DeFi's largest protocol, Aave's security team, has left. Who will withstand the next black swan event in the bear market?

In a bear market, risk management is needed for real.

Author: Deep Tide TechFlow

The biggest DeFi lending protocol is going through a quiet exodus of its security team.

Yesterday, a company called Chaos Labs issued a farewell letter announcing the termination of its partnership with Aave. Most users probably have never heard this name, but over the past three years, every time you borrowed on Aave—your collateralization ratios, liquidation lines, and risk parameters—were shaped by this company.

They also built an automated system called Risk Oracle. It can adjust parameters in real time as the market moves. Using this, Aave expanded from dozens of markets to 250-plus markets across 19 chains. For three years, it oversaw pools worth hundreds of billions of dollars with zero bad debt.

Put simply, smart contracts run on Aave, but the numbers inside those contracts—what they are filled with—have always been guarded by Chaos Labs.

CEO Omer Goldberg’s farewell letter is written quite professionally, and the scorecard lists details in a very granular way. TVL rose from $5.2 billion to more than $25k, cumulative deposits exceeded $2.5 trillion, and liquidations exceeded $2 billion…

Then he said, we proactively proposed terminating the agreement. No one kicked them out, and the contract hadn’t even expired. Meanwhile, Aave founder Stani Kulechov responded very calmly, saying the protocol was operating normally, and that another risk services provider, LlamaRisk, would take over.

It sounds like nothing happened.

But a risk-management team that had managed three years without incident, and then voluntarily left the biggest DeFi lending protocol—this kind of thing is called an omen in traditional finance.

In the statement, Goldberg said the disagreement wasn’t about money. It was that the two parties’ underlying philosophies toward risk management no longer matched.

Less money, more resentment

To retain talent, Aave Labs proposed increasing Chaos Labs’s annual budget from $3 million to $5 million. Chaos Labs still left.

In the statement, Goldberg gave three reasons that had to be reasons for them to leave, but once you read them, you’ll find they point to the same conclusion.

The first is money. Aave’s total revenue for all of 2025 is $142 million, and the budget for risk management is $3 million, accounting for 2%. In traditional banks, the share spent on compliance and risk management is typically 6% to 10%.

Goldberg said they had been losing money doing this for the past three years, and even if the budget increased to $5 million, they would still be operating at a negative profit. He believed the reasonable bottom line was $8 million. Aave’s treasury holds $140 million. Aave Labs just passed a $50 million funding proposal for itself—so it looks like the protocol isn’t short on money. It’s just that they don’t want to give the security team that much.

Second is time. Aave is upgrading from V3 to V4. The underlying architecture, contracts, and liquidation logic are all being rewritten. Goldberg said the only common point between V4 and V3 is the name. During the upgrade, two sets of systems need to run in parallel. The risk team’s workload isn’t halved—it doubles.

Third is responsibility. The legal responsibility borne by DeFi risk-management personnel currently has no clear definition. There’s no regulatory framework and no safe-harbor provisions. When things go smoothly, you’re invisible. When something goes wrong, you’re the first one they look for. Goldberg’s exact words were: If the upside is barely profitable and the downside has no floor, then continuing to do it is, by itself, a terrible risk-management decision.

The author thinks it’s hard to argue against that. A protocol earning $140 million a year gives a team that secures assets worth hundreds of billions only 2% of the budget, then tells them they need to do twice as much work. And if something happens, no one protects them legally.

If it were you, would you do it?

Of course, the other side’s story is different. In his response on X, Aave Labs founder Kulechov suggested that Chaos Labs was already in the process of shrinking its risk-consulting business recently and had started to reduce cooperation with other protocols.

The implication is that the reasons in the farewell letter are more like a dignified narrative for leaving.

Whether it was a clash of理念 or they just took the opportunity to leave, outsiders can’t tell. But one thing is certain: it wasn’t just Chaos Labs that left.

Bear market, sudden overnight rain

Aave is still called Aave, but the people who built it have largely walked out over the past two months.

In February this year, BGD Labs—the core development team behind Aave V3—announced it would not renew. This company was founded by Ernesto Boado, Aave’s former CTO. The V3 code, governance system, and cross-chain deployments all basically came from their hands. After four years, when the contract expired, they left.

BGD’s reasons were very straightforward. Aave Labs is consolidating power into its own hands. The V4 development, brand assets, and social accounts are all controlled by Aave Labs. BGD felt it had no right to participate in the design, yet it would still be held responsible for the results. In traditional companies, this is called being sidelined.

One month later, ACI—the most active service provider within Aave’s governance system—also announced its departure. This eight-person team had driven 61% of governance proposals during the three years. In the farewell letter, founder Marc Zeller said it very directly—the gist being that Aave Labs can use its own voting power to pass its own budget, and that independent service providers no longer matter in this system.

Two farewell letters over two months—one said it had been sidelined, and the other said the rules of the game were unfair.

Then earlier this year, in March, another incident happened.

A risk-management system built by Chaos Labs had a configuration error, causing approximately $27 million in positions to be liquidated incorrectly. At least 34 users were affected. Chaos Labs said no bad debt was generated, and that affected users would receive compensation.

In the end, no one took legal responsibility, because in DeFi there simply isn’t any legal definition of who should be responsible.

But when you manage hundreds of billions of dollars, a mistyped parameter leads to tens of millions of dollars in capital fluctuations—and your legal protection is effectively zero. The risk team repeatedly emphasized this very issue in its farewell letter.

At this point, during the V3 era Aave operated on four pillars: development, governance, risk management, and financial growth. Now the first three have all left.

In the risk team’s farewell letter, there’s a metaphor called the Ship of Theseus. If every wooden plank on a ship is replaced, is it still the same ship?

The Aave name is still there. The contracts are still running. TVL is still rising. But the teams that wrote the code have left, the team that managed governance has left, and the team that managed risk has left. Users continue to deposit and borrow as usual—maybe they don’t even realize that everything under the ship’s hull has already been replaced.

What truly makes people uncomfortable isn’t who left. It’s that after they left, nothing seemed to happen.

Users open the page, deposit, borrow, interest rates are normal, liquidations are normal—everything is business as usual. Unless someone specifically reads the governance forums, most users won’t know what happened over the past two months.

In the short term, maybe nothing really is wrong. Smart contracts won’t shut down just because the risk team left. Pre-set parameters won’t just change by themselves. Aave also has another risk services provider, LlamaRisk, so it isn’t completely bare.

But risk management isn’t a one-time engineering job. Having parameters set doesn’t mean they will always be appropriate. Markets change, assets change, and the methods of attack on-chain also change. If a similar incident happens next time, nobody knows whether the new team can respond as quickly.

Moreover, it’s not a calm, windless time right now.

Aave’s token price has fallen from the August last year peak of $356 to around $96 today—a drop of more than 70%. The entire DeFi lending track is shrinking. On-chain activity is declining. Protocol revenues are under pressure.

During a bull market, risk management is invisible—no one claps because “nothing happened today.” During a bear market, risk management is needed for real. Because asset prices are wildly volatile, liquidation frequency rises, and the probability of black swan events increases—this is precisely the stage that most tests a risk-management team’s experience and response speed.

And precisely at this stage, the most experienced people are the ones who left.

In the farewell letter, the risk team said a line that the author feels is very accurate. Aave was able to beat those more aggressive competitors not because it had more features, but because when others blew up, it didn’t. In this market, survival is the product.

The problem now is that the people who helped it survive might already be gone.