Aave Proposes Protocol-Wide Risk Framework After KelpDAO Exploit - "The Defiant"

Aave governance is weighing a protocol-wide risk framework that would apply to every asset on Aave V3, V4, and Aave Horizon, with founder Stani Kulechov saying assets that do not qualify for the new standard will be removed. A companion proposal would shift the Pendle PT risk oracle to protocol-owned infrastructure built on the Chainlink Runtime Environment.

Risk service provider LlamaRisk posted both Aave Request for Comments proposals Tuesday on the Aave governance forum. The broader framework, published Tuesday morning, covers four risk layers: Asset Risk, Bridging Risk, Monitoring and Automated Risk Oracle Systems, and Chain Risk.

"After passing the proposal, the risk framework will be applied across all markets and assets," Kulechov wrote on X Tuesday morning. "Assets that do not qualify for the new standard will be off-boarded from Aave over the coming weeks."

The proposals are Aave's first concrete structural governance response to the KelpDAO LayerZero exploit in April, in which attackers drained 116,500 rsETH, deposited it as collateral across Aave's Ethereum and Arbitrum markets, and borrowed $193 million from the protocol directly. Total attacker-posted collateral reached $221.39 million, according to LlamaRisk's April 20 incident report. A LayerZero incident report in May, covered by The Defiant, found the bridge had been downgraded from a 2-of-2 to a 1-of-1 DVN configuration before the exploit.