[ARFC] Umbrella Risk Oracles

Governance
1

Summary

This document develops a framework for dynamically calibrating key parameters of the Aave Umbrella system through autonomous Risk Oracles. Umbrella introduces a reserve-level decentralized coverage layer in which participants supply slashable backstop capital and receive incremental compensation financed by protocol-defined emissions. The effectiveness of this mechanism depends on maintaining coherent incentives and coverage targets as reserve conditions evolve, rather than relying on static nominal settings or infrequent parameter updates.

Rather than treating Umbrella configuration as a fixed schedule, we outline a state-contingent parameterization that expresses both coverage and incentive intensity in relative terms. Coverage is represented as a thickness ratio (coverage capital per unit exposure), and incentive spend is represented as a fraction of reserve revenue, yielding a scale-free mapping from observable reserve state to an implied incremental yield. This formulation preserves a transparent accounting interpretation, linking the effective cost of coverage to reserve revenues, while allowing parameters to move consistently with demand regimes.

Risk Oracles act as autonomous agents that monitor reserve dynamics off-chain and reparameterize the system accordingly, enabling tighter alignment between the coverage market’s pricing and the underlying reserve environment with minimal operational overhead. Subsequent work extends the framework to the endogenous construction of coverage targets and broader deployment across markets.

Problem statement: absence of real-time parameter optimization in Umbrella

Umbrella’s core incentive and coverage parameters, most notably Target Liquidity and MaxEmissionPerYear, are specified in static, nominal token units (i.e., absolute quantities of the underlying asset or rewards token), rather than as functions of endogenous market state variables such as demand, utilization, or prevailing supply/borrow rates. This design choice implicitly assumes that the demand regime and the induced equilibrium rates are relatively stationary over the calibration horizon. In practice, however, Aave markets are highly regime-dependent: demand for debt can shift rapidly, and the endogenous interest-rate environment adjusts accordingly. This creates a structural mismatch between fixed nominal incentive schedules and state-dependent market pricing of risk and liquidity, leading to systematic inefficiencies (“leakage”) that can invert Umbrella’s intended risk-alignment properties.

When borrowing demand declines, the underlying market supply rate on the reserve decreases. Because MaxEmissionPerYear is fixed in nominal terms, the incremental yield subsidized by Umbrella constitutes an increasing fraction of the total risk-free (or baseline) return available to suppliers. Put differently, the program can become most generous precisely when system leverage and outstanding debt are lowest, a regime in which marginal coverage is least economically valuable. This results in over-incentivization and inefficient reward spend during periods of lower risk exposure.

Conversely, when borrowing demand rises, baseline supply rates rise endogenously, and the fixed nominal emission budget translates into a smaller incremental yield spread relative to market rates. In this regime, the effective attractiveness of staking into Umbrella may decline, weakening participation and reducing coverage at exactly the time when (i) outstanding debt is higher, (ii) tail risk scales up, and (iii) coverage is most valuable from a solvency perspective.

A similar issue arises for Target Liquidity. In principle, optimal target coverage should scale with the system’s risk exposure, which is naturally proxied by outstanding nominal debt and its distribution across collateral types and liquidity conditions. If Target Liquidity is derived from a Value-at-Risk (VaR) framework, it should evolve continuously as the underlying exposure set evolves. A static nominal target (or infrequently updated parameterization) can therefore be miscalibrated: either demanding excessive capital in low-exposure regimes or failing to require sufficient coverage when exposures expand.

Furthermore, from an operational perspective, altering the underlying value of either TargetLiquidity or MaxEmissionPerYear results in the other being implicitly transformed in accordance with the underlying objective, as altering one but not the other arguably misaligns the targeted incentive structure employed (e.g., increasing TargetLiquidity while maintaining MaxEmissionPerYear results in a lower incremental APR at the target).

