I want to start by acknowledging the DeFi United coalition effort. The speed of coordination — EtherFi, Lido, Mantle, Ethena, BGD Labs, Ink, Golem, and individual contributors pulling together 14,570 ETH in pledges within days — is genuinely impressive and demonstrates something the industry rarely shows: collective responsibility. That matters.
But I have a fundamental problem with this proposal as structured: it asks the DAO to commit 25,000 ETH to make users whole without requiring, as a precondition, any systemic reform to prevent the exact same failure from recurring. The rsETH incident was not a black swan. It was a predictable consequence of accepting collateral that never should have been listed at the parameters it carried. Funding the recovery without fixing the intake process is paying the bill and leaving the kitchen on fire.
The Recovery Math Is Sound. The Governance Sequence Is Backwards.
Let me be clear on what I’m not disputing. The arithmetic is clean. 163,183 ETH original shortfall. 87,955 ETH recovered or recoverable (Kelp freeze, Arbitrum Security Council, hacker position liquidations). 75,081 ETH residual gap. The waterfall structure — donations first, Mantle credit facility second, DAO treasury third — is the right priority ordering. The anchoring of the 25,000 ETH commitment (fixed regardless of later donations, with additional funds retiring the Mantle facility) is operationally smart and avoids the paralysis of constantly recalculating the ask.
What I’m disputing is the sequence. This ARFC should not go to Snapshot until Aave governance has adopted a binding collateral risk assessment framework that would have prevented rsETH from being listed at 93% LTV in the first place.
Why rsETH Should Never Have Been Listed at Those Parameters
The rsETH exploit originated in a 1-of-1 DVN LayerZero bridge configuration. That’s not a novel attack vector — it’s the textbook single-point-of-failure that every infrastructure risk assessment should flag on day one. Let me walk through what a proper collateral evaluation would have surfaced:
- Redemption Posture: rsETH on L2 was bridge-gated. Users couldn’t redeem directly to ETH without routing through the LayerZero adapter. That’s the highest-risk redemption category — no independent exit path. Score: maximum risk.
- Rehypothecation Depth: rsETH is already one layer deep (ETH → staking → liquid restaking token). Bridged rsETH on L2 adds another (bridge-wrapped LRT). Each layer multiplies independent failure vectors. Combined failure probability is multiplicative, not additive.
- Bridge Hops in Provenance: The Unichain → Ethereum route used a 1-of-1 DVN with no optional verifiers. The entire bridge security model reduced to one entity. This alone should have capped the asset at isolated-supply-only with maximum 50% LTV. Instead, it was accepted at 93% LTV on Core.
- Oracle Fragility: The price feed ultimately depended on rsETH’s internal exchange rate, which itself depended on the bridge invariant holding. When the bridge invariant broke, the oracle became a liar — quoting a price that assumed backing that no longer existed.
- Liquidity Depth: rsETH on L2s had thin DEX liquidity relative to the supply caps Aave accepted. Liquidators in a depeg scenario would have moved the price against themselves trying to clear positions — exactly what the bad debt scenarios in the Incident Report model.
Run those five factors through any structured evaluation and the output is clear: rsETH on L2 was a Tier 4 collateral asset at best— suitable only for isolated supply caps at ≤50% LTV. Listing it at 93% LTV on Core was a risk management failure, full stop. The 25,000 ETH this proposal requests is the direct financial consequence of that failure.
What the DAO Should Require Before Releasing Funds
I’m not arguing against the recovery. I’m arguing for conditionality. Before this ARFC moves to Snapshot, governance should adopt a structured asset safety tiering framework with the following properties:
1. Independent Factor Scoring. Every collateral asset evaluated across independent risk dimensions — redemption posture, derivative depth, bridge infrastructure, regulatory status, oracle design, volatility, liquidity depth, and (for time-bound instruments) duration risk. Each factor scored independently. No composite weighting that lets a good score in one dimension mask a critical failure in another. The entire rsETH disaster traces to a composite scoring system that let “good backing ratio” mask “catastrophic bridge infrastructure.”
2. Tier-Gated LTV Limits. Each tier maps to a maximum LTV. Assets with structural risk clusters (bridge-dependent, oracle-fragile, deep rehypothecation chains) are hard-capped at tier-appropriate LTVs that cannot be overridden by governance vote without explicit risk acceptance documentation. The 93% LTV on rsETH was not a calculated risk — it was an uncalculated one.
3. Automated Tier Degradation. When an asset’s underlying risk factors change — a bridge configuration weakens, oracle infrastructure degrades, liquidity thins — the tier should degrade automatically, triggering LTV reductions through the Risk Steward without waiting for a governance cycle. The Automated Supply Cap Updater currently in Temp Check addresses one dimension of this (supply concentration). Tier degradation addresses the collateral quality dimension.
4. Mandatory Infrastructure Dependency Mapping for All LSTs/LRTs. Before any staked or restaked derivative is listed, the proposer must publish a full dependency chain: every smart contract, every oracle, every bridge, every external service in the path from the underlying asset to Aave’s risk engine. No exceptions. I proposed this in the rETH listing discussion — rETH would pass these requirements easily, which is exactly why well-designed assets shouldn’t fear rigorous evaluation.
The Broader Governance Problem
This ARFC authorises Aave Labs to “act as counterparty on any loan, settlement, indemnity or related legal instrument on behalf of the Aave DAO.” It also contemplates “under-collateralised loans, warrants, and potential token sales” using DAO assets and future protocol revenue as collateral. The scope of that authorization is extraordinary and appropriate given the scale of the crisis.
But consider what it means in practice: the DAO is pledging future revenue to service debt incurred because of a collateral listing decision that lacked adequate risk assessment. Every AAVE holder is absorbing the cost of a risk management gap. The least they should receive in return is a binding commitment that the gap will be closed.
The 2022 CRV incident cost $1.9M. The DAO covered it and moved on. No systemic reform followed. The rsETH incident now costs the DAO 25,000 ETH ($57.5M at current prices) plus exposure to credit facilities and future revenue pledges. If the pattern holds — cover the loss, skip the reform — the next incident will be larger, because the attack surface will not have shrunk.
Recommendation
Support the recovery. Condition it on reform.
Specifically:
-
Approve the 25,000 ETH treasury commitment as part of the DeFi United recovery effort.
-
Require, as a binding precondition to fund disbursement, that Aave governance adopts a structured asset safety tiering framework with the properties described above — independent factor scoring, tier-gated LTV limits, automated tier degradation, and mandatory infrastructure dependency mapping for derivative collateral.
-
Require a post-mortem governance process that evaluates every currently listed LST/LRT against the new framework and adjusts parameters where the tier assignment differs from current LTVs.
-
Establish a standing collateral review cadence (quarterly minimum) where Risk Stewards reassess all derivative collateral against the framework, with automatic parameter adjustments for tier changes.
The DeFi United coalition has shown the industry what collective responsibility looks like. Now governance needs to show what institutional learning looks like. Pay the bill and fix the kitchen.
-– Robby Greenfield | tokedex.org