Simple Summary

This proposal pauses the stkwaWETH Umbrella stake tokens on the Ethereum instance.

Motivation

The appropriate Umbrella response depends on how the rsETH shortfall is ultimately recognized.

If losses are recognized in a way that impacts Ethereum Core WETH, the WETH Umbrella module becomes a live coverage surface. In that case, allowing the module to remain fully active creates avoidable coordination risk while the situation is still being assessed. A large share of the currently staked aWETH has already entered cooldown, which increases the chance of further exits before the DAO has clarity on whether the module may be needed for coverage.

Pausing the Umbrella stake token places the system into a precautionary safe state while the DAO completes that assessment. In the paused state, deposits, withdrawals, transfers, and slashing are blocked, while rewards distribution continues. This also means the module is no longer treated as slashable for automatic deficit coverage, so any use of those funds would require explicit governance action.

If losses remain isolated outside Ethereum Core, Umbrella may not need to be used. Even in that case, moving the stake tokens into a paused state is a prudent temporary control until the exposure path is fully resolved.

Specification

The proposal calls `pauseStk(stk)` on the Umbrella contract (`0xD400fc38ED4732893174325693a63C30ee3881a8`) for the stkwaWETH Ethereum Umbrella stake token. The table below summarizes the resulting state.

Copyright

All rights waived via CC0.

Umbrella stakers agreed to automatic slashing in the event of bad debt on a specific matching asset and market. At this time there is no bad debt and as AAVEs own communication has stated, rsETH on mainnet remains fully backed.

They did not agree to forfeit complete control of their assets to the whims of AaveLabs for an arbitrary and undefined period of time in anticipation of a future event. This proposal is a breach of the deposit agreement.

This proposal violates the Terms of Umbrella, and it will also cause confusion in the mechanism.

According to Documentation:

Umbrella enhances the reslience of the Aave Protocol by replacing the existing Safety Module with an automated staking system. If a deficit occurs in a given asset, Umbrella enables the corresponding staked assets to be burned and offset the bad debt, removing the need for governance decisions or manual intervention.

Slashing is triggered automatically by UmbrellaCore when a deficit in the corresponding Aave pool exceeds the configured offset.

To withdraw, users must first activate a cooldown by calling cooldown(). The cooldown period is 20 days (configurable by governance), followed by a 2-day unstake window. During cooldown, rewards continue to accrue and funds remain slashable.

I believe every Umbrella stakers thought they had agreed to bear a specific level of risk for a specific period of time, but this move seems to have turned it into bearing uncertain risk for an indefinite period.

In other words, what stakers are agreeing to is the risk of a automatic slashing when bad debt has already been actually incurred, before the cooldown and the 20 days in the cooling down, rather than “Based on our simulations, in some worst-case scenario we may see bad debts in the coming period, so let’s freeze this portion of the funds first, and then hold a meeting later to discuss how to use it.”

Pausing the Umbrella can cause confusion in the mechanism because slashing is also paused during the pause period. This can result in some funds that should have been slashed not being slashed, while funds that shouldn’t have been slashed end up bearing losses.

Umbrella is a very important asset for Aave, and Umbrella stakers are also important contributors to Aave, so we must handle this with caution. We shouldn’t set a very bad precedent; once there is human intervention, regardless of whether the slash ultimately occurs, it violates its original intent and destroys stakers’ confidence. Perhaps there will be no more Umbrella in the future.

Update:

A few hours ago, Arbitrum said it has frozen 30,766 ETH of hacker funds. If this portion of ETH is returned to the Aave Arbitrum Market and the corresponding stolen 36,166.8 rsETH collateral is burned.

Using the calculation method in the Incident Report under Scenario 1: Uniform socialization of losses, the actual unbacked rsETH will decrease from 112,204 to 76,037.

depeg = unbacked / (original supply + unbacked)
= 76,037/ (629,689 + 76,037)
= 10.77%

rsETH’s depeg is also expected to rise to 89.23%. Based on a 95% max LTV buffer, exposure will decrease from the previous 10%~ to 5~6%, which will greatly improve bad debt outcomes after liquidation.

