With three core team members "defecting" within two months, who will bail out Aave during the bear market?

深潮TechFlow
深潮TechFlow
  • Chaos Labs, the risk control team for DeFi's largest lending protocol Aave, voluntarily ends cooperation and leaves due to low budget (2% of revenue), increased workload (V4 upgrade), and undefined legal liability.
  • Following departures of core development team BGD Labs and governance service provider ACI, this raises concerns about Aave's risk management capabilities and stability.
  • Users may be unaware of these changes, with minimal short-term impact, but loss of experienced teams in a bear market increases long-term risks, especially during asset price volatility and higher liquidation frequency.
  • During Chaos Labs' tenure, no bad debt occurred, but lack of legal protection and higher risk demands in V4 upgrade pose uncertainties for new teams handling future incidents.
Summary

Author: Deep Tide TechFlow

The largest DeFi lending protocol is experiencing a quiet exodus of its security team.

Yesterday, a company called Chaos Labs issued a farewell letter announcing the termination of its partnership with Aave. Most users may not have heard of this company, but for the past three years, this company has been responsible for setting the collateral ratio, liquidation threshold, and risk parameters for every loan you made on Aave.

They also built an automated system called Risk Oracle, which can adjust parameters in real time according to market conditions. Aave used this system to expand from dozens of markets to more than 250 markets across 19 chains. In three years, they managed a pool of hundreds of billions of dollars with zero bad debts.

To put it simply, smart contracts run on Aave, but Chaos Labs is always in charge of ensuring the accuracy of the numbers entered in those contracts.

CEO Omer Goldberg's farewell letter was well-written, and the report card was detailed. TVL grew from $5.2 billion to over $26 billion, total deposits exceeded $2.5 trillion, and over $2 billion was liquidated...

He then said, "We proactively terminated the contract. Nobody fired them, and the contract hadn't expired." Meanwhile, Aave founder Stani Kulechov responded calmly, saying the agreement was functioning normally and another risk service provider, LlamaRisk, would take over.

It sounds like nothing happened.

However, the departure of a risk control team that had managed the platform for three years without any issues from the largest DeFi lending protocol is considered an ominous sign in traditional finance.

In his statement, Goldberg said the disagreement wasn't about money, but about a fundamental misunderstanding of risk management between the two sides.

Less money, more grievances

In an attempt to retain Chaos Labs, Aave Labs offered to increase Chaos Labs' annual budget from $3 million to $5 million. Chaos Labs still left.

Goldberg gave three reasons why he had to leave in his statement, but after reading them, you'll find that they all point to the same conclusion.

The first is money. Aave's total revenue in 2025 was $142 million, with a risk control budget of $3 million, accounting for 2%. Traditional banks typically spend 6% to 10% of their revenue on compliance and risk control.

Goldberg said they've been losing money on this for the past three years, even with the budget increased to $5 million, they're still operating at a loss. He believes a reasonable bottom line is $8 million. Aave has $140 million in its coffers, and Aave Labs just approved a $50 million funding proposal, so it seems the agreement isn't about lacking funds, but rather about not wanting to allocate that much to the security team.

The second is the need for dynamism. Aave is upgrading from V3 to V4, completely rewriting its underlying architecture, contracts, and liquidation logic. Goldberg said the only thing V4 and V3 have in common is their names. During the upgrade, the two systems will run in parallel, and the workload for risk control will not be halved, but doubled.

The third issue is responsibility. The legal responsibility of DeFi risk managers is currently completely undefined, lacking a regulatory framework and safe harbor provisions. When things are going well, you're invisible; when things go wrong, you're the first to be held accountable. As Goldberg stated, if the upside potential is minimal and the downside is bottomless, then continuing is itself a poor risk management decision.

I find this argument hard to refute. Imagine an agreement with an annual income of 140 million, giving a team managing the security of tens of billions of assets only 2% of their budget, and then telling them to double their workload, with no legal protection if anything goes wrong.

What would you do in my shoes?

Of course, the other side has a different story. Aave Labs founder Kulechov's response on X suggests that Chaos Labs has recently been scaling back its risk consulting business and has begun to reduce its collaborations with other agreements.

The implication is that the reasons given in the farewell letter were more like a way to give a respectable narrative for leaving.

Whether it was a clash of philosophies or a convenient excuse, outsiders can't judge. But one thing is certain: Chaos Labs wasn't the only one to leave.

A bear market is compounded by a sudden downpour.

Aave is still called Aave, but the people who built it have all left in the past two months.

In February of this year, BGD Labs, the core development team of Aave V3, announced that it would not renew its contract. This company was founded by Ernesto Boado, the former CTO of Aave, and was responsible for most of V3's code, governance system, and cross-chain deployment. After four years, they left when their contract expired.

