[TEMP CHECK] Post-rsETH Collateral Framework: Tier-Based LTV Reductions and Wrap-Depth Ineligibility Limits

Author: Robby Greenfield IV | Tokédex

Tags: @LlamaRisk @AaveLabs @stani @MarcZeller @ACI

Summary

The rsETH incident is not a Kelp problem or a LayerZero problem. It is an Aave collateral-listing problem. Aave’s own service providers have confirmed the protocol faces between $123.7M and $230.1M in bad debt on $221.39M of attacker-posted collateral (LlamaRisk/Aave Incident Report, April 20, 2026). Every one of those dollars sat behind a 93% LTV / 95% LT eMode configuration (Proposal 311) granted to a token that, by the time it reached our markets, had been wrapped four times: ETH or LST → Kelp rsETH (EigenLayer-restaked) → LayerZero OFT → wrsETH (L2 copy). The final wrap held the risk that broke the asset, and we underwrote it at the same LTV as a vanilla LST.

“A bridged liquid restaking token and native ETH should never receive the same LTV. The seven-factor score makes this mathematically impossible.” - Anyone Sensible

I am proposing an Aave-specific operationalization of a retrospective framework I developed simply referred to as the “Asset Safety Tier.” The ask is narrow and surgical:

1. Classify existing collateral by a seven-factor tier score (five structural factors + two market factors)

2. Apply interim 5–15 point LTV reductions on Tier 3 assets as a staged path toward the framework’s T3 ceiling

3. Make assets scoring in the Tier 4 band (total score ≥ 10) ineligible as collateral — meaning collateral eligibility is permanently revoked while existing aToken holders retain the ability to exit

No nuclear cuts. No forced liquidations of existing positions. Just a credible, deterministic ceiling on how many wrappers Aave is willing to underwrite, and a clean revocation pathway for assets that cross it.

Why this, why now

The status quo failed a stress test we authored ourselves. Service providers listed rsETH on Ethereum Core and Ethereum Prime and its bridged form wrsETH on nine L2 instances (Arbitrum, Avalanche, Base, Ink, Linea, Mantle, MegaETH, Plasma, zkSync) — 11 deployments in total (LlamaRisk report). They put rsETH in eMode at 93% LTV / 95% LT (Proposal 311) and raised supply caps enough for 89,567 stolen rsETH ($221.39M) to settle in single-digit minutes across seven attacker addresses at Health Factors of 1.01–1.03 (LlamaRisk report).

The attacker borrowed 82,650 WETH ($190.86M) and 821 wstETH ($2.33M) directly from Aave (LlamaRisk report). Third-party on-chain reconstruction puts cross-protocol borrowing (Aave + Compound + Euler) in the $200–236M range (DeFi Prime analysis), though only the ~$193M Aave component is primary-source documented.

The blast radius:

• Aave TVL fell from $26.4B to $17.95B in 48 hours — a $8.45B drop (CoinDesk, April 20, 2026)

• Total DeFi TVL fell $13.21B (CoinDesk)

• AAVE token fell 16% within 24 hours of the exploit (CoinDesk, April 19)

• The Umbrella WETH module held only 23,507.63 WETH (~$54.06M) against up to $91.8M in Scenario 1 bad debt on Ethereum Core alone, and 18,922 of 23,507 aWETH (80%) had entered the unstaking cooldown by the time the incident report was published (LlamaRisk report)

• The DAO treasury holds $181M total ($62M ETH-correlated, $54M AAVE, $52M stablecoins); 2025 revenue was $145M; 2026 YTD revenue is $38M (LlamaRisk report)

Under the 7-factor scoring below, wrsETH on L2 scores 12 of 14 — Tier 4, ineligible. It was listed at 93% LTV. The gap between that score and that LTV was the protocol’s margin of catastrophic error, and it is now a line on the Umbrella module’s balance sheet.

This was foreseeable at the listing stage. The bridge-hack base rate is not ambiguous. Summing just the six marquee failures — Ronin ~$600M, Wormhole ~$325M, BNB Chain Bridge ~$570M attempted / ~$100M net realized, Nomad ~$190M, Harmony Horizon ~$100M, Multichain ~$130M — yields ~$1.9B in cross-chain bridge losses across 2022–2023 alone. Comprehensive industry totals for 2022 alone exceed $2B (Chainalysis 2022 Crypto Crime Report summary). Aave was the lender of last resort for an asset whose fourth wrapper inherited that exact failure surface.

