[TEMP CHECK] Post-rsETH Collateral Framework: Tier-Based LTV Reductions and Wrap-Depth Ineligibility Limits

Author: Robby Greenfield IV | Tokédex

Tags: @LlamaRisk @AaveLabs @stani @MarcZeller @ACI

Summary

The rsETH incident is not a Kelp problem or a LayerZero problem. It is an Aave collateral-listing problem. Aave’s own service providers have confirmed the protocol faces between $123.7M and $230.1M in bad debt on $221.39M of attacker-posted collateral (LlamaRisk/Aave Incident Report, April 20, 2026). Every one of those dollars sat behind a 93% LTV / 95% LT eMode configuration (Proposal 311) granted to a token that, by the time it reached our markets, had been wrapped four times: ETH or LST → Kelp rsETH (EigenLayer-restaked) → LayerZero OFT → wrsETH (L2 copy). The final wrap held the risk that broke the asset, and we underwrote it at the same LTV as a vanilla LST.

“A bridged liquid restaking token and native ETH should never receive the same LTV. The seven-factor score makes this mathematically impossible.” - Anyone Sensible

I am proposing an Aave-specific operationalization of a retrospective framework I developed simply referred to as the “Asset Safety Tier.” The ask is narrow and surgical:

1. Classify existing collateral by a seven-factor tier score (five structural factors + two market factors)

2. Apply interim 5–15 point LTV reductions on Tier 3 assets as a staged path toward the framework’s T3 ceiling

3. Make assets scoring in the Tier 4 band (total score ≥ 10) ineligible as collateral — meaning collateral eligibility is permanently revoked while existing aToken holders retain the ability to exit

No nuclear cuts. No forced liquidations of existing positions. Just a credible, deterministic ceiling on how many wrappers Aave is willing to underwrite, and a clean revocation pathway for assets that cross it.

Why this, why now

The status quo failed a stress test we authored ourselves. Service providers listed rsETH on Ethereum Core and Ethereum Prime and its bridged form wrsETH on nine L2 instances (Arbitrum, Avalanche, Base, Ink, Linea, Mantle, MegaETH, Plasma, zkSync) — 11 deployments in total (LlamaRisk report). They put rsETH in eMode at 93% LTV / 95% LT (Proposal 311) and raised supply caps enough for 89,567 stolen rsETH ($221.39M) to settle in single-digit minutes across seven attacker addresses at Health Factors of 1.01–1.03 (LlamaRisk report).

The attacker borrowed 82,650 WETH ($190.86M) and 821 wstETH ($2.33M) directly from Aave (LlamaRisk report). Third-party on-chain reconstruction puts cross-protocol borrowing (Aave + Compound + Euler) in the $200–236M range (DeFi Prime analysis), though only the ~$193M Aave component is primary-source documented.

The blast radius:

• Aave TVL fell from $26.4B to $17.95B in 48 hours — a $8.45B drop (CoinDesk, April 20, 2026)

• Total DeFi TVL fell $13.21B (CoinDesk)

• AAVE token fell 16% within 24 hours of the exploit (CoinDesk, April 19)

• The Umbrella WETH module held only 23,507.63 WETH (~$54.06M) against up to $91.8M in Scenario 1 bad debt on Ethereum Core alone, and 18,922 of 23,507 aWETH (80%) had entered the unstaking cooldown by the time the incident report was published (LlamaRisk report)

• The DAO treasury holds $181M total ($62M ETH-correlated, $54M AAVE, $52M stablecoins); 2025 revenue was $145M; 2026 YTD revenue is $38M (LlamaRisk report)

Under the 7-factor scoring below, wrsETH on L2 scores 12 of 14 — Tier 4, ineligible. It was listed at 93% LTV. The gap between that score and that LTV was the protocol’s margin of catastrophic error, and it is now a line on the Umbrella module’s balance sheet.

This was foreseeable at the listing stage. The bridge-hack base rate is not ambiguous. Summing just the six marquee failures — Ronin ~$600M, Wormhole ~$325M, BNB Chain Bridge ~$570M attempted / ~$100M net realized, Nomad ~$190M, Harmony Horizon ~$100M, Multichain ~$130M — yields ~$1.9B in cross-chain bridge losses across 2022–2023 alone. Comprehensive industry totals for 2022 alone exceed $2B (Chainalysis 2022 Crypto Crime Report summary). Aave was the lender of last resort for an asset whose fourth wrapper inherited that exact failure surface.

