Chaos Labs Is Leaving Aave

image1920×768 111 KB

Since November 2022, Chaos Labs has priced every loan initiated on Aave and managed risk across all Aave V2 and V3 markets and networks, with zero material bad debt.

During that time, Aave grew from $5.2 billion to more than $26 billion in TVL, facilitated over $2.5 trillion in cumulative deposit volume, and processed over $2 billion in liquidations.

image2048×1152 167 KB

Today, we are stepping down from that mandate and seeking to proactively terminate our engagement.

This decision was not made in haste. We worked in good faith with DAO contributors. Aave Labs was professional and supported increasing our budget to $5m to retain us. However, we are leaving because the engagement no longer reflects how we believe risk should be managed.

Despite not agreeing on the path forward, I believe Aave Labs is doing what it thinks is in Aave’s best interest.

Why We’re Walking Away

We’ve lived and breathed Aave for three years, through market crises that tested every parameter we set and every machine learning model we’ve built.

When we joined, the DAO’s run rate was negative $35 million. At its peak several months ago, it reached $150 million. We take real pride in being a core contributor during that period.

People don’t walk away from something like that without good reason. So, in the interest of transparency and in the hope that it’s useful to the DAO going forward, here is our reasoning.

Money solves many problems, but not all of them. The deeper issue is a fundamental misalignment on how risk should be managed at Aave. The more we discussed the path forward, the clearer that gap became.

It came down to three things:

• Core Aave contributors left, materially increasing the workload and operational risk.

• V4 expands the scope of the risk function, increases the operational and legal burden, and does so on an architecture we did not design and would not have designed this way.

• For the past three years, we’ve run the Aave engagement at a loss. Even with an increase of $1m, we’d still be operating Aave’s risk with negative margins.

That leaves two options, neither of which we’re willing to accept:

• Do our best with the resources we receive, knowing it’s not enough to execute at the standard the largest DeFi application in the world demands.

• Subsidize Aave’s risk operations and continue to lose money.

But even if the economics were resolved, the misalignment on how risk should be prioritized and managed at Aave would remain. And that is not something a budget increase alone can fix.

None of this changes how we feel about the work itself.

Chaos Labs has always viewed our contributions to Aave as a privilege, and one that comes with great responsibility.

Our reputation is our track record. Every engagement is worth doing at the standard it demands, or not at all.

People, Technology, and Operational Experience

Aave is a great brand. Its dominance was never about having the flashiest features or the most aggressive growth strategy.

What made Aave dominate over time was its reliability. The brand and sentiment were always a trailing indicator of its performance, security, and risk management across all market conditions, including the tail events that decimated other market participants. It was from this that “Just Use Aave” was born.

Competitors shipped more novel mechanisms and more aggressive growth strategies. One by one, they blew up due to risk management failures or security exploits. In a market defined by the world’s most volatile asset classes, survival is the product. The protocol that manages risk best, longest, wins.

Where Aave did innovate was in the areas most protocols overlooked: process and infrastructure. Risk Oracles, which we built and first launched on Aave, allowed the protocol to self-heal and update parameters in real time in line with dynamic, volatile market conditions. That infrastructure helped Aave scale to over 250 markets across 19 blockchains, streaming hundreds of parameter updates per month while maintaining the operational rigor that has earned it the trust it has today.

image1920×1080 204 KB

image2048×1087 176 KB

That rigor was produced by a specific operators and stack: ACI on growth/governance, TokenLogic on treasury/growth, BGD on protocol engineering, and Chaos Labs on risk.

The brand is what people see.

The people, technology, and operational experience are what made it worth seeing.

GTM and Institutional Expansion

Our contributions extended well beyond risk.

Over the past few years, crypto has institutionalized rapidly. The largest financial institutions in the world now integrate DeFi, and while the benefits of coming onchain are real, none of them matter if an institution fears it might lose customer deposits. For any regulated entity, the conversation starts and ends with risk. A few extra basis points of yield are never worth principal risk. Institutions seek the best risk-adjusted returns, and they will not allocate capital to a protocol they cannot underwrite to their compliance team.

