs, which achieves the same objectives with greater precision and alignment to Aave’s architecture.

Technical Flaws in the Proposed System

From a technical perspective, the proposed risk-managed oracle and automated freeze guardian introduce structural fragility into Aave’s risk model. The design’s assumptions about price formation, redemption mechanics, and market-signal reliability are misaligned with how Aave actually holds and liquidates exposure. In practice, these mechanisms would over-react to transient conditions, embedding volatility into the oracle layer and creating bad debt precisely when fundamental backing remains sound.

Market fallback during exchange or infrastructure failure is procyclical and misprices solvency

The proposed system switches to a market-weighted price feed whenever Ethena’s redemption buffer is not replenished within a fixed time window. In theory, this appears protective; in practice, it is most dangerous exactly when invoked. During an exchange outage, exploit, or network congestion event, the probability that the redemption buffer fails to replenish is highest, even if Ethena’s collateral backing remains fully intact. Simultaneously, the live market price of USDe on centralized venues becomes distorted, as price oracles overweight the same impaired venues, driving the liquidity freeze.

In such moments, the fallback logic guarantees a procyclical failure: the oracle downweights the true fundamental value and replaces it with a distressed market rate derived from illiquid or dysfunctional venues. This is not hypothetical; the exact mechanism was modeled in Stress Testing Ethena: A Quantitative Look at Protocol Stability, which showed that exchange-specific events can push Chainlink-quoted USDe prices materially below redemption value even while Ethena’s effective collateral ratio remains above 100 percent, as observed in the Bybit Security Event on February 21st, 2025, when the Chainlink USDe/USD price reached as low as $0.977. For Aave, which holds large derivative exposure through sUSDe and PT tokens, such a substitution would trigger cascading liquidations and artificial bad debt, despite the underlying asset being fully redeemable once operational latency is cleared.

image
image1992×992 66.2 KB

The flaw arises from conflating redemption latency with solvency impairment. For instance, Ethena’s off-exchange settlement architecture is specifically designed to prevent collateral loss in such cases: backing assets are custodied with Copper and Ceffu, not on exchanges, and can be nullified or closed at the last reconciled mark after a short sequence of missed settlement rounds. During this nullification window, unrealized PnL from the failed venue is temporarily inaccessible, creating an unhedged notional gap. The rational response is to restore delta-neutrality pre-emptively on functioning exchanges rather than waiting passively for nullification.

image
image712×246 30.9 KB

image (1)
image (1)1996×1180 367 KB

This re-hedging step necessarily draws from the same liquidity pool that feeds Ethena’s redemption buffer. During the brief interval in which stablecoins are posted as margin, redemptions may appear under-provisioned; however, this is an intended safety trade-off: the system utilizes immediate liquidity to defend the aggregate backing value rather than idly maintaining redemption depth. From a risk-management perspective, this reallocation maximizes protocol safety by stabilizing the hedge, minimizing expected PnL loss, and restoring delta-neutrality within hours. Once nullification releases the immobilized collateral, margin capital is withdrawn and redeployed to redemption buffers, restoring full convertibility.

A market-fallback oracle, however, misreads this capital-efficient behavior as distress. Because redemption liquidity is temporarily constrained, the oracle would interpret the buffer shortfall as a trigger condition and begin incorporating exchange-quoted USDe prices that are, at that moment, depressed by the very outage Ethena is mitigating. The result is a circular feedback loop: Ethena diverts stablecoins to defend NAV, the oracle interprets that diversion as evidence of insolvency, and Aave marks collateral to the distressed market prints, locking in a transient exchange failure as protocol-level loss.

The correct control surface, therefore, is not an automated price fallback keyed to redemption-buffer status but a deterministic redemption-anchored liquidation pathway. This preserves solvency even when Ethena reallocates stablecoins to margin, tolerates transient reductions in redemption depth, and ensures Aave realizes value at the true economic backing rather than at distressed market marks. Any mechanism that “follows the tape” during such operational windows undermines Aave’s intrinsic buffers and converts reversible exchange dislocations into permanent protocol losses.

Duration Risk and Maturity Structure

The proposal’s pricing framework treats the temporary absence of immediate redemption liquidity in USDe as a condition requiring oracle intervention. This interpretation is fundamentally inconsistent with how Aave values other collateral types, and it represents a regression in the protocol’s asset-class treatment standards.

