This is a strong proposal to post-rsETH incident, and it addresses a fundamental gap in how lending protocols manage risk.
The core issue that I’m seeing is that supply caps are set by governance (slow, discrete), but risk accumulates continuously (fast, fluid). Static caps calibrated for steady-state conditions leave a gap between current supply and the cap ceiling — and that gap is what attackers exploit. They don’t need steady-state access; they need burst access. The supply cap updater closes that gap by making the effective cap dynamic — always tight to current supply, expanding only as fast as legitimate growth requires.
3% headroom would have reduced Core exposure from 53.8K to 15K ETH and Arbitrum from 36K to 715 ETH. That’s a 72% and 98% reduction in concentrated collateral risk, respectively. That’s effectively the difference between a manageable bad debt event and the $290M+ liquidation cascade that actually happened.
What I particularly like is that the design preserves governance sovereignty. The contract can only tighten caps or raise them within bounds — it can never exceed the governance-set maximum. The Security Council retains a kill switch. This is the right separation of concerns: governance sets policy, automation executes within policy bounds.
Two design considerations worth stress-testing:
1. Reserve-specific parameterization. A 3% headroom on WETH (deep liquidity, battle-tested oracle) is a different risk proposition than 3% on any newer LST/LRT with thinner liquidity and more infrastructure dependencies. Higher-risk collateral types should have tighter headroom — possibly 1–2%.
2. Adversarial feedback loops. What happens when the automated tightener interacts with other automated systems? If bots deposit to fill caps that auto-expand, you get a feedback loop. The hourly cadence limits this, but simulation data on adversarial deposit patterns would be valuable before moving to AIP.
Strong support. Aave’s risk management moving from reactive governance votes to proactive automated bounds is a maturity milestone for the protocol.
-– Robby Greenfield | tokedex.org