That reality made Aave’s risk track record its most valuable go-to-market asset. It also positioned us, as the team responsible for that track record, to engage directly with these institutions. At Aave Labs’ request, we took on that role, traveling globally to meet partners, producing research and due diligence collateral, and supporting Aave’s institutional expansion firsthand. We hope the DAO will benefit from the fruits of that labor in the months to come.

The Ship of Theseus

If you replace every plank of a ship, is it still the same ship? The name is the same. The flag is the same. But nothing underneath is what it was.

That is where Aave stands today.

Core contributors who built and operated V3 have departed. Most of the accumulated operating knowledge that kept Aave running through three years of live markets has left with them.

We are the last remaining technical contributor from that group.

V3 is still the largest application in DeFi and requires 24/7/365 risk management. While Aave Labs is optimistic about a swift migration to V4, history suggests these transitions take months and even years. Until V4 fully absorbs V3’s markets and liquidity, both systems need to be operated and managed simultaneously. The workload during the transition doesn’t halve. It doubles.

Then there is the question of operating experience. Even if you assume identical ability across teams, three years of continuous operation produce knowledge that doesn’t transfer in a handoff.

How long does it take to close that gap?

The answer is not zero, and until it closes, someone has to bear the cost of bridging it. That responsibility falls entirely on us, on a budget that was already insufficient before the scope expanded. Continuity of brand is not the same thing as continuity of system.

Why V4 Is Different

V4 is a completely new lending protocol, with a new smart contract codebase, new system architecture, and a new paradigm. The only resemblance it shares with Aave V3 is the name.

The architecture changes in ways that matter directly for risk: more interdependent configurations across spokes and markets, new credit structures, and modified liquidation logic. And as with any new protocol, second-order failure modes will only surface once real capital moves through the system.

Taking on something new responsibly requires new infrastructure, new tooling, new simulations, and the full operational burden of going from zero to one again on a codebase that has not yet been battle-tested. That is a materially larger scope than V3, and that expansion is core to our calculus.

Risk is downstream of architecture. When the architecture changes completely, the risk engagement changes completely. Unlike turnkey solutions such as price oracles or proof-of-reserves, Risk Oracles and their accompanying systems are purpose-built for each protocol’s architecture. When that architecture is rewritten from scratch, the risk infrastructure must follow.

As a result, while the scope changed materially, the resourcing did not.

Aave Labs may be comfortable with those trade-offs. We are not.

What It Actually Costs

We are walking away from a $5 million engagement that has worked historically. As a startup, that is not something you do lightly, and we think the reasoning deserves context that goes beyond the surface.

Compensation is part of this story, but more than anything, it is a signal. How much an organization allocates to risk tells you how it prioritizes it.

I also believe that very few people understand what it actually costs to run this type of operation, what the real expenses are, and what risks you take on. So I want to open that up.

To be clear: the DAO has every right to decide what it values and what it wants to pay for. I take no issue with that. My job is simply to decide whether the terms work for us. In this case, they don’t.

Comparing Aave to a Bank

Aave likes comparing itself to banks, so let’s use that benchmark. Banks allocate 6 to 10 percent of revenue to compliance and risk infrastructure. In 2025, Aave generated $142 million in revenue. Our budget was $3 million, roughly 2% of protocol revenue.

Our estimate for the minimum risk budget covering V3, V4, and the GTM work we were already performing was $8 million, or 5.6 percent of protocol revenue. Still below the floor of what any bank allocates to the equivalent function

I also believe that the comparison is generous. The open nature of blockchains makes adversarial risk, both market and cyber, fundamentally more asymmetric than in traditional finance. Protocols are open source and transparent by design, which means attack surfaces are visible to everyone. Recent exploits have demonstrated that this is real. I believe that DeFi’s investments in risk management should exceed that of its traditional counterparts, not trail behind it.

Nothing at Aave’s scale exists in DeFi, so no comparison will be perfect. The bank benchmark is a proxy for contextualizing the cost of risk infrastructure at institutions that take it seriously. Whether a DeFi protocol can afford to fund risk properly is a separate question from whether it chooses to.