Precedent exists for acting decisively. In August 2023, Proposal 286 set CRV LTV → 0 on Aave v2 Ethereum with 100% ‘Yes’ votes (CoinDesk, Aug 2, 2023; Crypto Times). The exact rationale Gauntlet cited — impeding further borrowing against a collateral type whose risk profile had materially shifted — applies verbatim here.

The TradFi precedent is older and larger. Singh (IMF WP 11/256, 2011) documents that post-Lehman, the reduction in source collateral combined with collapse in its velocity “may have been a $4–5 trillion reduction in collateral” when rehypothecation chains broke (IMF Working Paper 11/256). Notably, the U.S. caps rehypothecation at 140% of a client’s net debit balance under SEC Rule 15c3-3 / Reg T; the UK historically has no such cap (Singh & Aitken, IMF WP 10/172; ICMA summary). DeFi has no cap at all. That is the problem this proposal addresses.

F25 Tier Scoring — Seven Factors, Aave-Applied

Each factor scores 0 (safest), 1 (moderate), or 2 (highest risk). The score is the unweighted sum (0–14). Factors are independent failure vectors; they do not offset each other.

Structural factors (1–5) capture architecture risk that does not change with market conditions — these are immutable properties of the asset’s construction.

1. Redemption posture — 0: instant at par / 1: queued with delays / 2: uncertain or bridge-gated

2. Rehypothecation depth — 0: ≤1 wrapping layer / 1: 2–3 layers / 2: ≥4 layers

3. Bridge hops in provenance — 0: native L1 issuance / 1: one hop / 2: two or more

4. Regulatory posture — 0: MiCA / NYDFS / MAS or equivalent / 1: light-touch regime / 2: none

5. Oracle fragility — 0: Chainlink + CAPO / 1: single provider / 2: internal exchange rate

Market factors (6–7) capture what Chaos Labs, Gauntlet, and MakerDAO’s risk frameworks all identify as the primary LTV calibration drivers. Omitting them produces tiers that are structurally correct but practically wrong.

6. Volatility (90d annualized) — 0: <50% / 1: 50–100% / 2: >100% (source: CoinGecko; stablecoins default to 0, ETH-correlated assets to 1)

7. Liquidity depth (DEX reserves) — 0: >$500M / 1: $50–500M / 2: <$50M (source: GeckoTerminal). MakerDAO explicitly sizes debt ceilings to liquidation liquidity — Aave has no such mechanism today.

Sum → tier. Tier 1: 0–3. Tier 2: 4–6. Tier 3: 7–9. Tier 4: 10+.

Why multiplicative risk matters (Factor 2)

Each wrapping layer adds an independent failure vector. If each layer carries 2% annual failure probability, three layers produce combined failure probability of 1 − (0.98³) ≈ 5.88% — roughly triple the per-layer rate. Good backing does not reduce the number of things that can break; it only reduces the probability of any single failure. This is why rehypothecation depth earns its own factor alongside custody quality, not as a substitute for it.

Applied to current Aave v3 collateral

The rsETH / wrsETH split matters: the L1 native token scores at the upper bound of T3 (9/14), while the L2 bridged form adds bridge-hop risk and escalates to T4 (12/14). This is the core problem the framework surfaces — two tokens sharing a name and an issuer can sit in different tiers because wrapping and bridging add independent failure vectors.

Source chains (publicly documented by issuers):

• weETH: ETH → eETH (rebasing LRT) → weETH (non-rebasing wrapper, EigenLayer-coupled) (EtherFi docs)

• rsETH: ETH or LST (stETH/sfrxETH/ETHx) → Kelp rsETH (EigenLayer-restaked) → LayerZero OFT → wrsETH on L2 (LlamaRisk report confirms OFT architecture)

• ezETH: ETH/LST → ezETH → optional L2 wrap

• sUSDe: USD/stablecoin → USDe (delta-neutral basis) → sUSDe

Tier caps the framework prescribes

Proposed Parameter Changes — Interim, Moving Toward Framework Caps

The surgical path below does not bring Tier 3 assets to the framework’s 68% E-Mode cap in one step. It moves them partway and commits to a review cycle. This is calibrated for governance stability, not analytical purity — the framework target stands as the eventual ceiling.