If we calculate according to Scenario 2: Losses isolated to L2 rsETH, the new L2 rsETH backing ratio would increase to 34.68% (calculated as 40,373 / (152,577 - 36,166.8)), which may push Kelp toward Scenario 2. Maybe it becomes Scenario 3: Losses isolated to L2 rsETH (Arbitrum independent accounting).

But under any Scenario, the slashing risk faced by Umbrella will be reduced.

Mantle (The worst market of aave exprosure) just announced: Mantle is in active coordination and communication with the Aave team and affected protocols on a coordinated recovery plan, including potential treasury participation.

Therefore, I suggest that the proposal about pausing the Umbrella should be stopped immediately. Once the proposal is executed, even if no slashing ultimately occurs, it will undermine the Safety Module’s credibility with stakers and potential participants.

Thank you for the proposal. I understand the precautionary logic behind pausing the Ethereum stkwaWETH Umbrella token, but I believe we should be very careful before changing the effective rules of the mechanism in the middle of an active crisis.

Users who staked into Umbrella did so under a clear framework, they accepted the possibility of slashing, and they also accepted a clearly defined exit path through the cooldown and withdrawal window. Changing that framework now would not simply be a technical intervention, it would alter the economic bargain that users originally opted into.

This matters not only for current stakers, but for the long-term credibility of the entire Aave ecosystem. If participants conclude that Umbrella’s effective rules can be changed precisely when they become economically relevant, confidence in the product will be materially weakened. Future participation could be harmed, and the protocol may end up damaging one of its own defensive mechanisms in the process.

It is also worth noting that pausing the module today would penalize some users who may have entered cooldown before this incident occurred, under the rules that existed at that time. Those users should not have their expected exit path changed retroactively.

For that reason, my preference would be to keep the Umbrella rules unchanged and instead focus on the more important question, how recovered funds and external contributions should ultimately be allocated once the facts are fully established.

We now have evidence that recovery paths exist. With recovered funds already emerging thanks to Arbitrum, and with KelpDAO and LayerZero still needing to assume their respective responsibilities, the priority should be to determine the net loss first, and only then decide how to compensate the actually impacted groups across Core, L2s, and, if necessary, Umbrella-related users.

In my view, that approach is more aligned with both our values and our rules, preserve predictability, preserve trust in Aave’s mechanisms, exhaust external recovery and responsible-party contributions first, and only then decide how remaining losses should be distributed or compensated.

What a shady way of doing business by Labs. I do not approve this proposal, everybody knew what they signed up for by staking in Umbrella.

Thanks for the update Aave team. As an Umbrella holder, we should not be on the hook for this rseth disaster per your docs. Mainnet aWETH umbrella signed up for chain-local risk on backed collateral, not wrapped rsETH minted against drained escrow and L2 risk. Umbrella’s T&C (https://aave.com/docs/aave-v3/umbrella…), bad debt coverage only applies to Ethereum’s V3 Core Market. That means that an aWETH Umbrella staker on Ethereum mainnet shouldn’t be punished for an unbacked LRT on other chains.

As you mentioned, Aave V3 on mainnet is fully collateralized because rsETH on mainnet is fully collateralized.

Umbrella stakers on mainnet by definition did not sign up to cover losses from another chain.

Pause it. Kelp DAO are very slow, I doubt they will be able to find a solution in 2 weeks.

Thanks

Hey all,

I want to add some additional color to this proposal.

Umbrella’s asset slashing is permissionless and can trigger as soon as bed debt is realized. The issue here is that the inputs it would act on, rsETH’s exchange rate and the final underlying ETH loss scenario, are unknown due to abnormal and rapidly evolving conditions.

Allowing the mechanism to fire beforehand risks slashing funds in response to a deficit that may not ultimately require Umbrella funds, or may require a different response.

The pause is a temporary hold while Aave service providers continue to assess the situation and we intend to unpause / move forward as quickly as the situation allows. It also allows us to explore solutions that minimize the need to slash Umbrella.

Awesome,

Keep us updated.

How long will this last? What timeframe should we aim for?

This delay is perceived by users as an indication of the platform’s unreliability and accelerates user churn.

Thanks for the clarification. That makes sense. So i am now on the AYE side.