Taken together, these dynamics imply that static nominal parameterization induces a procyclical distortion: incentives can be strongest when marginal risk is weakest, and weakest when marginal risk is strongest. The central gap is the lack of a real-time, state-contingent optimization mechanism that adapts Umbrella parameters as functions of observable market conditions (utilization, debt demand, rates, and risk metrics), thereby minimizing reward leakage while maintaining (or improving) required coverage across regimes.

image
image1166×1430 138 KB

image
image1134×1404 129 KB

image
image1144×1350 123 KB

image
image1126×1164 120 KB

image - 2026-01-16T161121.500
image - 2026-01-16T161121.5001679×1372 152 KB

image
image1126×714 70.6 KB

image - 2026-01-16T161148.226
image - 2026-01-16T161148.2261792×1372 158 KB

image
image1130×1080 100 KB

output - 2026-01-16T124657.657 (1)
output - 2026-01-16T124657.657 (1)1779×1372 173 KB

output - 2026-01-16T124650.066 (1)
output - 2026-01-16T124650.066 (1)1814×1372 172 KB

image
image1130×1358 123 KB

image
image1130×1418 114 KB

image
image1144×1038 74.9 KB

image - 2026-01-16T161429.098
image - 2026-01-16T161429.0981768×738 78.7 KB

image
image1128×1382 128 KB

image
image1142×1074 91.5 KB

image
image1130×1188 114 KB

output - 2026-01-14T153346.250 (1)
output - 2026-01-14T153346.250 (1)1780×1371 212 KB

image
image1132×1038 113 KB

output - 2026-01-16T121252.694 (3)
output - 2026-01-16T121252.694 (3)1779×1372 221 KB

In practice, market utilization levels rarely scale below 60-65% and typically range within 75-90%. Concurrently, the dynamic incremental Umbrella APR, which scales with the coverage multiple in the system, is portrayed below for each reserve wrt utilization, assuming current interest rate curve parameters (slope1).
output - 2026-01-16T123220.807 (3)
output - 2026-01-16T123220.807 (3)1920×655 173 KB

Conclusion

Umbrella incentives should be calibrated as a reserve-level pricing problem rather than a static nominal emissions schedule. By expressing both coverage and spend in relative terms, the controller adapts automatically to changes in utilization and the reserve’s revenue environment, reducing leakage and avoiding procyclical incentive behavior. The result is a simple, automatable rule that produces reserve-specific spend recommendations under current market conditions and maps them directly into Umbrella parameter updates.

Disclosure

Chaos Labs has not been compensated by any third party for publishing this research paper and ensuing risk oracle.

Copyright

Copyright and related rights waived via CC0.

1 Like
Chaos Labs - Monthly Community Update
2

Summary

LlamaRisk welcomes the initiative by Chaos Labs to introduce automation and dynamic calibration to the Umbrella system. We agree with the premise that static parameters in a dynamic market environment create inefficiencies, specifically, the leakage of incentives during low-risk regimes and potential under-incentivization during risk-on regimes. The move towards a more frequent parameter update cadence is a logical evolution for the Umbrella module, especially as Umbrella’s emission updates can pose high operational and governance overhead, as observed with previous updates proposed by LlamaRisk.

After a thorough review of the proposed framework, we observe that it has a different fundamental focus compared to the previously ratified Umbrella Methodology. Our methodology considers heterogeneous risk factors that are external to the Aave market, accounting for secondary market liquidity, asset correlations, and liquidation capacity.

By contrast, the proposed Risk Oracle functions primarily as a financial optimization model, calibrating emissions based on revenue and utilization rather than a comprehensive risk-adjusted model. The core assumption of the proposal is that risk scales linearly with nominal debt.

There are merits to both approaches that present an opportunity for a collaborative path forward: utilizing the LlamaRisk methodology to anchor the Coverage Targets, while leveraging the Chaos Labs framework to optimize the Emission Efficiency.

1. The Limitations of Linear Scaling: Debt vs. Liquidity Risk

The proposed framework anchors the target coverage to the aggregate nominal debt via a coverage ratio. This is expressed in the model as:

image
image2020×408 16.5 KB

This linear relationship implies that every dollar of debt carries an equivalent risk weight and requires proportional coverage, regardless of the underlying asset market profile. While this creates a simplified, scalable model, it abstracts away the external market constraints that dictate actual insolvency risk.