Arithmetic behind the interim cut: Max theoretical leverage from looping = 1/(1−LTV). At LTV 93%, that’s ~14.3x; cutting LTV to 83% drops max theoretical leverage to ~5.9x — a ~58% reduction in loop capacity. Peak borrow-against-collateral drops from $0.93 to $0.83 per $1, expanding the unborrowed buffer from 7¢ to 17¢ (2.4× buffer increase). The framework’s T3 cap of 68% would take this further: max leverage 3.13x, buffer 32¢. The interim cut closes roughly 40% of the gap between current and framework in the first governance cycle. (For context: Proposal 311 cites a Prime HF-1.01 leverage of 22.44x at the 96.50% LT — Proposal 311.)

This is calibrated against the 15.12% Scenario 1 depeg that the incident report models (LlamaRisk report) and well above the current Umbrella coverage-to-exposure ratio of roughly 59% ($54.06M / $91.8M on Ethereum Core).

TVL Impact — Quantified, Defended

Per the ACI ecosystem-contribution retrospective published via ChainCatcher in April 2026 (source):

• weETH holders drive 57.9% of all WETH borrowings, $3.27B in WETH debt, $18.9M/year in reserve factor income

• All ACI-introduced LRTs together drive 75.1% of total WETH debt and $24.4M/year in reserve factor income

• WETH is the single largest revenue-generating asset on Aave, with 2025 revenue of $37M (28% of total protocol revenue)

• ACI has drafted over 35 governance proposals related to LRT onboarding and eMode configuration

• WETH is 39.49% of all loans on Aave; Aave’s total outstanding borrows are $17.82B with $14.24B on Ethereum (CoinDesk)

Derived impact envelope (this is my synthesis, labeled as such):

• wrsETH eligibility revocation across 9 L2 instances + rsETH continued freeze on Ethereum Core/Prime (already non-collateral in economic reality): no incremental TVL impact beyond what the existing freezes already enforce

• Interim LTV cuts on weETH + ezETH + sUSDe: a 10-point LTV cut reduces max loop leverage by ~58%. Applied to the $24.4M/year of LRT-driven reserve-factor income (ACI retrospective, ~17% of the DAO’s $145M 2025 revenue), this implies a 30–60% haircut on LRT revenue, or ~5–10% of total protocol revenue at the interim step, and ~10–15% at the framework cap.

• Total plausible revenue impact at interim: ~$7–15M/year against 2025 revenue of $145M

Against that:

• One incident has destroyed $8.45B in TVL in 48 hours (CoinDesk)

• Produced $123.7M–$230.1M in bad debt (LlamaRisk report)

• Forced an active forum debate about whether to slash Umbrella stakers on an asset class the DAO did not fully underwrite with eyes open

A 5–10% revenue haircut to permanently close this failure mode is the cheapest insurance Aave will ever buy. Singh’s IMF work is the cautionary tale: when rehypothecation chains break in TradFi, total system collateral contraction is multiples of the headline loss. We just watched a DeFi-scale version of that dynamic in real time.

Why Tier 4 Is Ineligible Specifically

Tier 4 begins at a score of 10. To reach 10 on a 14-point scale, an asset must pile failure vectors across at least five of the seven factors — it is structurally impossible to score 10+ on a genuinely safe asset. wrsETH scored 12 because it fails on redemption (bridge-gated), bridge hops (L2 via OFT), regulatory posture (none), oracle (internal exchange rate), and liquidity depth (thin DEX), with one additional point each for rehypothecation depth and volatility. Any one of those failures would be a risk. Five of them compounding in one asset is a listing error.

The asset was not broken because ETH restaking is broken, and not because Kelp’s accounting is broken. It was broken because the fourth wrapper — the LayerZero OFT adapter — was configured as 1-of-1 DVN and could be forged with a single inbound packet, releasing 116,500 rsETH from the Ethereum-side adapter (balance dropped from 116,723 to 223 rsETH in one block) (LlamaRisk report).