Thanks for the additional context, the point about permissionless slashing under uncertain inputs is well taken. If rsETH’s final exchange rate and the ultimate ETH loss scenario are still unresolved, I understand why allowing Umbrella to trigger immediately could produce the wrong outcome.

That said, I think there is an important complementary principle that should be made explicit in this discussion.

If Umbrella is ultimately used as a backstop, then any later recoveries should first replenish the losses absorbed by Umbrella, at least up to the amount it covered. Otherwise, Umbrella would be taking first loss on a gross basis, while recoveries are distributed on a different basis later on. That would be economically misaligned.

In traditional insurance terms, a backstop that pays out generally has priority on subsequent recoveries up to the amount it has covered. The same principle should apply here. If Umbrella funds are used, Umbrella should not simply absorb losses and then watch external recoveries flow elsewhere.

This is why I agree the focus should be on minimizing premature slashing. But if the DAO pauses the module as a temporary measure, it would be helpful to also clarify the recovery waterfall in advance:

1. external recoveries,

2. responsible-party contributions,

3. net loss determination,

4. and only then, if still necessary, Umbrella usage with any later recoveries first restoring what Umbrella absorbed.

I think making that principle explicit would improve fairness, preserve confidence in Umbrella as a product, and better align any eventual intervention with how a true backstop mechanism should work.

If the DAO proceeds with a pause, it would also be advisable to take a clear reference snapshot or accounting record of Umbrella exposures, including positions already in cooldown, so that any later recovery or compensation process can be handled transparently and fairly.

The motivation behind this proposal is clear both here and in the LlamaRisk incident report where preventing capital flight is the term used.

If the intention is to prevent premature firing of the mechanism, then a commitment to not touching umbrella beyond 20 days from the incidents occurence would be appropriate.

Otherwise one would have to assume this is an attempt to hold user funds hostage beyond the time frame they agreed to.

pause it. slash umbrella 100% to cover much of the bad debt. this is what they signed up for

Sad that Aave Labs still doesn’t understand how Umbrella works :)
But proposing to do something all the time.
Shitposting is the way of winning?

Thank you for the clarification. I believe this will make it easier for many Umbrella stakers to accept, and I also appreciate the team’s hard work.

However, I must point out that regardless of whether the purpose is to protect Umbrella funds from unreasonable slashing, once a human manually hits the pause button, all funds involved will be subject to dispute in future slashing events. This is because it is effectively a temporary update to the terms, and it then becomes unclear whether the new terms and coverage scope will be accepted by existing stakers, and whether stakers need to re-join under the new agreement framework. If pausing is equivalent to terminating the Umbrella’s responsibility for covering all subsequent bad debt, then I believe stakers would be very willing to accept it, but this still would trigger another round of controversy.

Why I mentioned in my previous reply that this could cause confusion in the mechanism, let’s assume a scenario: when the Umbrella is paused, bad debt does not ultimately occur on Ethereum. Then the pause is lifted. However, part of the unstake window happens to overlap with the pause period, and withdrawals during that time are blocked. Those users might then enter another 20-day cooling period. After the pause is lifted, users who were originally later in the cooldown queue might end up getting earlier withdrawals. If a slashing then happens at that point (not caused by rsETH), it would lead to a new dispute.

And according to the latest: Arbitrum has frozen funds, Mantle has committed to providing financial assistance, the two worst L2 cases of bad debt have been greatly improved. Based on feedback from the Kelp DAO, with support from all parties, they have no intention of socializing the lost of a bridge exploit, because doing so would look extremely irresponsible.

In short, I’m not against Pause in any sense. I just think that during such special times, the proposal’s purpose is to make things simpler and clearer, which is more conducive to solving problems, rather than making them complex and vague. So apply Pause cautiously, not prematurely. Better to wait for clear Ethereum bad debt risk; Pause may be preferable if Umbrella faces unexpected slashing not covered by its design.

BTW, Here’s a question that many people might not have considered: Pause can prevent new deposits. Whether you believe it or not, there are still new stakers joining Umbrella. Maybe because their aWETH is stuck, so they decide to get some extra rewards instead. As the situation becomes clearer over time, it’s possible that more people will choose to join. Bulls join, bears leave, and the Pause will end this kind of market.