As demonstrated in the Umbrella Methodology analysis provided by LlamaRisk, two assets with identical outstanding debt often require vastly different coverage levels. For example, USDC-backed loans benefit from deep secondary market liquidity with USDC pairs, allowing for the absorption of significant liquidations and, therefore, possessing a larger market shock resilience. Conversely, USDT, while having a similar utilization (except for notable periods of utilization stress), often exhibits lower DEX liquidity resilience relative to its collateral base backing loans on Aave. This reduces the market capacity to absorb shocks without bad debt creation.

If the Risk Oracle applies a uniform or purely utilization-based parameter to both, it risks over-covering highly liquid assets, resulting in capital inefficiency, or under-covering less liquid assets, introducing insolvency risk.

Our recommendation is that the definition of Target Liquidity cannot be endogenous to the Aave protocol state alone. It must be derived from Liquidation Capacity, a metric obtained through off-chain simulations of slippage, market depth, and price shock resilience.

2. Methodology Comparison: Financial Model vs. Risk Model

To fully understand the necessity of integrating our methodologies, it is crucial to analyze the distinct objectives and inputs of each framework. The Chaos Labs proposal and the LlamaRisk methodology are, in fact, complementary approaches solving different parts of the equation.

Revenue vs. Market Depth

The Chaos Labs model is driven principally by Protocol Revenue and Utilization. Its logic dictates that as the protocol earns more from higher utilization, it can afford to allocate a larger budget to safety coverage. This is mathematically represented in the proposal by deriving the revenue intensity per unit debt:

image

This creates a budget optimization tool that ensures the protocol does not overspend relative to its income. However, solvency risk does not always correlate perfectly with protocol revenue. A bad debt event can equivalently occur during periods of low utilization or low revenue, potentially leaving the protocol exposed if the coverage target has been algorithmically compressed to save costs.

In contrast, LlamaRisk’s methodology is driven by Market Liquidity and Volatility, while also adapting to DAO’s profitability via debt amount as a proxy. We determine the necessary coverage based on how much of the underlying asset the market can absorb during a liquidation event before slippage becomes catastrophic. We calculate this capacity as:

image

This approach ensures that the safety target is defined by external market reality, specifically the depth of DEX routes and price volatility of each individual asset backing the loans, rather than solely the internal profitability of the Aave reserve.

The Target Logic: Quantity vs. Capacity

The proposed Risk Oracle scales the target linearly with the debt size. It assumes that if the debt doubles, the risk doubles, and therefore the safety cushion should double. The model defines the target coverage ratio ( \kappa_t\ ) as:

image
image1624×122 4.92 KB

This is a financial heuristic that works for general capital allocation, but it does not capture liquidity cliffs.

The LlamaRisk methodology limits the target based on the Safety Threshold and the Borrow Cap, which are informed by the liquidity constraints. We recognize that after a certain point, adding more coverage does not increase safety if the secondary market cannot facilitate the exit of that capital. Therefore, our final target is derived from:

image

This ensures the target reflects the actual maximum risk exposure the market allows, rather than an arbitrary percentage of current open interest.

Data Ingestion: Endogenous vs. Exogenous

The Risk Oracle relies heavily on endogenous, on-chain state data such as supply, borrows, and interest rates. This makes for an elegant, self-contained system. However, the true risks to Aave, price crashes, de-pegs, and liquidity dry-ups originate outside of the protocol. Our methodology ingests exogenous data, including historical volatility, correlation matrices between collateral assets, and trading volumes across various exchanges. This external view is required to accurately calibrate the coverage target against real-world insolvency threats.

3. The Participation Wedge and Behavioral Complexity

The proposal introduces a response model to predict how the market will react to incentives. A critical component of this function is the Participation Wedge, which represents the collateral utility opportunity cost plus the duration risk premium. This is expressed in the function:

image
image1714×208 8.96 KB

While conceptually sound, the proposal treats this wedge as a variable to be ingested, yet it lacks a transparent mathematical formulation or estimation method. Opportunity cost is highly subjective and varies drastically across user strategies; for example, the cost for a looping borrower differs significantly from that of a passive holder.

Attempting to predict a market response function and then optimizing incentives against that prediction is fraught with complexity. Markets are reflexive, and creating a function that attempts to capture aggregate human utility often leads to over-fitting.