Every wrap is a new trust assumption. By the time a token lives on an L2 through a bridge, there is also legal ambiguity about whether L1 and L2 holders share a pari passu claim — a question Aave is currently litigating in real time on the very forum this post appears on. Forum user gadget noted on April 20 that “All rsETH holders have equal redemption rights (pari passu), as per both the Issuer’s and the Service Provider’s documentation and statements prior to the incident. Preferential treatment of L1 holders over L2 holders would violate these rights” (Aave forum, April 20, 2026).

Aave cannot practically audit the DVN configurations, redemption mechanics, and legal terms of every bridge adapter underlying every LRT on every chain we deploy on. What we can do is declare a ceiling: the seven-factor score must stay below 10.

LlamaRisk’s own Liquid eMode research already endorses this direction, noting that Aave v3.2 allows “Soft Onboarding of new assets, offering more flexibility in isolation. For instance, ezETH can be introduced with 0 LTV and 0 LT in regular mode, ensuring it does not affect overall protocol risk” (LlamaRisk research). Extend that conservatism to Tier 4 assets permanently.

What I Am Asking For Specifically

@LlamaRisk — Given Chaos Labs’ departure on April 6, 2026 (CoinDesk), you are now the primary risk provider. I’d love to work with you to publish the following within 14 days:

1. a tier classification of every current Aave v3 collateral asset under the 7-factor schema above — or an equivalent of your own design that explicitly includes structural and market factors
2. a proposed mapping to LTV/LT deltas consistent with those tiers, and
3. explicit criteria under which an asset becomes ineligible.

Your Liquid eMode research already concedes that soft onboarding with 0 LTV and 0 LT is correct for uncorrelated assets; extend that reasoning to assets scoring in the Tier 4 band.

@AaveLabs / @stani — Aave’s public statement that the rsETH markets have been frozen because “Aave’s contracts have not been exploited and this is an exploit related to rsETH” (Aave X announcement, April 2026) is technically accurate but structurally insufficient. The exploit happened outside Aave; the listing decision, the 93% LTV, and the 11-chain deployment happened inside Aave. Please commit publicly to a deterministic, multi-factor collateral-tier framework — of the kind every professional risk manager uses — as part of the V4 rollout, before any additional LRT or bridged-LRT listings.

@MarcZeller / @ACI — Your retrospective documents that ACI has drafted over 35 governance proposals introducing LRTs to Aave, and that those LRTs generate $24.4M/year in reserve factor income representing 75.1% of total WETH debt (ChainCatcher). That is the revenue base that should be defended — not torched, but priced correctly. A 10-point interim LTV cut on weETH is a rounding error against the Scenario 2 bad debt range of $230.1M. Publicly co-sponsor this framework or publish the counter-framework.

What This Is Not

This is not a proposal to delist weETH, ezETH, or sUSDe. It is not a proposal to zero LTVs or shut down LRT looping. It is not a pause on V4. It is not a referendum on Aave Labs, Chaos Labs’ departure, or any adjacent governance dispute.

It is a proposal that Aave adopt a deterministic, seven-factor asset safety framework — covering structure, regulation, oracles, volatility, and liquidity — and stop accepting collateral that scores in the Tier 4 band. Everything downstream of that — the LTV deltas, the Tier 3 treatment, the revenue implications — is arithmetic.

I would love to help bring this to the community in any way it sees fit, and have several proposals on how Aave can do due diligence on assets in real time on the basis of its collateral.

The rsETH incident has handed Aave governance a free lesson it would have otherwise paid several hundred million dollars to learn. Let’s not waste it.

-– Robby Greenfield IV | Tokédex

Sources Cited (in order of appearance)

1. LlamaRisk / Aave service providers, rsETH Incident Report (April 20, 2026): https://governance.aave.com/t/rseth-incident-report-april-20-2026/24580

2. Aave Governance Proposal 311 (rsETH/wstETH eMode): https://vote.onaave.com/proposal/?proposalId=311

3. DeFi Prime, “The KelpDAO rsETH Exploit: $292M Minted From a 1-of-1 Bridge”: https://defiprime.com/kelpdao-rseth-exploit

4. CoinDesk, “The $13 billion DeFi wipeout” (April 20, 2026): https://www.coindesk.com/markets/2026/04/20/defi-tvl-drops-more-than-usd13-billion-in-two-days-following-kelp-dao-hack