A temporary delay in redemption processing, whether due to exchange latency, rebalancing cycles, or queue backlogs, does not inherently constitute a change in economic value. It is simply a liquidity-timing phenomenon. If the proposed logic were applied consistently, then, by the same reasoning, Aave would need to reprice every collateral asset that lacks instantaneous liquidity, including LSTs, LRTs, and strategy-backed tokens such as syrupUSDT, as well as other structured yield assets with considerable demand. All of these exhibit redemption delays, off-chain dependencies, or asynchronous rebalancing, some extending to 30–50 days or more during periods of high validator exits or market congestion.

Yet in all these cases, Aave does not and should not rely on market price volatility as a valuation input. These assets are valued through exchange-rate oracles that reflect the deterministic claim on underlying assets over time, not through reactive market feeds that mirror temporary liquidity premiums or discounts. This approach has proven robust: it ensures that users, the underlying protocol, and more importantly, Aave, are not punished for predictable, time-bound illiquidity while the protocol remains protected through conservative LTVs, liquidation thresholds, and reserve caps calibrated to each asset’s liquidity profile.

Changing USDe’s oracle pricing logic merely because its redemption pathway is temporarily slower undermines this principle. It would imply that the protocol should dynamically mark down any collateral whose redemption is not immediately executable, a stance that is economically incoherent and operationally dangerous. The absence of instantaneous convertibility does not signal impaired backing; it reflects the same type of structured liquidity latency inherent in most yield-bearing DeFi primitives.

Aave’s established practice, anchoring collateral valuation to deterministic exchange rates or on-chain accounting rather than to panic-driven secondary markets, has repeatedly shielded the protocol from cascading liquidations during stress events. By contrast, the proposed system would abandon this proven model in favor of a design that treats transient redemption delay as solvency deterioration, triggering unnecessary repricing, liquidations, and potential bad debt. As detailed in the following sections, the appropriate way to manage and offload debt positions tied to such duration or redemption latency is through a novel redemption-anchored liquidation and offloading framework developed by Chaos Labs and BGD, which preserves solvency and composability without distorting on-chain pricing. This framework was previously introduced in the “Strengthening Stability Between Aave and Ethena: Redemption Priority and Protocol Safeguards” research piece.

Dependence on Ethena’s Redemption Infrastructure

The proposal’s reliance on Ethena’s on-chain redemption infrastructure as a determinant for Aave’s pricing logic introduces a dangerous coupling between two systems with fundamentally different mandates. While freezing markets under clear stress conditions can be justified, using Ethena’s instantaneous redemption rate as a live pricing input for Aave is economically unsound and structurally unsafe.

In periods of market stress or exchange disruption, Ethena’s risk management model must act defensively. When hedging capacity tightens or portions of collateral are temporarily locked in custodial settlement, Ethena has a rational incentive to publish a redemption rate that is deliberately conservative relative to fundamental NAV. In practice, during an exchange failure this redemption quote functions as a lower bound or worst‑case executable price that preserves solvency while settlement paths are impaired. The event itself is discrete rather than a source of continuous loss; once the outage is resolved and positions are rebalanced, the residual backing and any realized loss can be measured precisely.

Keying Aave’s oracle or liquidation logic directly to that worst‑case bound is therefore counter‑productive. Doing so crystallizes a temporary precautionary measure into a mechanical collateral markdown, interpreting Ethena’s internal caution as an external solvency impairment. This would cause Aave to mark down USDe and derivative collateral precisely when Ethena is acting to preserve its own stability, triggering unnecessary liquidations and artificial deleveraging across Aave markets and Ethena alike.

The core issue is that Ethena’s redemption rate reflects system posture, not market value. It encodes operational conservatism, and it can be intentionally biased downward to protect Ethena during short‑lived disruptions. Anchoring Aave’s oracle to that rate means Aave’s solvency engine becomes sensitive to Ethena’s internal control signals; throttling, hedging lags, or custodial latency, none of which imply an actual impairment to the underlying collateral’s value.

Beyond the economic distortion, this design also introduces a direct technical dependency on the Ethena protocol’s infrastructure. The oracle’s pricing behavior becomes contingent on continuous, accurate reporting from Ethena’s mint/redeem contract. RPC desynchronization, API inconsistencies, or keeper failures may result in stale or corrupted redemption data being interpreted as genuine, leading to erroneous oracle updates. In effect, a single missed or misreported contract update on Ethena’s side could propagate instantly into Aave’s core solvency logic.

This combination of economic coupling and technical reliance makes Aave’s oracle behavior both fragile and externally dependent. Aave’s pricing mechanisms must remain insulated from the operational state and telemetry quality of any external protocol, particularly one whose reporting infrastructure can lag, misreport, or intentionally bias parameters for risk control.