Precedent exists for acting decisively. In August 2023, Proposal 286 set CRV LTV → 0 on Aave v2 Ethereum with 100% ‘Yes’ votes (CoinDesk, Aug 2, 2023; Crypto Times). The exact rationale Gauntlet cited — impeding further borrowing against a collateral type whose risk profile had materially shifted — applies verbatim here.

The TradFi precedent is older and larger. Singh (IMF WP 11/256, 2011) documents that post-Lehman, the reduction in source collateral combined with collapse in its velocity “may have been a $4–5 trillion reduction in collateral” when rehypothecation chains broke (IMF Working Paper 11/256). Notably, the U.S. caps rehypothecation at 140% of a client’s net debit balance under SEC Rule 15c3-3 / Reg T; the UK historically has no such cap (Singh & Aitken, IMF WP 10/172; ICMA summary). DeFi has no cap at all. That is the problem this proposal addresses.

F25 Tier Scoring — Seven Factors, Aave-Applied

Each factor scores 0 (safest), 1 (moderate), or 2 (highest risk). The score is the unweighted sum (0–14). Factors are independent failure vectors; they do not offset each other.

Structural factors (1–5) capture architecture risk that does not change with market conditions — these are immutable properties of the asset’s construction.

1. Redemption posture — 0: instant at par / 1: queued with delays / 2: uncertain or bridge-gated

2. Rehypothecation depth — 0: ≤1 wrapping layer / 1: 2–3 layers / 2: ≥4 layers

3. Bridge hops in provenance — 0: native L1 issuance / 1: one hop / 2: two or more

4. Regulatory posture — 0: MiCA / NYDFS / MAS or equivalent / 1: light-touch regime / 2: none

5. Oracle fragility — 0: Chainlink + CAPO / 1: single provider / 2: internal exchange rate

Market factors (6–7) capture what Chaos Labs, Gauntlet, and MakerDAO’s risk frameworks all identify as the primary LTV calibration drivers. Omitting them produces tiers that are structurally correct but practically wrong.

6. Volatility (90d annualized) — 0: <50% / 1: 50–100% / 2: >100% (source: CoinGecko; stablecoins default to 0, ETH-correlated assets to 1)

7. Liquidity depth (DEX reserves) — 0: >$500M / 1: $50–500M / 2: <$50M (source: GeckoTerminal). MakerDAO explicitly sizes debt ceilings to liquidation liquidity — Aave has no such mechanism today.

Sum → tier. Tier 1: 0–3. Tier 2: 4–6. Tier 3: 7–9. Tier 4: 10+.

Why multiplicative risk matters (Factor 2)

Each wrapping layer adds an independent failure vector. If each layer carries 2% annual failure probability, three layers produce combined failure probability of 1 − (0.98³) ≈ 5.88% — roughly triple the per-layer rate. Good backing does not reduce the number of things that can break; it only reduces the probability of any single failure. This is why rehypothecation depth earns its own factor alongside custody quality, not as a substitute for it.

Applied to current Aave v3 collateral

The rsETH / wrsETH split matters: the L1 native token scores at the upper bound of T3 (9/14), while the L2 bridged form adds bridge-hop risk and escalates to T4 (12/14). This is the core problem the framework surfaces — two tokens sharing a name and an issuer can sit in different tiers because wrapping and bridging add independent failure vectors.

Source chains (publicly documented by issuers):

• weETH: ETH → eETH (rebasing LRT) → weETH (non-rebasing wrapper, EigenLayer-coupled) (EtherFi docs)

• rsETH: ETH or LST (stETH/sfrxETH/ETHx) → Kelp rsETH (EigenLayer-restaked) → LayerZero OFT → wrsETH on L2 (LlamaRisk report confirms OFT architecture)

• ezETH: ETH/LST → ezETH → optional L2 wrap

• sUSDe: USD/stablecoin → USDe (delta-neutral basis) → sUSDe

Tier caps the framework prescribes

Proposed Parameter Changes — Interim, Moving Toward Framework Caps

The surgical path below does not bring Tier 3 assets to the framework’s 68% E-Mode cap in one step. It moves them partway and commits to a review cycle. This is calibrated for governance stability, not analytical purity — the framework target stands as the eventual ceiling.

