Editor's Note: Chaos Labs has announced its decision to proactively end its risk management collaboration with Aave and is seeking early termination of this authorized relationship. As the core team that has provided risk pricing and management for all of Aave's V2 and V3 markets over the past three years, its departure comes at a critical juncture as Aave is advancing its V4 architectural restructuring and institutional expansion.

In the statement, Chaos Labs emphasized that this decision was not due to short-term budget disagreements but rather a fundamental divergence in the perception of "how risk should be managed." With the loss of core contributors, increasing system complexity, and the architectural rewrite brought by V4, the responsibilities and costs of risk management have significantly expanded, but resource allocation and priority setting have not been adjusted accordingly.

The article further points out that as DeFi gradually attracts institutional funds, the risk record itself has become the most critical "admission asset." When a protocol needs to simultaneously handle more complex system structures and higher compliance standards, risk is no longer just a technical issue but a foundational capability that determines its sustainable operation.

As DeFi enters its next phase, where should risk management be positioned, and is the industry willing to bear the corresponding costs?

Below is the original text:

Since November 2022, Chaos Labs has priced every loan initiated on Aave and managed the risks for all Aave V2 and V3 markets across various networks, during which no materially impactful bad debts occurred.

During this period, Aave's Total Value Locked (TVL) grew from $5.2 billion to over $26 billion, with cumulative deposits exceeding $2.5 trillion and over $2 billion in completed liquidations.

Today, we have decided to proactively end this authorized relationship and seek early termination of the collaboration.

This decision was not made hastily. We have always collaborated in good faith with DAO contributors, and Aave Labs has remained professional, even increasing the budget to $5 million to retain us. However, we chose to leave because this collaboration no longer aligns with our fundamental understanding of "how risk should be managed."

Although there are differences in future paths, I still believe Aave Labs is acting in what it perceives as the best interest of Aave.

Why We Chose to Leave

Over the past three years, we have stood with Aave through multiple market crises—moments that tested nearly every parameter we set and every machine learning model we built.

When we joined, the DAO's annualized net expenditure was negative $35 million; a few months ago, it peaked at $150 million. As one of the core contributors, we take pride in this journey.

People do not easily walk away from such an experience. Therefore, for the sake of transparency and as a reference for the DAO's future, we explain our reasons here.

Funding can solve many problems, but not all. The deeper issue lies in the structural divergence between the two parties on the fundamental question of "how to manage risk." As discussions about the future path continued, this divergence became increasingly clear.

Ultimately, the issue boils down to three points:

The departure of core Aave contributors has significantly increased the workload and operational risks;

The launch of V4 has expanded the scope of risk management functions, increasing operational and legal responsibilities, and its architecture was not designed by us, nor is it a design approach we would adopt;

Over the past three years, we have consistently operated Aave's risk management at a loss. Even with a $1 million budget increase, overall operations would still be in negative profit.

This leaves only two choices, neither of which we can accept:

Doing our best with insufficient resources but failing to meet the risk management standards expected of the "world's largest DeFi application";

Continuing to subsidize Aave's risk operations with our own funds, sustaining losses.

Even if the economic issues were resolved, the divergence in risk priorities and management approaches remains, and this cannot be solved simply by increasing the budget.

However, none of this changes our perspective on this work.

For Chaos Labs, contributing to Aave has always been an honor and a heavy responsibility. Our reputation is built on our track record. Every collaboration must be done to the standard it deserves, or not at all.

People, Technology, and Operational Experience

Aave is an excellent brand. Its leading position does not stem from the flashiest features or the most aggressive growth strategies.

What has long given Aave its advantage is its "reliability." Brand and market sentiment are essentially lagging reflections of its performance, security, and risk management capabilities—especially in extreme market conditions that have destroyed other participants. It is on this foundation that the consensus of "Just Use Aave" has gradually formed.

Competitors have launched more aggressive mechanisms and growth strategies, but they have collapsed one after another due to risk management failures or security vulnerabilities. In a market composed of the world's most volatile assets, "survivability" is the product itself. Those who can manage risk better and longer will prevail.

Aave's true innovation, however, lies in areas many protocols overlook: processes and infrastructure. The Risk Oracles we built and first launched on Aave enable the protocol to self-heal and update parameters in real-time based on dynamic and highly volatile market conditions. This infrastructure supports Aave's expansion to over 250 markets across 19 blockchains, handling hundreds of parameter updates monthly while maintaining rigorous operational standards, thus earning the trust it holds today.

This rigor stems from a specific collaboration system and execution stack: ACI handles growth and governance (@Marczeller), TokenLogic handles treasury management and growth (@Token_Logic), BGD handles protocol engineering (@bgdlabs), and Chaos Labs handles risk management.

The brand is what the outside world sees; what truly makes it worth seeing are the people, technology, and operational experience behind it.

GTM and Institutional Expansion

Our contributions extend far beyond risk management.

Over the past few years, the crypto industry has rapidly institutionalized. The world's largest financial institutions have begun accessing DeFi, but no matter how real the on-chain yields are, they are outweighed by one prerequisite: if institutions fear client funds could be at risk, none of this matters. For any regulated entity, all discussions begin and end with risk. A few extra basis points of yield are never worth risking principal. Institutions seek risk-adjusted returns, and they will not allocate funds to a protocol they cannot "clearly explain" to their compliance teams.

Precisely because of this, Aave's risk record has become its most important GTM asset. And we, as the builders of this record, have thus been able to directly engage with these institutions. At the request of Aave Labs, we took on this role, meeting with partners globally, producing research and due diligence materials, and personally participating in Aave's institutional expansion. We also hope the DAO will continue to benefit from these accumulated efforts in the coming months.

