Aave is enhancing its risk framework to ensure a more secure environment for every asset within its platforms. This new structure aims to govern all elements associated with Aave V3, V4, and Aave Horizon, establishing rigorous standards for asset onboarding, monitoring procedures, exposure management, and chain deployments.
#How Is Aave Structuring Its Risk Framework?
Aave’s risk framework is built on four key layers that collectively assure the safety of its operations: asset risk, bridging risk, monitoring systems combined with automated oracles, and chain risk. These layers distinctly outline the approach for assessing assets before they are listed, the criteria for ongoing review after they have been onboarded, and guidelines for when exposure should be reduced or eliminated altogether.
This initiative comes in response to the exploit of KelpDAO in April, which highlighted vulnerabilities in bridge configurations and off-chain infrastructures. Such weaknesses can transform a collateral asset into a risk factor for the entire protocol. The exploit led to the minting of around $292 million in unbacked rsETH via the LayerZero bridge, which was then used as collateral on Aave. In light of this, Aave is instituting new benchmarks for bridge disclosures, ensuring verifier independence, enforcing rate limits, introducing automated monitoring systems, and deploying defensive freeze mechanisms.
#What Requirements Are Associated with the Asset Risk Layer?
Under the asset risk layer, every asset presented for listing must satisfy stringent requirements. These include necessary audits, effective bug bounty coverage, adequate liquidity, established timelocks, verified signing authority, legal disclosures, visibility of backing details, and robust issuer operations. Any deficiencies, such as inadequate bug bounty coverage or unresolved audit issues, will constitute hard block conditions that preclude an asset's approval.
Furthermore, asset evaluations will no longer be a one-time check. Instead, Aave requires regular quarterly reviews of each asset's status, with additional assessments triggered by significant changes, like new chain deployments, contract upgrades, modifications to bridge routes, updates to oracle systems, or shifts in reserve backing.
#What Are the New Rules for Cross-Chain Assets?
In relation to bridge risk, Aave will implement stricter rules for assets that operate across different chains. This entails having a clearly documented topology for bridge routes, at least three independent verifiers, timelocked authority adjustments, dedicated pause pathways, route-specific rate limits, around-the-clock incident response protocols, and specialized monitoring teams. Routes failing to meet these mandatory criteria could experience reductions in caps, lower loan-to-value ratios, or be limited in cross-chain functionalities.
Additionally, the framework introduces rapid defensive strategies to mitigate risks that may escalate too quickly for governance to address. Aave can take immediate actions, such as freezing assets or reducing exposure when it detects warning signals, with human oversight required for restoring any limits post-alert.
In an emergency, the designated Risk Stewards will oversee recovery and parameter adjustments following a triggered alert. Should losses still accrue, the Umbrella protocol serves as an additional safeguard for the network.
#Are There Standards for Chain Deployments?
Aave's framework also stipulates criteria governing the chains where it operates. Chains that show insufficient infrastructure, low liquidity, weak governance, or inadequate monitoring support will endure stricter limitations for every asset associated with them. This comprehensive approach aims to secure Aave’s ecosystem while fostering investor confidence and protecting against future vulnerabilities.
By prioritizing rigorous reassessing procedures and implementing systemic safeguards, Aave is taking significant steps to maintain a secure environment for its users and assets. This proactive strategy is essential in a landscape where security threats continually evolve.