Author: @gnarvaja
Date: 2026-04-21
Simple Summary
I propose an external Automated Supply Cap Updater contract (with the RISK_ADMIN role) that automatically keeps supply caps tight by allowing only small short-term increases (e.g. ~3% headroom). It gradually raises the on-chain cap when utilization is high, while never exceeding the absolute governance-set cap. This can be implemented immediately with no changes to the Aave V3 core contracts. The aim is to reduce the impact of hacks like the rsETH incident, with minimal effect on normal usage. Parameters are fully governed and a Security Council can pause it if needed.
Introduction
The rsETH incident on April 18th highlighted a weakness in how supply caps currently operate in Aave V3. Even with reasonable caps set by governance and Risk Stewards, a large gap between the on-chain total supply and the supply cap allowed an attacker to deposit a significant amount of newly-minted tokens as collateral in a short time window and borrow against them.
To address this, I propose an external Automated Supply Cap Updater contract that holds the RISK_ADMIN role. This solution can be applied immediately without any changes to the Aave V3 core contracts. The contract would keep the effective supply cap very close to the current supply by automatically increasing it in small, controlled steps when supply rises, while never exceeding the absolute maximum cap defined by governance or Risk Stewards. The goal is to strictly limit how much supply can increase in a short period (e.g., ~3% headroom), making it much harder for similar exploits to have a large impact.
How the Cap-Updater would work (high-level)
The contract would monitor each reserve and, when the supply ratio exceeds a configurable threshold (for example, 97%), automatically increase the on-chain supply cap enough to restore a small headroom (e.g., 3%). Increases would be limited to a configurable frequency (default: once per hour). The updater would always respect the absolute governance-set cap as a hard upper bound.
Key benefits:
-
Significantly reduces the impact of hacks or malicious minting exploits by restricting short-term supply surges.
-
Almost no friction for legitimate users β normal organic growth is easily accommodated with hourly small increases.
-
Fully automatic under normal conditions, with no need for manual intervention.
-
Zero changes required to the Aave V3 core protocol.
A Security Council (using a 1/N multisig setup) could pause the updater immediately if needed. Reactivation would require a higher threshold, but can be delegated to the same council. The same entities currently responsible for risk parameters (Risk Stewards + Governance) would control all updater settings.
Proposed per-reserve parameters (all configurable via governance)
-
Absolute Supply Cap β the current governance/Risk Steward value (hard upper bound the updater can never exceed).
-
Target Supply Ratio β e.g. 97% (the ratio the updater aims to maintain).
-
Max Supply Ratio β e.g. 98%. Threshold above which the updater increases the cap, to match the target supply ratio.
-
Min Supply Ratio β e.g. 95%, threshold below which the updater decreases the cap to keep headroom tight.
-
Update Period β default 1 hour (minimum time between updates for the same reserve).
This can be implemented quickly as a standalone external contract granted the RISK_ADMIN role. It is fully reversible and can start with a limited set of reserves.
Iβm open to all feedback, suggestions, and improvements from the community. Iβm also available to draft a reference implementation of the contract if that helps clarify the design.
Looking forward to your thoughts!