It would be far more effective to employ a control loop. Rather than trying to calculate the perfect incentive based on a theoretical wedge, the Oracle should observe the actual participation delta, how the market is actually responding to current rates, and adjust emissions incrementally. This avoids reliance on unobservable variables like the aggregate user utility function.

4. Operational Asymmetry

The proposal describes the Risk Oracle as an autonomous agent, but is ambiguous regarding the update cadence and thresholds. This introduces a critical friction with the architecture of the Umbrella module.

Umbrella enforces a 20-day cooldown period for stakers. This design is intentional, ensuring there is committed, sticky capital that cannot flee immediately during a crisis. If an algorithmic Oracle updates emission rates or coverage targets continuously based on daily volatility in utilization, stakers are exposed to a moving target they cannot react to.

This creates an operational asymmetry: the protocol can adjust the terms of the deal immediately via the algorithm, but the counterparty, the staker, is locked and can only respond after the cooldown. Ultimately, this may lead to lower participation in the Umbrella module. We strongly advise that any automated parameter updates occur on a predictable, low-frequency cadence, such as bi-weekly or monthly epochs, to respect the duration risk stakers are underwriting.

A Collaborative Path Forward

The Chaos Labs Risk Oracle framework offers a sophisticated engine for financial efficiency, ensuring that Aave’s incentive spend scales rationally with its revenue. We also recognize that the Chaos Labs framework intentionally abstracts away off-chain complexity to enable continuous control. However, for Umbrella to function effectively as a safety module, the Target Liquidity must be anchored in market reality with externally calibrated targets, not just protocol revenue.

We propose a hybrid implementation to ensure Aave remains both solvent and efficient:

  1. LlamaRisk Defines the Target Publicly: We will continue to provide the Target Liquidity parameters derived from our external VaR and Liquidity Capacity simulations. This ensures the target takes into account DEX liquidity, volatility, and asset-specific risks that are not easily discernible through on-chain data alone. The update cadence can be managed monthly or more frequently, aligning with the desired financial allocation level set by Aave’s Service Providers, who effectively oversee Aave’s spending.
  2. Chaos Labs Defines the Execution: The Risk Oracle takes the LlamaRisk-defined Target Liquidity as the input and optimizes the Emission Rate required to achieve that target with minimal deviations and maximum revenue efficiency, utilizing the revenue-share logic proposed.

This separation of concerns (Risk-based Targets paired with Revenue-based Execution) provides more robust protection for the protocol. We look forward to collaborating with Chaos Labs to refine this integration.

Disclaimer

This review was independently prepared by LlamaRisk, a DeFi risk service provider funded in part by the Aave DAO. LlamaRisk is not directly affiliated with the protocol(s) reviewed in this assessment and did not receive any compensation from the protocol(s) or their affiliated entities for this work.

The information provided should not be construed as legal, financial, tax, or professional advice.

LlamaRisk - Monthly Community Update
3

Thanks for the review. We appreciate the opportunity to clarify a few points that may have been misinterpreted in our proposal.

“Relative terms” does not imply “linear scaling” (and that’s not the premise)

A key concern raised is that our framework “assumes risk scales linearly with nominal debt” because we express targets and incentives in normalized form. That is not the intent, nor a necessary implication of the normalization.

The purpose of writing the system in relative terms is accounting clarity and scale invariance, not a claim that every unit of debt carries the same risk weight. Concretely:

  • Expressing coverage as a ratio $\kappa = \Lambda/B$ is a way to describe “coverage thickness per unit exposure” so that the spend-share and the implied incremental yield are interpretable across reserves and across time.
  • Importantly, $\kappa$ is reserve-specific and time-varying: two reserves with the same nominal debt can have very different $\kappa$ values (and therefore very different implied incentive requirements). In other words, the framework is explicitly designed so that “same debt” does not imply “same target liquidity” or “same incentives.”

So the normalized form is not saying “risk ∝ debt”; it’s saying “given a reserve’s required coverage thickness, what revenue share is required to procure it efficiently under current reserve conditions?”

Scope clarification: launch optimizes MaxEmissionPerYear only

Another important clarification: the initial Risk Oracle described in the paper does not propose autonomously re-deriving Target Liquidity on-chain from utilization/revenue.