Overlapping and conflicting control surfaces

Aave operates under a single-provider model across its oracle stack. Chainlink is the protocol’s exclusive price data provider, and Chaos Labs is the protocol’s exclusive risk oracle provider. The system proposed here directly overlaps with Chaos Labs’ mandate. It embeds automated risk logic, including stress detection, freeze triggers, and collateral repricing, within Chainlink’s oracle framework. These functions already exist within the Aave risk oracle architecture, which Chaos Labs operates. Re-implementing them elsewhere is redundant and inconsistent with Aave’s established structure.

Aave’s risk oracles already monitor asset health, backing composition, and redemption conditions, and can trigger controlled responses such as freezes or repricing when warranted. Introducing a second mechanism under a different provider would fragment the system, create conflicting triggers, and erode the single-source-of-truth model that the DAO has deliberately built around its risk layer.

For canonical Aave deployments, Chaos Labs is the sole risk oracle provider, just as Chainlink is the sole price data provider. That structure reflects both design intent and operational precedent. If the DAO wishes to reopen the scope of all service providers on merit, Chaos Labs welcomes it, although we expect the results to reaffirm the efficiency and coherence of the current model.

The Implemented Alternative: Aave’s Complete Operational Pathway

The system is built around a simple principle: use Aave’s whitelisted redeemer privilege to deterministically transform USDe-exposed collateral into base stablecoins, honoring Ethena’s operational limits and each asset’s time profile (instant USDe, 7-day sUSDe, maturity-bound PTs). Where assets are not instantly redeemable (such as sUSDe; PTs before maturity), the system tokenizes the waiting period into a strictly accounted collateral note (cUSDe7D) and settles as soon as the underlying becomes available. Notably, this design generalizes cleanly to any yield-bearing or redemption-delayed collateral type, such as LSTs, LRTs, or structured yield tokens, thereby providing Aave with a novel, deterministic framework for managing assets with embedded duration risk.

Architecture and Trust Boundaries

At the heart of the system are two contracts and one non-privileged off-chain coordinator. The Redeemer Executor, better known as a clinicSteward, is an on-chain module that composes Aave v3’s pool actions (repay, liquidate, supply, withdraw, borrow) with Ethena’s redeem calls and a flash-loan callback. It performs atomic loops that begin with a flash loan, transform collateral, and end in the same block with the loan repaid. It does not hold assets across blocks.

The sUSDe Cooldown Wrapper is a minimal ERC-20 that mints cUSDe7D against sUSDe sent to it, starts Ethena’s cooldown via cooldownShares(), and after the unlockAt time calls unstake() to receive USDe which it immediately redeems to USDC/USDT and uses to repay debt. A Keeper/Steward runs off-chain and is never a trust root: it selects targets, sizes transactions to depth and quotas, and schedules harvests; the on-chain modules enforce all quotas, pauses, and invariants regardless of the Keeper’s behavior.

Oracle Modes and Signals

The system operates under two oracle regimes: par-anchored and redemption-anchored, each serving distinct operational contexts.

  • USDT-Anchored Mode (Default):

    When Ethena maintains full collateralization and redemptions function normally, the oracle references the standard stable feed(s). This mode intentionally disregards short-term redemption latency or secondary market noise, reflecting the economically correct assumption that USDe remains fully redeemable at par.

  • PoR-Anchored Mode (Activated Under Stress):

    When Proof-of-Reserves (PoR) attestors (e.g., Chaos Labs, Chainlink, LlamaRisk, HT Digital) detect a fundamental deviation or abnormality in USDe’s backing, Chaos Labs’ risk oracle immediately halts relevant Aave markets to prevent arbitrage and price-manipulation risk. This switch occurs under any of the following verified triggers:

    • PoR attestors confirm impairment in backing or a depeg in fundamental value.
    • The effective volume-weighted average redemption rate drops below a predefined operational threshold (e.g., $0.995 for meaningful size).
    • The redemption buffer remains unreplenished for longer than a fixed grace period or the Mint and Redeem contract is paused.

    Once the exchange stress period has passed, the oracle recalibrates to the realized, redeemer-permissioned, intrinsic value of USDe. This adjusted price is applied atomically within the same block that executes collateral offloading, ensuring that liquidations and redeems occur at a fair fundamental value rather than reflecting secondary market volatility. After offloading is complete, markets remain frozen pending governance review.

    Because the exchange-failure event is discrete, Aave is not forced to transact at the temporary worst-case bound redemption rate reflected in the redemption rate. After such an event, the economically optimal path is to wait until post‑event reconciliation, when the remaining backing and any realized loss are accurately reflected.

