Original title: Chaos Labs Is Leaving Aave
Original author: Omer Goldberg
Compilation: Peggy, BlockBeats

Editor’s note: Chaos Labs announced that it would proactively end its risk-management partnership with Aave and seek an early termination of this licensing relationship. As the core team that, over the past three years, has provided risk pricing and management for all Aave V2 and V3 markets, its departure comes at a critical moment as Aave is moving forward with its V4 architecture restructuring and institutional expansion.

In its statement, Chaos Labs emphasized that this decision does not stem from a short-term budget disagreement, but from a mismatch in the parties’ understanding of the fundamental question of “how risk should be managed.” As core contributors leave, system complexity increases, and the architecture rewrite brought by V4 expands the scope of risk management responsibilities and costs significantly, resource investment and priority-setting have not been adjusted in tandem.

The article further points out that as DeFi gradually attracts institutional capital, risk records themselves have become the most critical “admission asset.” When a protocol needs to take on both a more complex system structure and higher compliance requirements, risk is no longer just a technical issue—it becomes the underlying capability that determines whether it can continue to function.

As DeFi enters the next stage, where exactly should risk management be positioned, and is the industry willing to bear the corresponding costs for it?

The following is the original text:

Since November 2022, Chaos Labs has priced every loan initiated on Aave and has been responsible for managing all risks across Aave V2 and V3 markets and their respective networks, with no bad debts that had any material impact.

During this period, Aave’s total value locked (TVL) increased from $5.2 billion to more than $26 billion, cumulative deposit size exceeded $2.5 trillion, and more than $2 billion in liquidations were completed.

Today, we have decided to proactively end this licensing relationship and seek to terminate our cooperation early.

This decision was not made in haste. We have always worked in good faith with DAO contributors, and Aave Labs has always remained professional. It even increased the budget to $5 million to retain us. However, we chose to leave because this partnership no longer aligns with our basic understanding of how risk should be managed.

Even though there are differences between the two parties on the future path, I still believe that Aave Labs is acting in the way it believes is most beneficial to Aave.

Why we chose to leave

Over the past three years, we have risen and fallen with Aave and gone through multiple market crises—moments that almost tested every parameter we set and every machine learning model we built.

When we joined, the DAO’s annualized net spend was -$35 million; a few months ago, its peak had reached $150 million. Throughout this process, as one of the core contributors, we truly felt proud.

People don’t easily give up an experience like this. Therefore, out of considerations for transparency, and so that it can serve as a reference for the DAO’s future, we explain the reasons here.

Funding can solve many problems, but not all of them. The deeper issue is that there are structural differences between the two sides on the fundamental question of “how to manage risk.” As more and more discussions take place about the future path, this discrepancy becomes ever clearer.

In the end, the problem boils down to three points:

The departure of core Aave contributors has significantly increased workloads and operational risks;

The launch of V4 expands the scope of risk-management functions, adds operational and legal responsibilities, and yet its architecture was not designed by us and is not the design approach we would adopt;

Over the past three years, we have consistently borne Aave’s risk-management work while operating at a loss. Even with a $1 million increase in budget, overall operations would still remain loss-making.

This means there are only two choices left—and we cannot accept either of them:

Do our best under insufficient resources, but fail to meet the risk-management standards that the “largest DeFi application in the world” should have;

Continue to subsidize Aave’s risk operations with our own funds, and keep bearing losses.

Even if the economic issue is resolved, the disagreement between the two parties regarding risk priorities and management methods still remains, and this is not something that can be solved simply by increasing the budget.

But none of this changes our view of this work.

For Chaos Labs, being able to contribute to Aave has always been an honor—and it also means a heavy responsibility. Our reputation comes from past track records. For every collaboration, either it is completed to the standards it should meet, or we don’t do it.

People, technology, and operational experience

Aave is an excellent brand. Its leading position does not come from the flashiest features or the most aggressive growth strategy.

What truly keeps Aave in a long-term position of advantage is its “reliability.” Brand and market sentiment are, in essence, lagging reflections of its performance, safety, and risk-management capability—especially in extreme market environments that destroy other participants. It is on this foundation that the consensus of “Just Use Aave” gradually formed.