Arithmetic behind the interim cut: Max theoretical leverage from looping = 1/(1−LTV). At LTV 93%, that’s ~14.3x; cutting LTV to 83% drops max theoretical leverage to ~5.9x — a ~58% reduction in loop capacity. Peak borrow-against-collateral drops from $0.93 to $0.83 per $1, expanding the unborrowed buffer from 7¢ to 17¢ (2.4× buffer increase). The framework’s T3 cap of 68% would take this further: max leverage 3.13x, buffer 32¢. The interim cut closes roughly 40% of the gap between current and framework in the first governance cycle. (For context: Proposal 311 cites a Prime HF-1.01 leverage of 22.44x at the 96.50% LT — Proposal 311.)

This is calibrated against the 15.12% Scenario 1 depeg that the incident report models (LlamaRisk report) and well above the current Umbrella coverage-to-exposure ratio of roughly 59% ($54.06M / $91.8M on Ethereum Core).

TVL Impact — Quantified, Defended

Per the ACI ecosystem-contribution retrospective published via ChainCatcher in April 2026 (source):

• weETH holders drive 57.9% of all WETH borrowings, $3.27B in WETH debt, $18.9M/year in reserve factor income

• All ACI-introduced LRTs together drive 75.1% of total WETH debt and $24.4M/year in reserve factor income

• WETH is the single largest revenue-generating asset on Aave, with 2025 revenue of $37M (28% of total protocol revenue)

• ACI has drafted over 35 governance proposals related to LRT onboarding and eMode configuration

• WETH is 39.49% of all loans on Aave; Aave’s total outstanding borrows are $17.82B with $14.24B on Ethereum (CoinDesk)

Derived impact envelope (this is my synthesis, labeled as such):

• wrsETH eligibility revocation across 9 L2 instances + rsETH continued freeze on Ethereum Core/Prime (already non-collateral in economic reality): no incremental TVL impact beyond what the existing freezes already enforce

• Interim LTV cuts on weETH + ezETH + sUSDe: a 10-point LTV cut reduces max loop leverage by ~58%. Applied to the $24.4M/year of LRT-driven reserve-factor income (ACI retrospective, ~17% of the DAO’s $145M 2025 revenue), this implies a 30–60% haircut on LRT revenue, or ~5–10% of total protocol revenue at the interim step, and ~10–15% at the framework cap.

• Total plausible revenue impact at interim: ~$7–15M/year against 2025 revenue of $145M

Against that:

• One incident has destroyed $8.45B in TVL in 48 hours (CoinDesk)

• Produced $123.7M–$230.1M in bad debt (LlamaRisk report)

• Forced an active forum debate about whether to slash Umbrella stakers on an asset class the DAO did not fully underwrite with eyes open

A 5–10% revenue haircut to permanently close this failure mode is the cheapest insurance Aave will ever buy. Singh’s IMF work is the cautionary tale: when rehypothecation chains break in TradFi, total system collateral contraction is multiples of the headline loss. We just watched a DeFi-scale version of that dynamic in real time.

Why Tier 4 Is Ineligible Specifically

Tier 4 begins at a score of 10. To reach 10 on a 14-point scale, an asset must pile failure vectors across at least five of the seven factors — it is structurally impossible to score 10+ on a genuinely safe asset. wrsETH scored 12 because it fails on redemption (bridge-gated), bridge hops (L2 via OFT), regulatory posture (none), oracle (internal exchange rate), and liquidity depth (thin DEX), with one additional point each for rehypothecation depth and volatility. Any one of those failures would be a risk. Five of them compounding in one asset is a listing error.

The asset was not broken because ETH restaking is broken, and not because Kelp’s accounting is broken. It was broken because the fourth wrapper — the LayerZero OFT adapter — was configured as 1-of-1 DVN and could be forged with a single inbound packet, releasing 116,500 rsETH from the Ethereum-side adapter (balance dropped from 116,723 to 223 rsETH in one block) (LlamaRisk report).

Every wrap is a new trust assumption. By the time a token lives on an L2 through a bridge, there is also legal ambiguity about whether L1 and L2 holders share a pari passu claim — a question Aave is currently litigating in real time on the very forum this post appears on. Forum user gadget noted on April 20 that “All rsETH holders have equal redemption rights (pari passu), as per both the Issuer’s and the Service Provider’s documentation and statements prior to the incident. Preferential treatment of L1 holders over L2 holders would violate these rights” (Aave forum, April 20, 2026).

Aave cannot practically audit the DVN configurations, redemption mechanics, and legal terms of every bridge adapter underlying every LRT on every chain we deploy on. What we can do is declare a ceiling: the seven-factor score must stay below 10.