    1. Excess Refunds: If the redemption rate is overstated, resulting in over-redemption, users receive the surplus once reconciled.
    2. Atomic Reversion: If the redemption rate is understated or fails, the entire flash-loan transaction reverts and no state change occurs.

    When the mint/redeem contract’s redemption rate is so conservative that the realized proceeds, net of Ethena’s redemption fee, cannot be covered by the newly set liquidation bonus, the liquidation becomes unprofitable and the atomic loop reverts. Given that the liquidation bonus is configured below the redemption fee, an attempt to execute at prices beneath this bound cannot clear; the transaction reverts, and no state change occurs. This creates an implicit lower bound on executable liquidations, preventing Aave from realizing losses at distressed redemption rates. The excess‑refund safeguard still applies if, conversely, the redemption rate is temporarily overstated.

USDe (Vanilla) End-to-End Lifecycle

When a USDe-backed position trends unhealthy, the Redeemer Executor runs a single-block loop. It updates the oracle price of USDe in accordance with its realized fundamental value, takes a flash-loan in the borrower’s debt asset, repays or partially liquidates to seize USDe collateral, immediately calls Ethena’s redeem path using Aave’s whitelisted identity, and receives USDC/USDT subject to maxRedeemPerBlock and repays the flash loan plus fee with the received funds. If the per-block redemption quota is insufficient to fully neutralize the position in one shot, subject to Close Factor constraints, the executor records the residual requirement in an internal quota book, and the system re-targets the same address on subsequent blocks. The mechanism is fully deterministic; it always operates at a derived, realizable redemption value rather than any secondary market price, and thus collapses exposure to the exact redeemable value of the collateral, not an estimate.

sUSDe Lifecycle and the cUSDe7D Note

sUSDe introduces a 7-day unstaking delay, which poses a duration risk to Aave’s solvency surface. To remove this illiquidity while preserving value continuity, the sUSDe Cooldown Wrapper collateralizes the waiting period itself by tokenizing it into a transferable, time-bound note: cUSDe7D.

T₀ Transaction: Tokenized Cooldown (Single-Block, Capital-Neutral Execution)

The process begins when the Redeemer Executor detects an unhealthy position backed by sUSDe. The executor opens a flash-loan in the user’s debt asset (USDC or USDT) and uses it to either partially liquidate the position or execute a repay-on-behalf operation until the user’s Health Factor (HF) is safely above 1.0.

As part of that transaction, the executor seizes the user’s sUSDe collateral, either directly via liquidation or, in a proactive refinancing path, by transferring aTokens from the user through permit and transferFrom. The seized sUSDe is immediately sent to the sUSDeCooldownWrapper, which invokes cooldownShares() on Ethena. This initiates the seven-day unstaking process and, in return, mints cUSDe7D tokens to the protocol in a 1:1 ratio to the expected USDe output of that batch (accounting for any fees or operational haircuts).

The newly minted cUSDe7D is then supplied to Aave on behalf of the user, replacing the original sUSDe collateral. Borrowing against cUSDe7D is disabled, and its LTV is reduced to zero immediately after the swap, ensuring that it provides no incremental borrow power. To close the loop, the executor re-borrows the same amount of the debt stable on behalf of the user and uses it to repay the flash-loan plus fees within the same block.

At the end of the transaction:

  • The user’s debt remains unchanged, but their collateral now consists of cUSDe7D, a tokenized representation of USDe in cooldown.
  • Aave’s net position is flat; no treasury funds or extra capital are used.
  • The seven-day illiquidity is isolated and fully contained within the wrapper, modeled as time-locked collateral rather than an unpriced risk.

T + 7 Days: Harvest and Redemption Settlement

When the cooldown period expires, the Keeper triggers settlement by calling harvest() on the wrapper. The wrapper then executes unstake() to claim the matured USDe and immediately redeems it through Aave’s whitelisted path into USDC or USDT, observing the per-block redemption quota.

The proceeds are used to repay the corresponding portion of the user’s debt:

  • The wrapper burns the equivalent amount of cUSDe7D (held as aToken collateral).
  • The redeemed stablecoins flow directly into repayment, closing out that portion of the position.

This process effectively mirrors the USDe fast-path described earlier, but substitutes matured cUSDe7D for immediately redeemable USDe. Any excess proceeds can be returned to the user, with the liquidation bonus revenue routed to protocol reserves.