Thankfully, for Aave, affordability is not the constraint. The DAO holds $140 million in its treasury, and Aave Labs recently passed a proposal for $50 million in self-funding.

But even if resources were scarce, the cost of managing risk at this scale would not change.

Budgets don’t reshape the threat landscape. The cost is the cost.

The Costs That Don’t Appear in a Budget

Headcount and infrastructure are the visible costs. There are others that are harder to price, but that anyone in this role must absorb.

The first is legal and institutional exposure. Risk management in DeFi, whether as a risk manager or vault curator, carries liability that remains fundamentally undefined. There is no regulatory framework, no safe harbor, and no settled law that answers the question of what a risk manager or curator owes when a protocol fails. If things work, the work is invisible. If things break, the blame is not.

The second is cyber and operational security. Managing risk for a protocol that secures tens of billions makes you a target. The audits, monitoring, infrastructure, and internal controls required to ensure the systems managing risk are secure are a cost that scales with every dollar of user deposits.

These costs are not unique to us. Anyone stepping into this role at this scale will face the same exposure. The question is whether the engagement is structured to reflect that.

If the upside is incremental and the downside is uncapped, saying yes is not conviction.

Ironically, it is poor risk management.

Our Values

We have always held a simple principle at Chaos: we only put our name on work we fully believe in. That principle is easy to advertise when things are going well. It matters when it costs you something. Today it’s costing us $5 million.

I’ve written about what institutional-grade risk management should look like in The Market Crypto Never Built. This decision is what that conviction looks like in practice. If we are going to argue that the industry needs higher standards, we have to hold ourselves to them first.

I want V4 to succeed, and if it proves my concerns are overstated, that will be genuinely good for everyone.

To the Aave community: thank you for the trust. It was a privilege

While we are stepping down, we want to do so in a way that is constructive and responsible. We will work to offboard in an orderly fashion and help ensure the DAO is well-positioned to succeed after our departure. We’ll follow up shortly with a structured proposal outlining transition details, timeline, scope of handoff, and how we can support continuity during this process.

I must be honest with this community: This was not on my 2026 bingo card. I am deeply shaken by this development. In my time observing and participating in the evolution of Aave, I have seen many challenges, but the departure of Chaos Labs is, without hyperbole, the most bearish news regarding our risk management infrastructure that we have ever faced.

In the fragile ecosystem of DeFi, players of this caliber do not grow on trees. Chaos Labs has been, unequivocally, the finest risk management partner Aave could have ever asked for. Their precision, their tooling, and their proactive stance have been the bedrock upon which our v3 dominance was built. Losing them leaves us in a precariously weak position.

The “cold water” reality is that there is no easy replacement. There is no line of equivalent experts waiting at the door.

And let me be absolutely clear on the path forward: Aave Labs cannot and must not absorb these responsibilities. Governance 101 dictates that risk management must be performed by an independent, external provider. This is the “Separation of Powers” that keeps our protocol honest. You cannot have the builders of the protocol acting as the sole arbiters of its risk parameters.

I truly hope that the leadership at Aave Labs is listening to the room right now.

Well said. Replacing tacit knowledge is not straight forward. Experts who have been handling 24/7/365 security of V3 for years cannot just ‘hand it off’ to Labs and expect them to manage it in the same way the previous owners would have… especially when presented with situations newer/less experienced folks haven’t encountered and seen before. Hand-offs and transitions are filled with messiness and risk. A lack of contextual experience is a massive risk and one that needs to be prioritized with the utmost attention and care. V3 is the product that generates 100% of the revenues for AAVE. There is nothing more important than keeping it secure, operational, and trusted. AAVE has been built by its people, and we have lost a lot of good ones in the past 3 months. Labs has assured us they can be replaced, but we have all seen new people on the job. We all know how an experienced technician knows the ins and outs of their machine. We all know a new person using that machine would requires years of operating it to learn it in the same way. I believe Aave having continued access to valued SPs who have who have owned these items in the past through multi-year retainer support agreements is vital when situations arise where documentation doesn’t suffice. It is the most critical thing. I trust Labs with V4, but I think it’s critical to retain a sufficient level of experienced V3 talent.