LlamaRisk’s own Liquid eMode research already endorses this direction, noting that Aave v3.2 allows “Soft Onboarding of new assets, offering more flexibility in isolation. For instance, ezETH can be introduced with 0 LTV and 0 LT in regular mode, ensuring it does not affect overall protocol risk” (LlamaRisk research). Extend that conservatism to Tier 4 assets permanently.

What I Am Asking For Specifically

@LlamaRisk — Given Chaos Labs’ departure on April 6, 2026 (CoinDesk), you are now the primary risk provider. I’d love to work with you to publish the following within 14 days:

1. a tier classification of every current Aave v3 collateral asset under the 7-factor schema above — or an equivalent of your own design that explicitly includes structural and market factors
2. a proposed mapping to LTV/LT deltas consistent with those tiers, and
3. explicit criteria under which an asset becomes ineligible.

Your Liquid eMode research already concedes that soft onboarding with 0 LTV and 0 LT is correct for uncorrelated assets; extend that reasoning to assets scoring in the Tier 4 band.

@AaveLabs / @stani — Aave’s public statement that the rsETH markets have been frozen because “Aave’s contracts have not been exploited and this is an exploit related to rsETH” (Aave X announcement, April 2026) is technically accurate but structurally insufficient. The exploit happened outside Aave; the listing decision, the 93% LTV, and the 11-chain deployment happened inside Aave. Please commit publicly to a deterministic, multi-factor collateral-tier framework — of the kind every professional risk manager uses — as part of the V4 rollout, before any additional LRT or bridged-LRT listings.

@MarcZeller / @ACI — Your retrospective documents that ACI has drafted over 35 governance proposals introducing LRTs to Aave, and that those LRTs generate $24.4M/year in reserve factor income representing 75.1% of total WETH debt (ChainCatcher). That is the revenue base that should be defended — not torched, but priced correctly. A 10-point interim LTV cut on weETH is a rounding error against the Scenario 2 bad debt range of $230.1M. Publicly co-sponsor this framework or publish the counter-framework.

What This Is Not

This is not a proposal to delist weETH, ezETH, or sUSDe. It is not a proposal to zero LTVs or shut down LRT looping. It is not a pause on V4. It is not a referendum on Aave Labs, Chaos Labs’ departure, or any adjacent governance dispute.

It is a proposal that Aave adopt a deterministic, seven-factor asset safety framework — covering structure, regulation, oracles, volatility, and liquidity — and stop accepting collateral that scores in the Tier 4 band. Everything downstream of that — the LTV deltas, the Tier 3 treatment, the revenue implications — is arithmetic.

I would love to help bring this to the community in any way it sees fit, and have several proposals on how Aave can do due diligence on assets in real time on the basis of its collateral.

The rsETH incident has handed Aave governance a free lesson it would have otherwise paid several hundred million dollars to learn. Let’s not waste it.

-– Robby Greenfield IV | Tokédex

Sources Cited (in order of appearance)

1. LlamaRisk / Aave service providers, rsETH Incident Report (April 20, 2026): https://governance.aave.com/t/rseth-incident-report-april-20-2026/24580

2. Aave Governance Proposal 311 (rsETH/wstETH eMode): https://vote.onaave.com/proposal/?proposalId=311

3. DeFi Prime, “The KelpDAO rsETH Exploit: $292M Minted From a 1-of-1 Bridge”: https://defiprime.com/kelpdao-rseth-exploit

4. CoinDesk, “The $13 billion DeFi wipeout” (April 20, 2026): https://www.coindesk.com/markets/2026/04/20/defi-tvl-drops-more-than-usd13-billion-in-two-days-following-kelp-dao-hack

5. CoinDesk, “Aave records $6 billion TVL drop” (April 19, 2026): https://www.coindesk.com/tech/2026/04/19/aave-records-usd6-billion-tvl-drop-as-kelp-hack-exposes-structural-risk-at-defi-lender

6. Chainalysis, cross-chain bridge hacks 2022 summary: https://www.chainalysis.com/blog/cross-chain-bridge-hacks-2022/

7. CoinDesk, “Aave Should Block Curve Token Borrowing” (Aug 2, 2023): https://www.coindesk.com/tech/2023/08/02/aave-should-block-curve-token-borrowing-risk-management-firm-proposes

8. Crypto Times, “Aave’s CRV Borrowing Ban Passes with 100% Community Support”: https://www.cryptotimes.io/aaves-crv-borrowing-ban-passes-with-100-community-support/