5. CoinDesk, “Aave records $6 billion TVL drop” (April 19, 2026): https://www.coindesk.com/tech/2026/04/19/aave-records-usd6-billion-tvl-drop-as-kelp-hack-exposes-structural-risk-at-defi-lender

6. Chainalysis, cross-chain bridge hacks 2022 summary: https://www.chainalysis.com/blog/cross-chain-bridge-hacks-2022/

7. CoinDesk, “Aave Should Block Curve Token Borrowing” (Aug 2, 2023): https://www.coindesk.com/tech/2023/08/02/aave-should-block-curve-token-borrowing-risk-management-firm-proposes

8. Crypto Times, “Aave’s CRV Borrowing Ban Passes with 100% Community Support”: https://www.cryptotimes.io/aaves-crv-borrowing-ban-passes-with-100-community-support/

9. Singh, M. (2011), “Velocity of Pledged Collateral: Analysis and Implications,” IMF Working Paper 11/256: https://www.imf.org/en/Publications/WP/Issues/2016/12/31/Velocity-of-Pledged-Collateral-Analysis-and-Implications-25332

10. Singh, M. & Aitken, J. (2010), “The (Sizable) Role of Rehypothecation in the Shadow Banking System,” IMF Working Paper 10/172: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1653186

11. ICMA, “What is rehypothecation of collateral?”: https://www.icmagroup.org/market-practice-and-regulatory-policy/repo-and-collateral-markets/icma-ercc-publications/frequently-asked-questions-on-repo/10-what-is-rehypothecation-of-collateral/

12. EtherFi FAQ documentation: https://etherfi.gitbook.io/etherfi/getting-started/faq

13. ChainCatcher / ACI ecosystem-contribution retrospective (April 2026): https://www.chaincatcher.com/en/article/2248017

14. CoinDesk, “Aave loses key risk manager Chaos Labs” (April 6, 2026): https://www.coindesk.com/tech/2026/04/06/aave-loses-key-risk-manager-chaos-labs-amid-contributor-exodus-and-disputes

15. Invezz, “Aave price turns bullish as team moves to contain the KelpDAO exploit” (citing Aave X statement, April 20, 2026): https://invezz.com/news/2026/04/20/aave-price-turns-bullish-as-team-moves-to-contain-the-kelpdao-exploit/

16. LlamaRisk, “Understanding Aave v3.2’s Liquid e-Mode”: https://research.llamarisk.com/research/understanding-aave-v3-2-s-liquid-e-mode-a-deep-dive-into-enhanced-capital-efficiency

what about PT-susde

T3 or T4?

This is an excellent question - and one that admittedly has motivated an iteration to the framework. I’ll explain why:

When I applied the Asset Safety Tier (AST) v1.0 to Pendle’s PT-sUSDe, the framework correctly identified the asset as T4 (ineligible under standard parameters) based on redemption posture, rehypothecation depth, oracle fragility, and liquidity constraints.

But the exercise exposed a structural blind spot (which you may be hinting toward): v1.0 scored a 14-day PT and a 365-day PT identically, because none of its seven factors captured time-to-maturity as a risk dimension. For spot-like collateral this was never a problem — ETH, stETH, and USDC don’t have expiration dates. For time-bound instruments like Pendle PTs, now representing over $500M in lending-protocol collateral, duration-blindness meant the framework ignored the single variable TradFi fixed-income desks have priced since Macaulay formalized duration risk in 1938. AST v2.0 resolves this by adding Factor 8 (Time-to-Maturity Risk Window), scored 0 for all non-time-bound assets. Every v1.0 tier assignment is preserved by construction; the framework now distinguishes a near-maturity PT from a long-dated one without disturbing settled scores.

Scores (0 = safest, 2 = highest risk):

Total: 10–12 of 16, depending on maturity (i.e., it’s ineligible).

The point I want to raise: duration isn’t being priced. A 14-day PT-sUSDe and a 365-day PT-sUSDe have identical structural factors but very different exposure windows. Liquidators holding a near-maturity PT can wait out stress; liquidators holding a 12-month PT cannot. TradFi fixed-income desks have priced this since Macaulay (1938). The current LTV of 91% applies uniformly across the tenor curve, which seems incorrect.