Competitors rolled out more aggressive mechanisms and growth strategies, but one after another, they collapsed due to risk-management failures or security vulnerabilities. In a market composed of the world’s most volatile assets, “survivability” is itself the product. Whoever can manage risk better and for longer will win.

Aave’s true innovation, however, is found in areas many other protocols overlook: processes and infrastructure. The Risk Oracles we built and first deployed on Aave enable a protocol to self-heal and update parameters in real time based on dynamic and highly volatile market conditions. This infrastructure supports Aave’s expansion to more than 250 markets across 19 blockchains—processing hundreds of parameter updates every month while maintaining rigorous operational standards—thereby earning the trust it has today.

Over the past year, Chaos Labs has executed and continuously pushed more than 2,000 risk-parameter updates across Aave’s markets, covering both manual adjustments and automated Risk Oracle management mechanisms. This infrastructure allows Aave to expand to more than 250 markets across 19 blockchains while still enabling real-time risk management

The number of Aave risk-parameter updates carried out through human operators and Chaos Risk Oracles.

This rigor comes from a specific collaboration system and execution stack: ACI handles growth and governance (@Marczeller), TokenLogic handles capital management and growth (@Token_Logic), BGD handles protocol engineering (@bgdlabs), and Chaos Labs handles risk management.

Brand is only the part that the outside world can see; what truly makes it worth seeing is the people, technology, and operational experience behind it.

GTM and institutional expansion

Our contribution goes far beyond risk management.

In recent years, the crypto industry has rapidly moved toward institutionalization. The largest financial institutions in the world have started to access DeFi, but no matter how real the returns from “on-chain” might be, it cannot beat one prerequisite: if institutions worry that their clients’ funds could be damaged, then none of this matters. For any regulated entity, all discussions begin with risk and end with risk. An extra few basis points of return has never been worth taking on principal risk. Institutions pursue risk-adjusted returns, and they will not allocate funds to a protocol that their compliance team cannot “explain clearly.”

That is precisely why Aave’s risk track record has become its most important GTM asset. And we, as the builders of that record, are therefore able to talk directly with these institutions. At Aave Labs’ request, we took on this role—meeting partners globally, producing research and due-diligence materials, and personally participating in Aave’s institutional expansion. We also hope that the DAO can continue to benefit from these accumulations in the coming months.

Ship of Theseus

If every plank of a ship is replaced, is it still the same ship? The name stays the same, the flag stays the same, but the underlying reality is already different.

Aave is in a similar state now. Core contributors who built and operated V3 have left, along with the operational experience that supported Aave through market cycles over the past three years.

We are the last remaining technical contributor in this group.

V3 is still the largest application in DeFi by scale and requires 24/7/365 risk management. Although Aave Labs is optimistic about the rapid migration to V4, history shows that migrations like this often take months or even years. Until V4 fully takes over the markets and liquidity of V3, the two systems must run in parallel. The workload will not be cut in half—it will double.

More critically, it is operational experience. Even if we assume that different teams have equal capability, the experience accumulated from three years of continuous running cannot be directly transferred in handover.

How long does it take to close this gap? The answer is obviously not “zero.” And until the gap disappears, someone must bear that cost—and that responsibility falls almost entirely on us, especially since the budget is already insufficient even as the scope expands.

Continuing a brand does not equal continuing a system.

Why V4 is different

V4 is a brand-new lending protocol, with brand-new smart contract code, system architecture, and design paradigms. Aside from the name, it is almost nothing like Aave V3.

Changes at the architectural level directly affect risk: more cross-market and cross-module interdependencies, a new credit structure, and adjusted liquidation logic. Any “second-order risks” of a new protocol only gradually become apparent once real funds enter the system.

Taking over this framework responsibly means rebuilding infrastructure, toolchains, and simulation systems, and essentially doing a full operational run from 0 to 1 again on a codebase that has not yet been tested by markets. This scope is far greater than V3—and this is at the core of our decision.