So many words, yet somehow you forgot to mention that due to the incorrect operation of your oracle, 10938 wstETH were liquidated. Liquidators were able to make 512 ETH from this. A small portion, namely 141 ETH, was recovered, but the remaining amount will be reimbursed at the expense of the DAO.

I want to thank Chaos Labs for their work over the past few years. They have been a valuable partner to the Aave DAO, and their contributions have helped Aave grow and mature. V3 and V4 will continue to operate as normal and there’s no impact on the protocol.

I also want to address a few points to ensure the community has a clear view of what happened and the path forward.

We recently discussed a proposal with Chaos Labs that included several requests that we did not support. These included designating Chaos Labs as the sole risk provider for the protocol, making their vaults the exclusive default for Aave’s B2B deals, and formalizing an expanded price oracle partnership across all new deployments with a minimum TVL secured requirement.

Chainlink is and always has been the primary price oracle provider for Aave when available, and we were not prepared to formalize an alternative arrangement as a condition of the engagement. We believe the two-provider risk manager model makes Aave more resilient, and we were not interested in granting sole provider status or vault exclusivity. They determined the engagement did not meet their requirements without these terms, and we respect that decision.

We also discussed their desire to increase their budget and we were supportive of increasing their it by approximately 2x to accommodate the expanded scope of V4, which has been in development for over two years. We also suggested their budget could continue to grow as the work scaled further. That said, the DAO could have disagreed with this take and voted for a higher increase right away if it were proposed.

Regarding Aave V4, the architecture introduces isolated risk markets through Spokes, new liquidation logic, and governance-controlled parameters that give the DAO more granular control over how it manages risk across different markets and assets. We held multiple risk calls with Chaos Labs employees in attendance well before V4 went live, and the feedback we received during those sessions does not match the concerns expressed in their post.

The V3-to-V4 transition has no forced timeline and Aave V3 will continue to operate for as long as the market demands it. The rollout will run in parallel, with V4 going live only after the architecture is fully proven in production.

For the immediate future, Aave Labs will work closely with Llama Risk to ensure a smooth transition and uninterrupted risk coverage for the protocol. Llama Risk already serves as a risk contributor to the Aave DAO and has deep familiarity with the protocol’s architecture and parameters. We support Llama Risk increasing their budget to accommodate this additional workload and expand their team as needed. Aave Labs will also contribute engineering and analytical resources wherever necessary to support this transition.

This transition also leaves the door open for other risk service providers to join the DAO. Aave has always benefited from a diversity of contributors, and we welcome new teams who want to build on and secure the protocol.

We have managed service provider transitions before, and we are fully prepared to manage this one. We remain focused on the protocol’s security and the V4 roadmap.

Thank you for the context, Stani. It is helpful for the DAO to understand the specific terms that led to this impasse. Transparency is our only defense against speculation.

However, I must be blunt: this outcome reflects a lack of coordination that Aave cannot afford. A protocol of this magnitude should be able to manage transitions through joint announcements that demonstrate maturity from all parties. Instead, we have a public ‘breakup’ that opens a massive window for FUD on X and elsewhere.

Every time a core contributor leaves—first BGD, then ACI and now Chaos —it feels like a plank being pulled from the ‘Ship of Theseus’. While I support the principle of not granting ‘sole provider status’ to maintain decentralization, we must improve our communication framework. We shouldn’t be reading about these departures in surprise forum posts.

I hope we can find new service providers quickly, but let’s not kid ourselves: players of this caliber do not abound. We need to ensure that the ‘room’ for new contributors is welcoming, but also that our current exits don’t burn the bridge on their way out.

Thank you, Chaos Labs, for the tremendous work you have done over the years.

Very much supporting the statement

respect for standing for your values and standard, and all the best for the next chapter !