Operationally, this would mean: LTV rotates automatically as maturity approaches, without governance overhead. A 365-day PT onboarded with a 50% LTV and supply cap would loosen toward its terminal parameters over the 12 months — mechanically, continuously. The Pendle SDK and subgraph already expose maturity_timestamp, so the oracle adapter has what it needs.

What Aave is already doing right: isolation mode, supply caps, the custom PT oracle with discount-curve logic, and the aggressive reduction from the May 2025 peak. None of that is in dispute.

What might be worth considering: a duration-graded LTV curve rather than a flat parameter. Happy to share the full framework writeup if useful — it’s general, covers the existing Aave collateral list, and preserves backward compatibility with current T1/T2/T3 assignments (ETH, wstETH, cbETH, etc. scores don’t change).

Not proposing a delisting. Proposing that the parameter surface gets a time axis, it currently lacks.

You are wrong about PTs not being able to be redeemed immediately at par. Throughout the PT’s lifespan, users can redeem the underlying asset using the exit function, exiting the position from 1 PT and 1 YT token to the original asset. These token’s value might fluctuate from the time they are accquired but there is a way to redeem the underlying asset, not through a liquidity pool, immediately.

I support the direction of introducing a deterministic collateral risk framework, but I would suggest replacing the hard tier-based LTV buckets with score-by-score linear caps.

The current framework assigns a numerical score from 0 to 14, but then collapses scores 0–3, 4–6, and 7–9 into the same LTV buckets. This creates unnecessary cliff effects. For example, a score-4 asset and a score-6 asset should not receive the same LTV cap, since their risk profiles are materially different. Treating them the same over-penalizes the lower-risk asset and reduces capital efficiency without necessarily adding meaningful safety.

A cleaner approach would be to keep the existing conservative boundary values, but interpolate between them on a per-score basis.

For example:

This keeps the original framework’s key conservative anchor points intact: score 3 remains capped at 85% / 80%, score 6 remains capped at 78% / 72%, and score 9 remains capped at 68% / 62%. But it avoids treating materially different scores as if they had the same risk.

If the framework already produces a numerical risk score, the LTV mapping should preserve that granularity. Otherwise, the scoring system becomes less useful, and the broad buckets introduce cliff effects that may unfairly penalize assets at the safer end of each tier.

You only analyzed PT from a technical and security perspective, but the fact is, if PT’s LTV is below 90%, there’s no need for it to be listed, because loopers don’t benefit from it, and listing on PT would be meaningless; no one would deposit it. Since the future expected APY for ethane airdrops is <4%, PT’s discount will also be less than 4%.So…

Support for Tiered Collateral Framework & 1:1 Redemption Standard

I strongly support this proposal and the direction it sets for Aave’s risk framework.

1. Collateral Must Be Reliably Redeemable (1:1 Matters)

At the core of any lending system is a simple assumption:

Collateral should be redeemable at or near its face value under stress.

Assets without a clear, enforceable 1:1 redemption path introduce structural uncertainty:

• Redemption may depend on secondary liquidity instead of underlying backing
• Stress scenarios can lead to depegs and cascading liquidations
• Users and the protocol are exposed to risks that are hard to quantify in advance

Moving toward a standard where collateral is either:

• directly redeemable 1:1, or
• clearly discounted via lower LTVs

is a necessary step for long-term robustness.

2. Composability Without Limits Is Not Free

The rsETH incident highlighted a key issue:

Wrapping, bridging, and rehypothecation don’t just add features — they multiply risk.

Each additional layer introduces:

• new counterparties risks
• new technical assumptions - risky***
• new failure modes - risky**

Treating these assets similarly to simpler primitives (like ETH or stETH) was a mispricing of risk.

A tiered system with explicit penalties for complexity is the correct response.

3. Tier-Based LTVs Are the Right Abstraction

Not all collateral is equal, and the framework reflects that reality well:

• Safer, simpler assets → higher LTV
• Complex, layered assets → reduced LTV
• Excessively complex assets → ineligible

This creates:

• clearer expectations for users
• better alignment between risk and leverage
• a more resilient system under stress

4. Capital Efficiency Should Not Come at the Cost of Solvency

Yes, this approach will likely reduce:

• leverage
• borrowing demand
• short-term revenue

But the trade-off is clear:

Slightly lower efficiency vs. avoiding systemic bad debt events

The latter is non-negotiable.