Risk is downstream of architecture. When architecture changes fundamentally, risk management itself must be rebuilt accordingly. Unlike “standardized services” such as price oracles or proof-of-reserves, Risk Oracle and its supporting systems must be customized to the specific protocol architecture. Once the architecture is rewritten, the risk infrastructure must be rebuilt as well.

The problem is: the scope expands significantly, but resources are not increased in parallel. Aave Labs may be able to accept such a trade-off, but we cannot.

The real cost of this

What we are giving up is a collaboration that has worked well historically—$5 million. For a startup, this is by no means a casual decision, so it is also worth providing more thorough background.

Compensation is only part of it; more importantly, it sends a signal: how many resources an organization invests into risk reflects how it prioritizes risk.

At the same time, I also believe that very few people truly understand the actual costs of this kind of system, the real expenditures, and the risks being borne. Therefore, we hope to lay it all out clearly here.

It needs to be made clear that the DAO fully has the right to decide what it cares about and how much it is willing to pay for it. I have no objections to that. My responsibility is simply to judge whether these conditions are suitable for us—and this time, they are not.

Comparing Aave to a bank

Aave often compares itself to banks, and we use that standard as well. Banks typically allocate 6%–10% of their revenue to compliance and risk infrastructure. In 2025, Aave’s revenue was $142 million, while our budget was $3 million, accounting for about 2%.

We estimate that the minimum risk budget for V3 + V4 should be $8 million, to cover a broader risk scope, additional infrastructure, and the GTM work we have already taken on—about 5.6% of revenue—still below banks’ lower bound.

And this comparison may even be “generous.” The openness of blockchains makes them more complex and more asymmetric in terms of market risk and network security risk. Because protocols are open-source and transparent, the attack surface is visible to everyone. A recent series of attacks has already shown that this is not a theoretical risk. We believe DeFi should invest more in risk than traditional finance, not less.

Of course, Aave’s scale is almost incomparable within DeFi; banks are only a benchmark used to understand how much “serious organizations that take risk seriously” typically invest. Whether a protocol is “able” to invest in risk is one thing, and whether it “chooses” to invest is another.

For Aave, capability is not the issue: the DAO holds about $140 million in reserves, and Aave Labs has just passed a $50 million self-funded proposal. But even if resources are scarce, the cost of risk management does not change. Budgets cannot reshape the threat structure—cost is cost.

Costs that won’t show up in the budget

People and infrastructure are only the explicit costs. There are also some implicit costs that are harder to quantify, but must still be borne.

First, legal and institutional risk. In DeFi, doing risk management (whether you are a risk manager or a treasury manager) means dealing with responsibility boundaries that have not yet been clearly defined. Without a mature regulatory framework, no “safe harbor,” and no clear legal definition of what responsibility a risk manager should bear when a protocol fails, when the system is operating normally, these works are “invisible”; but once something goes wrong, responsibility does not disappear.

Second, network and operational security. Providing risk services for a protocol that manages hundreds of billions in assets makes the protocol itself a target for attacks. The costs of building audits, monitoring, infrastructure, and internal control systems rise in step with the size of users’ deposits.

These costs are not unique to us. Any team that takes on this role at this scale will face the same exposure. The question is whether this collaboration structure reflects that reality.

If upside returns are limited while downside risk is unlimited, choosing to continue is not “having convictions”—it is a bad approach to risk management.

Our principles

At Chaos, we always stick to a simple principle: to put our name only on work that we fully approve of.

When everything goes smoothly, it is easy to stick to this principle; what truly matters is when it requires paying a price. Today, that price is $5 million.

I wrote in “The Market Crypto Never Built” about what institutional-grade risk management should look like. This decision is a reflection of that belief in reality. If we argue that the industry needs higher standards, then we must first hold ourselves to those standards.

I hope V4 succeeds. If it turns out that our concerns were overstated, then it will be good news for the entire industry.

To the Aave community: Thank you for the trust over this period—it is our honor

[Original link]

Click to learn about BlockBeats recruiting for positions

Welcome to join the official BlockBeats community:

Telegram subscription group: https://t.me/theblockbeats

Telegram discussion group: https://t.me/BlockBeats_App

Twitter official account: https://twitter.com/BlockBeatsAsia