At launch, the oracle’s job is narrowly scoped:

  • Input: required coverage / Target Liquidity (or equivalently \kappa) as provided by governance / existing methodology
  • Output: optimized MaxEmissionPerYear (via \tau) to achieve coverage efficiently and reduce leakage across regimes

We do mention ongoing work toward continuous VaR-style targetLiquidity derivation through Risk Oracles, but that is explicitly framed as subsequent work. The current proposal’s central contribution is that once a coverage requirement is defined, we can automate emissions calibration to maintain coherent incentive intensity relative to reserve revenue and rate regimes, with minimal governance overhead.

The model already allows heterogeneous “risk per dollar of debt” through \kappa (and therefore different spend)

The review uses USDC vs USDT to illustrate that similar utilization can still imply different insolvency risk due to liquidity resilience and secondary market depth.

We agree with that premise, and the proposed framework is compatible with it by construction, because it doesn’t require that \kappa be uniform across reserves. If USDT requires thicker coverage because its VaR measure is weaker, that translates into a higher \kappa, which mechanically increases the implied incentive intensity required to procure coverage via tau.

So heterogeneity in off-chain risk conditions is exactly represented through heterogeneity in \kappa_t and its associated relationship with tau. Normalization is simply the mechanism that preserves the interpretability of that relationship as reserve size and revenue regimes change.

Operations: cadence is state-contingent and bounded by on-chain constraints to minimize “moving target” risk

On operations, we agree with the general point: parameter updates should not create a moving target for stakers, especially given Umbrella’s cooldown mechanics.

Our intended operational posture is not continuous retuning in response to daily noise. The appropriate update cadence depends on the variance in the underlying drivers (interest rate environment, debt growth/contraction, and other state variables). In stable regimes, updates would be infrequent; in fast-changing regimes, the system can justify more responsiveness, subject to implied smoothing to minimize instantaneous behavior and create a factual representation of such variables, as provided in previous risk oracle algorithms.

Crucially, this responsiveness is not unbounded. The design includes guardrails and on-chain constraints intended to minimize volatility as a fallback via bounded parameter changes per update and associated rate limits. These will be defined in the relevant Technical Maintenance Proposal that activates the Risk Oracle.

Why we do not make the controller self-referential (control-loop)

We agree that opportunity cost can be heterogeneous and strategy-dependent, but we think this critique overstates what the Participation Wedge is intended to represent. The wedge is not a claim that we can model an “aggregate human utility function,” and the framework does not depend on point-accurate prediction of how every user type reacts to incentives. Rather, it is a deliberately coarse, mechanism-level adjustment for two frictions that are objectively introduced by Umbrella relative to holding liquid aTokens: (i) staking forfeits collateral/rehypothecation utility, and (ii) the cooldown embeds a real duration/optionality cost. Those are not subjective preferences; they are structural constraints of the product, and some representation of them is necessary; otherwise, the optimization implicitly assumes staking is economically equivalent to holding a liquid aToken position and will systematically underprice the compensation required to clear the coverage market. In that sense, the wedge is a practical correction term that is implemented conservatively, with the goal of avoiding obvious miscalibration regimes (chronic under-coverage or reward leakage), not “solving” user utility or overfitting behavior.

Separately, a pure control loop is not automatically more effective at launch because it presumes the existence of a stable, high-signal participation feedback channel. Umbrella is a nascent primitive, and its supply curve is still forming: participation today is meaningfully impacted by adoption and awareness cycles, onboarding waves, whale positioning, and episodic liquidity movements. That makes the participation signal non-stationary, so a fully self-referential controller can end up chasing transient flows and inducing oscillations, i.e., creating the very reflexivity the critique warns about.

The robust initial posture is therefore to anchor emissions calibration to higher-signal reserve state variables, while relying on Umbrella’s native emissions schedule, which is explicitly conditioned on the realized coverage multiple z = a/Λ, as the primary guardrail that stabilizes incentives across under- and over-coverage regimes. As Umbrella matures and price discovery stabilizes, increasing the weight on closed-loop feedback becomes a natural extension, but it is not the most reliable primary control signal in the current regime.