5. Strong Signal for the Future

Adopting this framework would send a clear message:

• Aave prioritizes sound collateral over maximum yield
• Risk is explicitly priced and constrained
• The protocol is evolving based on real-world failures

This is exactly the kind of iteration a mature DeFi protocol should demonstrate.

Conclusion

I support:

• Introducing the tiered collateral framework
• Reducing LTVs for structurally risky assets
• Enforcing limits on wrap depth and bridge exposure

Most importantly, I support moving toward a system where:

High-quality collateral is defined by its ability to reliably redeem at or near 1:1.

That standard is fundamental to maintaining trust, stability, and long-term sustainability.

Fair point on the looper economics, and you’re right that I didn’t address it directly. Let me work through it.

You’re correct that PT markets as currently structured depend on 90%+ LTV to generate meaningful looped yield. Drop to 75–80% and the recursion ceiling collapses — spot sUSDe becomes the better trade and PT deposits dry up. The May 2025 → March 2026 decline from ~$4.6B to ~$515M happened for exactly this reason: implied yields compressed, loopers exited, and the collateral base reflected that.

But I want to push back on the implicit conclusion. “The product doesn’t exist at safer parameters” is an observation about the product, not a justification for the parameters. It means PT lending collateral is structurally dependent on aggressive LTV — which is actually a really important framing. PTs aren’t passive collateral in the sense ETH is. They’re looper infrastructure. The lending protocol isn’t underwriting “an asset”; it’s underwriting a specific leveraged strategy.

That reframing matters because the risk question changes. The question isn’t “what LTV keeps PTs viable” — it’s “should lending protocols underwrite looper strategies at parameters that assume no tail event over the tenor window?” For a 14-day PT, the answer might still be yes at 91%. For a 365-day PT, the framework says probably not, because 12 months is enough time for a regulatory action, a hedge-desk failure, a protocol exploit, or an AMM liquidity collapse to be non-negligible.

Two things that might reconcile this:

1. Duration-graded LTV still lets near-maturity PTs loop at ~91%. The product works in the final 30 days. The constraint kicks in on fresh long-dated issuance.
2. The discount curve already prices duration into the asset — but not into the LTV parameter applied to the mark. A 365d PT at $0.85 and a 14d PT at $0.99 both get 91% LTV against their respective prices, which means the position’s liquidation buffer is the same fraction of current mark regardless of tenor. Duration is priced in one place (the mark) but not the other (the LTV), and that’s the gap.

If the conclusion is “lending protocols should accept that PT markets aren’t commercially viable at risk-calibrated parameters,” that’s a real argument. I’d just want it stated explicitly, because it’s a different claim than “the framework is wrong.”

Actually, PT has always used dynamic LTV. You can check the LTV setting for PT-susde-MAY in the proposal.

E-Mode Stablecoins USDe
LTV 87.2% 88.1%

However, they are currently 90% and 92% respectively, because they will change by time.

Hey! Appreciate the correction — you’re right that PT-sUSDe onboarding parameters already incorporate time-variable LTV via the oracle’s linear discount model. The 87.2% → 90% progression as maturity approaches is doing some of the duration-grading work I described.

That said, I’d note two things:

First, the direction of the ramp matters. The current mechanism loosens LTV as maturity approaches — which is directionally correct, since near-maturity PTs carry less duration risk. But the onboarding LTV of 87.2% for a fresh long-dated PT is still substantially above what the AST framework would prescribe for a T4-scoring asset (ineligible) or even a T3 asset at the framework cap (68% eMode). The dynamic adjustment is helpful but operates within a band that may itself be too high for the structural risk profile.

Second, the dynamic LTV is a function of the oracle’s discount model, not a governance-set parameter that explicitly accounts for structural factors like rehypothecation depth, regulatory posture, or liquidity fragility. Duration is one input to collateral risk — it’s not the only one. A PT could be near maturity and still carry elevated structural risk from its underlying layers.

So the mechanism exists, and it’s a good foundation — but the question remains whether the band it operates within is calibrated against the full risk surface, or just against the time-to-maturity dimension. The framework I’m proposing would constrain the ceiling of that band, not replace the dynamic adjustment within it.

