
Who Will Shoulder the Next Black Swan Event in the Bear Market After Aave—the Largest DeFi Protocol—Loses Its Security Team?
Risk control is truly needed during bear markets.
Author: TechFlow
The largest DeFi lending protocol is undergoing a silent exodus of its security team.
Yesterday, a company called Chaos Labs sent out a farewell letter announcing the termination of its collaboration with Aave. Most users may not have heard of this name—but over the past three years, every single loan and collateral ratio, liquidation threshold, and risk parameter on Aave was defined by this firm.
They also built an automated system called the Risk Oracle, capable of dynamically adjusting parameters in real time with market conditions. Relying on this system, Aave expanded from dozens of markets to over 250 markets across 19 blockchains. For three years, they managed hundreds of billions of dollars in liquidity pools—without a single bad debt.
In short: while smart contracts power Aave, it was Chaos Labs that determined the numbers embedded within those contracts.
CEO Omer Goldberg’s farewell letter was gracefully worded, and his performance summary was detailed: Total Value Locked (TVL) grew from $5.2 billion to over $26 billion; cumulative deposits exceeded $2.5 trillion; liquidations surpassed $2 billion...

Then he stated: “We proactively proposed terminating the contract.” No one fired them, and the contract hadn’t yet expired. Meanwhile, Aave founder Stani Kulechov responded calmly, saying the protocol continues operating normally—and another risk service provider, LlamaRisk, will assume responsibility.
It sounds like nothing happened at all.
Yet when a risk management team that operated flawlessly for three years voluntarily departs the largest DeFi lending protocol, such an event would be considered an ill omen in traditional finance.
Goldberg noted in his statement that the disagreement wasn’t about money—but rather a fundamental misalignment in risk management philosophy between the two parties.
Less Money, More Frustration
To retain Chaos Labs, Aave Labs offered to raise their annual budget from $3 million to $5 million. Chaos Labs still left.
Goldberg cited three non-negotiable reasons for departure—but reading through them reveals they all point to the same conclusion.
The first is money. Aave generated $142 million in revenue in 2025, allocating only $3 million—just 2%—to risk management. Traditional banks typically spend 6%–10% of revenue on compliance and risk control.
Goldberg said the team had been operating at a loss for the past three years—even with the budget increased to $5 million, it would still be unprofitable. He believes a reasonable floor would be $8 million. Aave’s treasury holds $140 million, and Aave Labs recently approved a $50 million funding proposal for itself—suggesting the protocol isn’t cash-strapped, but simply unwilling to allocate that much to its security team.
The second is workload. Aave is upgrading from V3 to V4, rewriting its underlying architecture, smart contracts, and liquidation logic entirely. Goldberg remarked that V4 and V3 share only one thing—their name. During the transition, both systems must run in parallel, meaning risk management workload doesn’t halve—it doubles.
The third is liability. Legal accountability for DeFi risk managers remains entirely undefined: there is no regulatory framework, no safe harbor provisions. When things go well, you’re invisible; when something breaks, you’re the first person held accountable. As Goldberg put it directly: “If the upside is marginal profit while the downside carries unlimited liability, continuing to operate under these conditions is itself a poor risk management decision.”
This argument is hard to refute. A protocol generating $140 million annually allocates just 2% of its revenue to safeguarding hundreds of billions in assets—while demanding double the workload and offering zero legal protection if things go wrong.
Would you stay?
Naturally, the other side tells a different story. In his X post, Aave Labs founder Kulechov implied that Chaos Labs had already begun scaling back its risk consulting services, reducing engagements with other protocols.
The implication is clear: the stated reasons in the farewell letter may serve more as a dignified narrative for departure than objective truth.
Whether the split reflects genuine philosophical divergence—or simply a convenient exit—is impossible for outsiders to judge. But one fact is certain: Chaos Labs isn’t the only one leaving.
A Bear Market Compounded by Misfortune
Aave still bears the same name—but the people who built it have largely departed over the past two months.
In February this year, BGD Labs—the core development team behind Aave V3—announced it would not renew its contract. Founded by former Aave CTO Ernesto Boado, BGD authored nearly all of V3’s codebase, governance system, and cross-chain deployment. After four years, their contract simply expired—and they walked away.
BGD’s rationale was straightforward: Aave Labs has been centralizing authority—V4 development, brand assets, and social media accounts are now fully controlled by Aave Labs. BGD felt it retained no design input, yet remained liable for outcomes—a classic case of being “sidelined” in traditional corporate terms.
A month later, ACI—the most active service provider in Aave’s governance ecosystem—also announced its departure. This eight-person team drove 61% of Aave’s governance proposals over three years. Founder Marc Zeller wrote bluntly in his farewell letter: Aave Labs can unilaterally approve its own budget using its voting power, rendering independent service providers functionally irrelevant within the current governance structure.
Two farewell letters in two months—one citing sidelining, the other citing unfair rules.

Then, in March this year, another incident occurred.
A configuration error in the risk management system built by Chaos Labs triggered erroneous liquidations totaling approximately $27 million, affecting at least 34 users. Chaos Labs confirmed no bad debt occurred, and impacted users will receive compensation.
Ultimately, no party bore legal liability—because DeFi lacks any legal framework defining accountability.
Yet managing hundreds of billions in assets means a single misconfigured parameter can swing tens of millions in value—while your legal protections remain nonexistent. This precise issue was repeatedly emphasized in the risk team’s farewell letter.
Thus, Aave’s V3-era operations rested on four pillars: development, governance, risk management, and financial growth. Now, the first three have collapsed.
The risk team’s farewell letter includes a metaphor: the Ship of Theseus. If every plank on a ship is replaced, is it still the same ship?
The Aave name remains. Its smart contracts continue running. Its TVL keeps rising. Yet the team writing its code has left. The team overseeing governance has left. The team managing risk has left. Users continue depositing and borrowing—most likely unaware that everything beneath the surface has been completely replaced.
What truly unsettles people isn’t merely who left—but that nothing seemed to happen after they did.
Users open the interface, deposit funds, borrow assets, see normal interest rates and liquidations—everything appears unchanged. Unless someone actively reads the governance forum, most users won’t even know what transpired over the past two months.
In the short term, perhaps nothing actually changes. Smart contracts won’t halt because the risk team departs; pre-configured parameters won’t spontaneously shift. And Aave still has LlamaRisk—a backup risk service provider—so it’s not entirely exposed.
But risk management isn’t a one-time engineering task. Parameters don’t remain optimal forever—markets evolve, assets change, and on-chain attack vectors constantly adapt. Whether the new team can respond as swiftly next time remains unknown.
Moreover, this isn’t happening during calm waters.
AAVE’s token price has plunged over 70%, falling from its August 2023 high of $356 to around $96 today. The entire DeFi lending sector is contracting, on-chain activity is declining, and protocol revenues are under pressure.
In bull markets, risk management stays invisible—no one applauds for “another day without incident.” In bear markets, however, risk management becomes indispensable: volatile asset prices, heightened liquidation frequency, and increased black swan probability collectively test a team’s experience and responsiveness like never before.
And precisely at this moment, the most experienced practitioners have departed.
The risk team’s farewell letter included one sentence the author finds especially incisive: “Aave succeeded against more aggressive competitors—not because it offered more features, but because others blew up while Aave didn’t. In this market, survival *is* the product.”
The question now is: have the people who ensured that survival already left?