Another great SP walks away from Aave within such a short timeframe… what a shame to see this happening with what was one of the best DeFi projects out there

We acknowledge Chaos Labs’s sudden announcement to step down from their Aave risk mandate.

LlamaRisk has served the Aave ecosystem for the past two years, delivering risk frameworks, parametrization, and quantitative models underpinning all Aave deployments across V3, V4, and Horizon. We build protocol-owned risk infrastructure on Chainlink’s CRE and serve as the only independent legal and regulatory research capability within the Protocol. Aave’s risk management has never rested on a single point of responsibility.

We are fully prepared to fill all operational gaps and will ensure full continuity of risk services. Over the next week, we will present a detailed proposal, including immediate changes to delegated risk systems, to renew our unwavering commitment to the Aave ecosystem. Aave will win!

It’s Not How You Start, It’s How You Finish

I want to start by repeating something I previously told Stani: It doesn’t matter how you start; what matters is how you finish.

Let’s do a quick recap. Since December 2025, as a direct result of the dirty political games and intimidation tactics by Aave Labs and Stani, we have seen ACI, BGD Labs, and now Chaos Labs leave. Let’s be perfectly clear: this exodus happened entirely because of Stani’s greed for money and power.

AAVE is not indispensable. There are plenty of strong alternative protocols out there for investors, VCs, and the community. Instead of Aave Labs asking, “Why should they choose Aave?” and striving to be more competitive and decentralized, we see them moving in the exact opposite direction over the past 6 months. Just look at the price chart and the melting TVL over this period. If this trend continues, a potential ETF approval will be delayed, and institutional investors have already shifted their focus to Morpho anyway.

Stop treating people like fools and put an end to your cheap propaganda on X (Twitter). The DAO never resorted to these tactics when it was actually functioning. Aave V4 hasn’t even managed to gather $10 million in TVL so far, and you are embarrassing yourselves further with this “we are proceeding securely” nonsense. There isn’t a single influencer, news channel, or content creator on X that you haven’t paid off to spread your propaganda. Despite all this, the TVL you’ve collected is only $10 million; yet in return, you are unjustly pocketing a massive $50 million grant and 75,000 AAVE tokens from the DAO’s treasury.

Finally, I want to touch on this: the delegate race going on after ACI’s departure is a bit comical. The very people who previously criticized Aave Labs and its decisions are now competing to praise Labs and Stani, just to become delegates. I guess a $5,000 salary makes people forget their principles pretty quickly!

So the real question is: If Labs and Stani are monopolizing all the duties of the DAO, how decentralized is Aave right now? At this point, the voting in this forum is complete nonsense in my eyes. It’s just a theater where they pass whatever they want and give jobs to whoever they please!

Screenshot_20260406-211304864×1923 108 KB

Screenshot_20260406-211419864×1923 76.5 KB

(post deleted by author)

Would be good to address some of the accusations here, though it may be off topic.

Just look at the price chart and the melting TVL over this period.

The net deposits chart and price chart are largely correlated to the broader market trend over the past 6 months. The chart below is 2 weeks behind, but you get the gist.

Screenshot 2026-04-06 at 2.45.54 PM954×816 59.3 KB

Unfortunately the AAVE token has been in a down trend since August 2025 and has been in a structural down trend since December 2024.

Screenshot 2026-04-06 at 3.01.01 PM1718×1316 233 KB

Both dates are well before any of the drama mentioned happened.

(personal opinion) Reality is that DeFi TVL is the same as it was 4+ years ago and this is likely having knock on effects towards DeFi tokens generally - especially ones that are liquid and actually traded by the market.

There isn’t a single influencer, news channel, or content creator on X that you haven’t paid off to spread your propaganda.

I can confirm that have not paying anyone to do as you say. We’ve never even worked with KOLs at Aave Labs in my entire tenure at the company.

Aave V4 hasn’t even managed to gather $10 million in TVL so far

This feedback is a bit confusing. We’ve openly communicated that TVL would scale slowly under a security-first approach to growth. This was also communicated by the DAO as the preferred way to scale the protocol. I imagine that’s even more true given the hacks over recent months.