BGD's reasoning is straightforward. Aave Labs is consolidating power in its own hands; the development of V4, brand assets, and social media accounts are all controlled by Aave Labs. BGD feels it has no right to participate in the design, yet it is responsible for the results. In a traditional company, this would be called being sidelined.

A month later, ACI, the most active service provider in Aave's governance system, also announced its departure. This eight-person team had driven 61% of Aave's governance proposals over three years. In his farewell letter, founder Marc Zeller put it bluntly: Aave Labs could use its own voting rights to pass its own budget, and independent service providers were no longer relevant in this system.

Two farewell letters in two months: one saying he was sidelined, the other saying the rules of the game were unfair.

Then another thing happened in March of this year.

A configuration error in Chaos Labs' risk control system led to the erroneous liquidation of approximately $27 million in positions, affecting at least 34 users. Chaos Labs stated that no bad debts were incurred and affected users will receive compensation.

Ultimately, no one was held legally responsible for this incident because there is no legal definition of who should bear responsibility in DeFi.

However, managing hundreds of billions of dollars means that a single misadjustment of a parameter could result in fluctuations of tens of millions of dollars, while your legal protection is practically zero. This is precisely the issue that the risk control team repeatedly emphasized in their farewell letter.

Thus, Aave in the V3 era operated on four pillars: development, governance, risk control, and financial growth. Now, the first three are gone.

The risk control team's farewell letter used the metaphor of the Ship of Theseus. If you replace every single plank of a ship, is it still the same ship?

The name Aave is still around, the contracts are still running, and the TVL is still rising. But the team that wrote the code is gone, the governance team is gone, and the risk control team is gone. Users continue to deposit and borrow money as usual, probably completely unaware that everything beneath the surface has been changed.

What's truly unsettling about this isn't who left, but that nothing happened after they left.

Users open the page, deposit money, borrow money, interest rates are normal, settlement is normal, everything seems normal. Unless someone specifically reads the governance forum, most users have no idea what has happened in the past two months.

In the short term, things might really be fine. Smart contracts won't stop working just because the risk control team leaves, and the pre-set parameters won't change on their own. Aave also has a risk service provider, LlamaRisk, so it's not completely unprotected.

But risk control is not a one-time project. Setting parameters correctly doesn't guarantee they'll always be suitable; markets change, assets change, and on-chain attack methods change. Who knows if the new team can react as quickly next time a similar incident occurs?

Besides, this is not a time for calm and tranquility.

AAVE's price has fallen by more than 70%, from a high of $356 last August to around $96 now. The entire DeFi lending sector is shrinking, on-chain activity is declining, and protocol revenue is under pressure.

During a bull market, risk control is invisible; no one applauds that "nothing went wrong today." It's during a bear market that risk control truly becomes necessary, because the dramatic fluctuations in asset prices, increased liquidation density, and higher probability of black swan events present the most challenging period for risk control teams, demanding the best in terms of experience and reaction speed.

Unfortunately, at this stage, the most experienced group of people left.

In their farewell letter, the risk control team made a statement that I think is very accurate. Aave's success against its more aggressive competitors wasn't due to its numerous features, but because while others failed, Aave didn't. In this market, survival depends on the product.

The problem now is that the people who kept it alive may no longer be around.

Share to:

Author: 深潮TechFlow

Opinions belong to the column author and do not represent PANews.

This content is not investment advice.

Image source: 深潮TechFlow. If there is any infringement, please contact the author for removal.

Follow PANews official accounts, navigate bull and bear markets together
Telegram Discussion Group
Telegram News Channel
@PANews
Recommended Reading
Biteye

Biteye

Biteye and PANews jointly released AI Layer1 research report: Finding fertile ground for DeAI on the chain
PA日报

PA日报

PA Daily | Hemi mainnet will be launched on March 12; Binance CEO said the current market adjustment is a tactical retracement rather than a trend reversal
PA一线

PA一线

Important information from last night and this morning (February 25-February 26)
Odaily星球日报

Odaily星球日报

AAVE price hits new high again? Chainlink could help generate tens of millions of dollars in revenue per year
Techub News

Techub News

Behind the dispute between Polygon and Aave: only competition, no symbiosis?
王尔玉

王尔玉

Aave被严重低估?为什么它是DeFi和链上经济的核心支柱

Popular Articles

Industry News
Market Trends
Curated Readings
Subscribe
PANews App
24/7 blockchain news tracking and in-depth analysis.
Download PANews App
App StoreGoogle Play
PANews APP
A network linked to Iran's Revolutionary Guard handled over $178 million in illicit funds related to Houthi oil in a single year.
PANews Newsflash