Who Guards Aave Now? The Silent Departure of DeFi's Largest Security Team

The largest DeFi lending protocol is undergoing a silent exodus of its security team.

Yesterday, a company called Chaos Labs published a farewell letter announcing the end of its partnership with Aave. Most users have probably never heard the name, but for the past three years, every collateral ratio, liquidation threshold, and risk parameter on Aave was set by this firm.

They also built an automated system called Risk Oracle that adjusts parameters in real time based on market conditions. With this system, Aave scaled from a handful of markets to over 250 across 19 chains. Three years managing hundreds of billions of dollars in liquidity pools, zero bad debt.

Put simply: smart contracts power Aave, but Chaos Labs decided what numbers went inside them.

CEO Omer Goldberg's farewell letter was gracious, and the track record he laid out was impressive: TVL grew from $5.2 billion to over $26 billion; cumulative deposits exceeded $2.5 trillion; liquidations surpassed $2 billion.

Then he said: "We proactively proposed terminating the contract." Nobody fired them. The contract hadn't expired. Aave founder Stani Kulechov responded coolly, saying the protocol continues to operate normally and that another risk provider, LlamaRisk, would take over.

It sounds like nothing happened.

But when a risk management team with a flawless three-year track record voluntarily walks away from the largest DeFi lending protocol, that's what traditional finance would call a red flag.

In his statement, Goldberg said the disagreement wasn't about money. It was about a fundamental misalignment in how the two sides view risk management.

2% Budget, 100% Liability

To keep Chaos Labs, Aave Labs offered to raise their annual budget from $3 million to $5 million. Chaos Labs still walked.

Goldberg gave three non-negotiable reasons for leaving, but they all point to the same conclusion.

First: compensation. Aave generated $142 million in revenue in 2025 and allocated just $3 million to risk management, roughly 2%. Traditional banks typically spend 6% to 10% of revenue on compliance and risk controls.

Goldberg said the team had been operating at a loss for three years. Even at $5 million, the work would still be unprofitable. He considers $8 million the reasonable floor. Aave's treasury holds $140 million, and Aave Labs recently passed a $50 million funding proposal for itself. The protocol isn't short on cash. It just doesn't want to spend that much on security.

Second: workload. Aave is upgrading from V3 to V4, a complete rewrite of its underlying architecture, contracts, and liquidation logic. Goldberg said V4 and V3 share exactly one thing: the name. During the transition, both systems must run in parallel. The risk management workload doesn't get cut in half. It doubles.

Third: liability. Legal accountability for DeFi risk managers is completely undefined. There is no regulatory framework. No safe harbor provisions. When things go well, you're invisible. When something breaks, you're the first one held accountable. As Goldberg put it: if the upside is razor-thin margins and the downside is unlimited liability, then continuing to operate is itself a bad risk management decision.

That's a hard argument to counter. A protocol earning $140 million a year allocates 2% to the team safeguarding hundreds of billions in assets, asks them to double their workload, and offers zero legal cover if something goes wrong.

Would you stay?

The other side, of course, tells a different story. On X, Aave Labs founder Kulechov implied that Chaos Labs had already been winding down its risk consulting business and reducing engagements with other protocols.

The subtext: the reasons in the farewell letter are less a principled stand and more a graceful exit narrative.

Whether this was a genuine philosophical split or a convenient off-ramp is impossible for outsiders to judge. But one thing is clear: Chaos Labs isn't the only departure.

When It Rains, It Pours

The name is still Aave, but the people who built it have largely walked out over the past two months.

In February, BGD Labs, the core development team behind Aave V3, announced it would not renew its contract. Founded by former Aave CTO Ernesto Boado, BGD wrote virtually all of V3's codebase, governance system, and cross-chain deployments. After four years, the contract expired and they left.

BGD's reasoning was blunt: Aave Labs has been consolidating control. V4 development, brand assets, and social media accounts are now firmly in Aave Labs' hands. BGD felt it had no say in the design process but was still on the hook for outcomes. In corporate terms, they were sidelined.

A month later, ACI, the most active service provider in Aave's governance ecosystem, also announced its departure. This eight-person team was behind 61% of Aave's governance proposals over three years. Founder Marc Zeller was direct in his farewell: Aave Labs can use its own voting power to approve its own budgets. Independent service providers have no real role left in this system.

Two farewell letters in two months. One said they were sidelined. The other said the game was rigged.

Then in March, another incident hit.

A configuration error in Chaos Labs' risk management system triggered erroneous liquidations totaling roughly $27 million, affecting at least 34 users. Chaos Labs confirmed no bad debt resulted and that affected users would be compensated.

No one bore legal liability, because DeFi has no legal framework that defines who should.

But when you're managing hundreds of billions in assets, a single misconfigured parameter can move tens of millions. And your legal protection is zero. That is exactly the issue the risk team kept hammering in their farewell letter.

So here's the picture: Aave's V3-era operations rested on four pillars: development, governance, risk management, and growth. Three of the four are now gone.

The risk team's farewell letter invoked the Ship of Theseus. If you replace every plank on a ship, is it still the same ship?

The Aave name remains. The smart contracts keep running. TVL keeps climbing. But the team that wrote the code is gone. The team that ran governance is gone. The team that managed risk is gone. Users keep depositing and borrowing, most of them with no idea that everything underneath has been swapped out.

What's truly unsettling isn't who left. It's that nothing seemed to change after they did.

Users open the page, deposit funds, borrow assets. Interest rates look normal. Liquidations work fine. Everything appears the same. Unless you're actively reading the governance forum, you'd have no idea what happened over the past two months.

In the short run, maybe nothing does go wrong. Smart contracts don't shut down because the risk team quits. Pre-set parameters don't change on their own. And Aave still has LlamaRisk as a backup, so it's not completely flying blind.

But risk management is not a set-it-and-forget-it job. Parameters that work today won't necessarily work tomorrow. Markets shift, assets evolve, and on-chain attack vectors keep changing. Whether the new team can respond as quickly when the next crisis hits is anyone's guess.

And this is not happening during calm waters.

AAVE's token price has dropped over 70% from its August high of $356 to around $96 today. The broader DeFi lending sector is shrinking, on-chain activity is falling, and protocol revenues are under pressure.

In a bull market, risk management is invisible. Nobody applauds another day without incident. In a bear market, risk management becomes critical: asset prices swing violently, liquidation density spikes, and black swan probability climbs. This is precisely when a risk team's experience and reaction speed matter most.

And precisely at this moment, the most experienced team has walked out the door.

The risk team's farewell letter included one line that cuts to the core: Aave didn't beat more aggressive competitors by offering more features. It won because others blew up and it didn't. In this market, survival is the product.

The question now is whether the people who kept it alive are already gone.

If you find this helpful, feel free to follow us for future updates. ❤

• X : @blockflow_news
• Telegram: t.me/blockflownews