Regardless, if PT follows your proposed framework, it’s simply not qualified for listing. However, it’s well-known that PT has indeed brought a huge TVL to AAVE. Preventing PT from listing might be safer, but it would also result in losing a very large TVL. This presents a huge opportunity for competitor Morpho. I strongly suggest accelerating the V4’s upper limit; Accelerate the transition to V4.the V4 hub framework can effectively address this issue.

I think we’re actually converging here more than it appears.

You’re making the honest version of the argument: PT at risk-calibrated parameters may not generate enough looped yield to justify listing, and delisting would hand TVL to Morpho. Don’t dispute that at all.

But notice what that argument actually concedes: the current parameters exist to serve a commercial outcome (TVL retention), not because the risk profile justifies them. That’s precisely the gap the framework is designed to surface (and also why there’s ongoing multi-layered asset contagion risk running rampant in DeFi that allows such exploits to exist). If the only way to keep a product viable is to set LTV above what the structural risk warrants, the protocol is subsidizing that product’s economics with its own solvency margin. The rsETH incident is what happens when that subsidy gets called.

On V4 — I’m fully aligned. Accelerating V4’s hub framework as the mechanism to properly scope and contain these risk profiles is exactly the right path. And critically, V4 hooks give us the implementation layer to automate this in practice — tier-based LTV ceilings, duration-graded adjustments, and ineligibility triggers can all be enforced programmatically rather than through manual governance proposals for every parameter change. That’s the difference between a framework that lives in a forum post and one that’s embedded in the protocol itself.

The AST framework isn’t proposing that PTs be banned from Aave permanently — it’s proposing that the parameters reflect reality, and that V4 be the vehicle for building the infrastructure that lets complex assets participate safely. The framework sets the ceiling; V4 builds the room underneath it; hooks enforce it autonomously.

That’s a stronger competitive position than a TVL race to the bottom on risk parameters. Morpho competes on capital efficiency — Aave should compete on risk infrastructure. The entity that embeds risk protection natively will survive (and grow) the longest. The one that doesn’t will die from either asset-based leverage exploits and/or regulatory scrutiny.

I would also suggest that Aave consider creating an independent L2BEAT-style public dashboard for collateral risk.

If Aave is going to rely on numerical risk scores to determine LTV caps and collateral eligibility, those scores should be publicly visible, continuously updated, and easy to compare across assets.

The dashboard could show each collateral asset’s score, the reasoning behind that score, and the specific areas where the asset can improve, such as oracle risk, liquidity depth, wrapper depth, redemption mechanisms, bridge dependencies, governance/admin controls, market concentration, and historical incidents.

This would bring several benefits:

1. Users and delegates could clearly understand why an asset receives a certain LTV or eligibility status.
2. Collateral issuers would have a clear roadmap for improving their score.
3. Projects would be incentivized to improve the quality of their collateral in order to qualify for better parameters over time.
4. Aave governance would become more transparent, comparable, and less reactive.

However, I believe this should be implemented as an independent public dashboard, not as new functionality added directly into Aave V3.

The dashboard should provide transparent scoring, analysis, and recommended parameter ranges, while actual parameter changes should still be executed manually through Aave governance. For example, governance could use the dashboard as a reference when deciding whether to adjust LTVs, liquidation thresholds, supply caps, borrow caps, or collateral eligibility.

At this stage, I do not think Aave V3 should be modified with additional on-chain functionality for this purpose. The framework should inform governance decisions, not automatically enforce them.

This approach would preserve governance oversight, avoid unnecessary smart contract complexity, and reduce the risk of turning a risk-management framework into another source of protocol risk.

In my view, Aave needs a collateral framework that is transparent, comparable, and continuously updated. An independent collateral risk dashboard could help turn risk management into an ongoing market discipline rather than a one-time governance discussion after each incident.

Completely agree with this. I have been playing around with what such a dashboard might look like here (long way to go - still seeing what’s possible and how to orient the data). We will need collateral credentials that leverage Aave v4 hooks to help automate lending pool freezes, etc., in case an asset is compromised (as that’s the only way to block these type of exploits), but that will take time.

What is the reason this isn’t possible?

It’s not necessarily impossible but very hard to pull of real time monitoring at such a deep technical level well enough to utilize v4 hooks and protect the ecosystem within a single block time (the time during which most exploits are executed).

It’s definitely something we should work toward!