Umbrella’s asset slashing is permissionless and can trigger as soon as bed debt is realized?

In this case how is bad debt realized? If it’s gonna be a manual configuration from Aave, or at least a pretty long process from Kelp DAO to reassign the value of rsETH where governance has a lot of time to discuss then can Aave execute the pause right before the event happens?

The motivation listed in this post is contradicting with the Incident report where it feels like Aave wants to preserve the right to slash Umbrella module in case bad debts happen in the future. As an Umbrella participant, for sure it’s on me to be stupid enough to sign up for just a little upside with enormous risks, just because I believe the risks are properly managed by Aave team when onboarding assets and most of the risks would come from market condition alone. However, it’s unjustified if Aave treats Umbrella as expendable funds, it’s clear that Aave and related parties have responsibilities in letting this happen. We are also Aave users and creditors, we deserve all of the cares and priorities from the team, and we should only be impacted after all the efforts of the DAO and the lab to protect us.

With that spirit, if the bad debts realization event is predictable, the pause should only be executed right before that to protect the Umbrella module in seek of resolution, otherwise if this doesn’t get resolve quickly, we should be able to exit the module normally after the cool down period.

I wholeheartedly agree with the concern about changing terms, buuuuuut there’s a catch-22 here. Leaving Umbrella unpaused means it’s susceptible to an rsETH unpause. If Kelp socialises losses and rsETH reprices, Umbrella gets automatically slashed before anyone has a chance to negotiate with the responsible parties.

kberg’s clarification is actually reassuring on this point. The pause is to prevent premature slashing under uncertain inputs, not to hold funds hostage for a future manual slash. That’s actually aligned with what we want, which is Umbrella not being wiped out for a deficit that may never materialise on mainnet.

That said, Kassavandrea is right that the pause needs a defined boundary. An indefinite freeze with no commitment on timeline or scope is a change to the terms regardless of intent. If the purpose is to protect Umbrella from firing prematurely, then there should be a clear commitment that if no mainnet bad debt materialises, the pause lifts and stakers exit on their original terms.

I believe ALL Aave users should be made whole but the only way that happens is by bringing in outside money from the parties who caused this. Aave’s reputation has already been hit, but if Umbrella is fully slashed for an L2 bridge failure that Aave confirmed did not affect mainnet, Aave will have no insurance module going forward. Nobody will stake in it again, and the protocol will be permanently uninsured.

I am writing to formally oppose the proposal to pause the Umbrella protocol. This move violates the core terms of the system and introduces a dangerous precedent of manual intervention in a protocol designed for automated resilience.

1. Violation of Immutable Automation The Umbrella documentation is clear: it is an automated staking system designed to remove the need for governance decisions or manual intervention during a deficit. Stakers agreed to bear a specific level of risk based on code-driven slashing, not a discretionary system where governance can freeze funds based on worst-case simulations.

2. Mechanism Confusion & Inequity - Pausing the protocol during a period of potential bad debt creates a blind spot. It prevents the system from functioning as intended, potentially allowing some funds to escape a necessary slash while unfairly penalizing others later. This undermines the technical logic of UmbrellaCore.

3. Moral Hazard & Participant Confidence - There is a clear moral hazard when governance members—who may have no personal capital in the Umbrella—seek to treat staker funds as a discretionary insurance pool. If we prove today that human intervention can override the Safety Module’s automation, we destroy staker confidence and the long-term viability of the protocol.

4. Updated Risk Assessment - The situation has materially improved. With Arbitrum freezing 30,766 ETH of hacker funds and Mantle coordinating on a recovery plan, the actual depeg risk has dropped to approximately 10.77%. Based on a 95% max LTV buffer, the exposure is significantly reduced.

The “emergency” justification for this pause has been mitigated by market recoveries. We should stop the proposal to pause the Umbrella immediately and allow the protocol to function according to its original, automated intent.

THANK YOU to umbro920 for linking directly to the Governance vote-- the deficit offset is only 77 WETH. I’ve deleted the rest of this post that assumed the number was 100,000 WETH.