PT USDe and PT sUSDe Lifecycles

Pendle PTs are treated as strictly maturity-bound instruments. The system does not rely on AMM or orderbook liquidity to unwind PT positions prior to expiry, as secondary markets are often thin or unreliable during stress events. Instead, all PTs are held to maturity, at which point they are deterministically redeemed for their underlying assets without market risk or price impact.

Upon redemption, PT USDe transitions directly into the standard USDe liquidation flow (Flow A), executing an atomic offload through the whitelisted redeemer path. PT sUSDe, meanwhile, converts into sUSDe at maturity and subsequently enters the 7-day cooldown transformation path (Flow B), where it is tokenized into cUSDe7D notes.

During extended periods of PT accumulation, the system can adjust interest rate curves and borrow caps to reflect reduced offload velocity and prevent an excessive buildup of duration-bound exposure. This ensures that maturity synchronization, rather than secondary liquidity, governs the pace of unwind, maintaining deterministic recovery and minimizing slippage or systemic feedback loops.

Parameterization and Governance Knobs

Governance owns the oracle mode, liquidation bonus, caps, IR curves, and wrapper/reserve whitelists. In practice, the LB is set relatively low (≈ 0.5%) when the Redeemer path is used, as the protocol bears no external liquidator risk barring redemptions do not go smoothly. This prevents over-taxing users while still compensating for operational costs. Supply caps for cUSDe7D are typically set to the current supply immediately after each swap, effectively locking in growth and ensuring no third party expands the reserve. Borrowing is disabled on cUSDe7D; LTV is granted only intra-tx (one block) to permit the re-borrow step that repays the flash-loan, then set to zero to prevent further leverage. In practice, the cUSDe7D market remains paused throughout the cooldown period, making the underlying oracle reference effectively irrelevant. Because no user actions, such as borrowing, supplying, or liquidating, are permitted while the market is paused, there is no operational dependency on real-time pricing. The oracle remains configured for consistency, but its value does not influence protocol behavior until redemption completes and collateral reverts to liquid USDe or stables.

Because rate surfaces influence utilization and thus redemption pressure, the risk steward can dampen the IR curve on USDe and thus relevant PTs during stress to minimize the effective amplified net negative debt accrual stemming from the aforementioned utilization rate scaling, though the recent introduction of the Slope2 risk oracle generally neutralizes such stress at the base level.

Solvency Math and Sizing

Motivation Behind Collateral “Reimbursement” in cUSDe7D Notes

The core motivation for reimbursing users in cUSDe7D notes rather than constructing new cUSDe7D-backed positions stemming from the Redeemer Liquidator itself is to preserve the integrity of the aggregate collateral buffer during periods of further fundamental backing loss. From Aave’s perspective, creating a new position mid-cooldown effectively splits a single collateralized account into two independent legs, each with its own solvency boundary; a structure that mathematically increases expected bad debt under further collateral deterioration.

image
image705×606 67.9 KB

The protocol registers bad debt where none previously existed, solely due to the fragmentation of the collateral buffer. A generalized visualization of this phenomenon can be observed below:

image (2)
image (2)1937×1372 188 KB

Close Factor Implications

image
image712×400 49.9 KB

output - 2025-08-31T165238.787 (1)
output - 2025-08-31T165238.787 (1)1773×1242 151 KB

Conclusion

The need for a reliable system to strengthen Aave’s resilience during potential USDe-related volatility and backing losses is, and should remain, a priority for the DAO. However, the framework design should be implemented in a way that mitigates existing risks rather than exacerbating them.

The proposed solution is unsuitable as during USDe-related stress, particularly exchange failures, secondary markets, and redemption rates can diverge from realizable backing. If propagated into Aave via market-following oracles, it can induce unnecessary bad debt. Additionally, the system introduces overlapping control layers, blends data provision with risk policy execution, and in practice would create new sources of fragility precisely in the scenarios it aims to mitigate.

On the contrary, the framework developed in collaboration with BGD provides a deterministic, capital-neutral path to unwind USDe exposure at its realizable value, while cleanly modeling redemption latency via cUSDe7D, ensuring solvency isn’t hostage to secondary-market noise. It preserves the single, shared collateral buffer, avoids bad-debt convexity from position fragmentation, and executes atomically under the risk oracle’s control with clear auditability.

Critically, the pattern is general: the same wrapper-plus-redeemer architecture extends to virtually any asset with duration risk, including LSTs, LRTs, PTs, and other yield-bearing or redemption-delayed collateral, giving Aave a unified, composable framework to manage time-locked value without externalizing risk.