Ship of Theseus

If every plank of a ship is replaced, is it still the same ship? The name remains, the flag remains, but the foundation is already different.

Aave is now in such a state. The core contributors who built and operated V3 have left, and the operational experience that supported Aave through market cycles over the past three years has been lost with them.

We are the last remaining technical contributor from this group.

V3 remains the largest application in DeFi, requiring 7×24×365 risk management. Although Aave Labs is optimistic about a rapid migration to V4, history shows that such migrations often take months or even years. Until V4 fully assumes V3's markets and liquidity, both systems must run in parallel. The workload does not halve; it doubles.

More critical is operational experience. Even assuming different teams have equal capability, the experience accumulated over three years of continuous operation cannot be directly handed over.

How long will it take to bridge this gap? The answer is clearly not "zero." And until the gap is closed, someone must bear this cost—a responsibility that falls almost entirely on us, while the budget is already insufficient for the expanded scope.

The continuity of the brand is not equivalent to the continuity of the system.

Why V4 Is Different

V4 is a completely new lending protocol with entirely new smart contract code, system architecture, and design paradigms. Aside from the name, it bears little resemblance to Aave V3.

Architectural changes directly impact risk: more cross-market, cross-module interdependencies,全新的信用结构, and adjusted liquidation logic. And the "second-order risks" of any new protocol only gradually apparent after real funds enter the system.

Responsibly taking over this system means rebuilding infrastructure, toolchains, and simulation systems from the ground up and redoing the entire operational process on a codebase that has not yet been market-tested. This scope is far greater than V3, and this is at the core of our decision.

Risk is downstream of architecture. When the architecture undergoes fundamental changes, risk management itself must be重构. Unlike standardized services like price oracles or reserve proofs, the Risk Oracle and its supporting systems must be customized for the specific protocol architecture. Once the architecture is rewritten, the risk infrastructure must be rebuilt.

The problem is: the scope has significantly expanded, but resources have not increased accordingly. Aave Labs may be able to accept such a trade-off, but we cannot.

The Real Cost of This

We are walking away from a historically well-functioning, $5 million collaboration. For a startup, this is by no means a decision made lightly, and thus deserves fuller context.

Remuneration is only part of it; more importantly, it's a signal: how many resources an organization dedicates to risk reflects its priority on risk.

Simultaneously, I also believe that few truly understand the actual costs, real expenditures, and risks borne by such systems. Therefore, I hope to clarify this here.

It must be clear: the DAO has every right to decide what it values and how much it is willing to pay for it. I have no objection to that. My duty is merely to judge whether these conditions are suitable for us—and this time, they are not.

Comparing Aave to a Bank

Aave often compares itself to a bank, and we use this standard for perspective. Banks typically allocate 6%–10% of their revenue to compliance and risk infrastructure. In 2025, Aave's revenue was $142 million, and our budget was $3 million, accounting for about 2%.

We estimate that the minimum risk budget for V3 + V4 should be $8 million to cover the broader risk scope, additional infrastructure, and the GTM work we have already undertaken, accounting for about 5.6% of revenue, still below the lower bound for banks.

And this comparison might even be "generous." The openness of blockchain makes it more complex and asymmetric in terms of market risk and cybersecurity risk. The protocol's open-source transparency means the attack surface is equally visible to everyone. Recent series of attacks have proven this is not a theoretical risk. We believe DeFi should invest more in risk than traditional finance, not less.

Of course, Aave's scale has almost no comparable counterpart in DeFi; banks are just a reference point to understand how much institutions that "take risk seriously" typically invest. Whether a protocol "has the ability" to invest in risk and whether it "chooses to invest" are two different things.

For Aave, capability is not the issue: the DAO holds approximately $140 million in reserves, and Aave Labs just passed a $50 million self-funding proposal. But even if resources were scarce, the cost of risk management would not change. Budgets cannot reshape the threat structure—cost is cost.

Costs That Don't Appear in the Budget

Manpower and infrastructure are only explicit costs; there are also隐性成本 that are harder to quantify but must be borne.

First, legal and institutional risk. Engaging in risk management in DeFi (whether as a risk manager or treasury manager) faces undefined liability boundaries. There is no mature regulatory framework, no "safe harbor," and no clear legal definition of what responsibility risk managers should bear when a protocol fails. When the system functions normally, this work is "invisible"; once problems arise, the responsibility does not disappear.

Second, network and operational security. Providing risk services for a protocol managing tens of billions of dollars in assets itself becomes a target for attacks. The costs of audits, monitoring, infrastructure, and internal control systems rise in tandem with user deposit规模.

These costs are not unique to us. Any team taking on this role at this scale would face the same exposure. The question is whether the collaboration structure reflects this reality.

If the upside is limited and the downside risk is unlimited, then choosing to continue is not "having faith"; it is poor risk management.

Our Principles

At Chaos, we always adhere to a simple principle: we only put our name to work we fully stand behind.

When things go well, this principle is easy to uphold; what truly matters is when it comes at a cost. Today, that cost is $5 million.

I once wrote in "The Market Crypto Never Built" what institutional-grade risk management should look like. This decision is the embodiment of that belief in reality. If we advocate for higher standards in the industry, we must first hold ourselves to those standards.

I hope V4 will succeed. If it turns out our concerns were overestimated, that would be good for the entire industry.

To the Aave community: Thank you for the trust during this time; it has been our honor.