9. Singh, M. (2011), “Velocity of Pledged Collateral: Analysis and Implications,” IMF Working Paper 11/256: https://www.imf.org/en/Publications/WP/Issues/2016/12/31/Velocity-of-Pledged-Collateral-Analysis-and-Implications-25332

10. Singh, M. & Aitken, J. (2010), “The (Sizable) Role of Rehypothecation in the Shadow Banking System,” IMF Working Paper 10/172: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1653186

11. ICMA, “What is rehypothecation of collateral?”: https://www.icmagroup.org/market-practice-and-regulatory-policy/repo-and-collateral-markets/icma-ercc-publications/frequently-asked-questions-on-repo/10-what-is-rehypothecation-of-collateral/

12. EtherFi FAQ documentation: https://etherfi.gitbook.io/etherfi/getting-started/faq

13. ChainCatcher / ACI ecosystem-contribution retrospective (April 2026): https://www.chaincatcher.com/en/article/2248017

14. CoinDesk, “Aave loses key risk manager Chaos Labs” (April 6, 2026): https://www.coindesk.com/tech/2026/04/06/aave-loses-key-risk-manager-chaos-labs-amid-contributor-exodus-and-disputes

15. Invezz, “Aave price turns bullish as team moves to contain the KelpDAO exploit” (citing Aave X statement, April 20, 2026): https://invezz.com/news/2026/04/20/aave-price-turns-bullish-as-team-moves-to-contain-the-kelpdao-exploit/

16. LlamaRisk, “Understanding Aave v3.2’s Liquid e-Mode”: https://research.llamarisk.com/research/understanding-aave-v3-2-s-liquid-e-mode-a-deep-dive-into-enhanced-capital-efficiency

what about PT-susde

T3 or T4?

This is an excellent question - and one that admittedly has motivated an iteration to the framework. I’ll explain why:

When I applied the Asset Safety Tier (AST) v1.0 to Pendle’s PT-sUSDe, the framework correctly identified the asset as T4 (ineligible under standard parameters) based on redemption posture, rehypothecation depth, oracle fragility, and liquidity constraints.

But the exercise exposed a structural blind spot (which you may be hinting toward): v1.0 scored a 14-day PT and a 365-day PT identically, because none of its seven factors captured time-to-maturity as a risk dimension. For spot-like collateral this was never a problem — ETH, stETH, and USDC don’t have expiration dates. For time-bound instruments like Pendle PTs, now representing over $500M in lending-protocol collateral, duration-blindness meant the framework ignored the single variable TradFi fixed-income desks have priced since Macaulay formalized duration risk in 1938. AST v2.0 resolves this by adding Factor 8 (Time-to-Maturity Risk Window), scored 0 for all non-time-bound assets. Every v1.0 tier assignment is preserved by construction; the framework now distinguishes a near-maturity PT from a long-dated one without disturbing settled scores.

Scores (0 = safest, 2 = highest risk):

Total: 10–12 of 16, depending on maturity (i.e., it’s ineligible).

The point I want to raise: duration isn’t being priced. A 14-day PT-sUSDe and a 365-day PT-sUSDe have identical structural factors but very different exposure windows. Liquidators holding a near-maturity PT can wait out stress; liquidators holding a 12-month PT cannot. TradFi fixed-income desks have priced this since Macaulay (1938). The current LTV of 91% applies uniformly across the tenor curve, which seems incorrect.

Operationally, this would mean: LTV rotates automatically as maturity approaches, without governance overhead. A 365-day PT onboarded with a 50% LTV and supply cap would loosen toward its terminal parameters over the 12 months — mechanically, continuously. The Pendle SDK and subgraph already expose maturity_timestamp, so the oracle adapter has what it needs.

What Aave is already doing right: isolation mode, supply caps, the custom PT oracle with discount-curve logic, and the aggressive reduction from the May 2025 peak. None of that is in dispute.

What might be worth considering: a duration-graded LTV curve rather than a flat parameter. Happy to share the full framework writeup if useful — it’s general, covers the existing Aave collateral list, and preserves backward compatibility with current T1/T2/T3 assignments (ETH, wstETH, cbETH, etc. scores don’t change).

Not proposing a delisting. Proposing that the parameter surface gets a time axis, it currently lacks.

You are wrong about PTs not being able to be redeemed immediately at par. Throughout the PT’s lifespan, users can redeem the underlying asset using the exit function, exiting the position from 1 PT and 1 YT token to the original asset. These token’s value might fluctuate from the time they are accquired but there is a way to redeem the underlying asset, not through a liquidity pool, immediately.