Aave Proposes Protocol-Wide Risk Framework After KelpDAO Exploit



LlamaRisk has submitted two Aave governance proposals covering a four-layer protocol-wide risk standard and a PT oracle upgrade to Chainlink CRE. Founder Stani Kulechov says assets that fail the new standard will be off-boarded.

Aave governance is weighing a protocol-wide risk framework that would apply to every asset on Aave V3, V4, and Aave Horizon, with founder Stani Kulechov saying assets that do not qualify for the new standard will be removed. A companion proposal would shift the Pendle PT risk oracle to protocol-owned infrastructure built on the Chainlink Runtime Environment.

Risk service provider LlamaRisk posted both Aave Request for Comments proposals Tuesday on the Aave governance forum. The broader framework, published Tuesday morning, covers four risk layers: Asset Risk, Bridging Risk, Monitoring and Automated Risk Oracle Systems, and Chain Risk.

“After passing the proposal, the risk framework will be applied across all markets and assets,” Kulechov wrote on X Tuesday morning. “Assets that do not qualify for the new standard will be off-boarded from Aave over the coming weeks.”

The proposals are Aave’s first concrete structural governance response to the KelpDAO LayerZero exploit in April, in which attackers drained 116,500 rsETH, deposited it as collateral across Aave’s Ethereum and Arbitrum markets, and borrowed $193 million from the protocol directly. Total attacker-posted collateral reached $221.39 million, according to LlamaRisk’s April 20 incident report. A LayerZero incident report in May, covered by The Defiant, found the bridge had been downgraded from a 2-of-2 to a 1-of-1 DVN configuration before the exploit.

The Four-Layer Framework

The framework governs Aave V3, V4, and Aave Horizon. It applies at asset onboarding, at quarterly due diligence refreshes, and at every subsequent parameter or deprecation decision.

Layer 1 covers Asset Risk, requiring audit coverage, active bug bounty programs, sufficient liquidation liquidity, timely timelocks, and issuer operational disclosure. Hard-block conditions include missing or materially weak bug bounty programs, undisclosed signer composition, and refusal to disclose the operational stack. A hard block stops onboarding entirely; for already-listed assets, it triggers an immediate exposure-tier review.

Layer 2 addresses Bridging Risk, setting a binding floor on verifier-set thresholds for any asset that crosses chains. The requirement is vendor-agnostic: it applies regardless of which bridge stack the issuer uses. An asset whose bridge configuration falls short on any mandatory item receives a tightened exposure tier, including lower loan-to-value ratios and lower supply caps, until remediation is complete. The rsETH exploit ran through exactly this gap: the Unichain-to-Ethereum route was configured as a 1-of-1 DVN, allowing a forged inbound packet to release 116,500 rsETH from the adapter without any corresponding source-side burn.
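A threshold floor of this kind can be checked mechanically against each route's verifier configuration. The sketch below is an added example, not code from LlamaRisk, Aave or LayerZero; the floor of 2, the verifier names, the second rsETH route and `tokenX` are assumptions made for illustration, and only the 2-of-2 and 1-of-1 settings come from the reporting above.

```python
from dataclasses import dataclass

# Assumed floor for illustration only; the article does not give the framework's number.
ASSUMED_FLOOR = 2

@dataclass(frozen=True)
class Route:
    asset: str
    path: str
    verifiers: frozenset  # distinct verifier (DVN) identifiers configured on the route
    threshold: int        # attestations required before the destination releases funds

def accepts(route, attesting):
    """Would the destination accept a packet attested only by `attesting`?"""
    return len(set(attesting) & route.verifiers) >= route.threshold

def route_findings(route, floor=ASSUMED_FLOOR):
    findings = []
    if route.threshold < floor:
        findings.append(f"threshold {route.threshold} is below floor {floor}")
    if len(route.verifiers) < floor:
        findings.append(f"only {len(route.verifiers)} distinct verifier(s) configured")
    if any(accepts(route, {v}) for v in route.verifiers):
        findings.append("a single verifier can approve a packet on its own")
    return findings

def exposure_tiers(routes, floor=ASSUMED_FLOOR):
    """An asset is tightened if ANY of its routes falls short (weakest route wins)."""
    tiers = {}
    for r in routes:
        bad = bool(route_findings(r, floor))
        tiers[r.asset] = "tightened" if bad or tiers.get(r.asset) == "tightened" else "standard"
    return tiers

# Constructed sample data. Only the 1-of-1 Unichain-to-Ethereum rsETH route and its
# earlier 2-of-2 setting come from the article; every other value is hypothetical.
BEFORE = Route("rsETH", "unichain->ethereum", frozenset({"dvn-a", "dvn-b"}), 2)
AFTER = Route("rsETH", "unichain->ethereum", frozenset({"dvn-a"}), 1)
OTHER = Route("rsETH", "hypothetical-l2->ethereum", frozenset({"dvn-a", "dvn-b"}), 2)
TOKEN = Route("tokenX", "hypothetical-l2->ethereum", frozenset({"dvn-a", "dvn-b", "dvn-c"}), 2)

if __name__ == "__main__":
    for r in (BEFORE, AFTER, OTHER, TOKEN):
        print(r.asset, r.path, f"{r.threshold}-of-{len(r.verifiers)}", route_findings(r) or "ok")
    print(exposure_tiers([AFTER, OTHER, TOKEN]))
```

The asset-level result follows the weakest route: one 1-of-1 path is enough to put the whole asset in the tightened tier, even when its other routes meet the floor.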

Layer 3 codifies monitoring and automated risk oracle systems as standing protocol infrastructure, not optional tooling. Layer 4 addresses Chain Risk, establishing evaluation criteria that gate whether Aave deploys on a chain at all and setting a standing upper bound on the exposure tier of every asset listed on that chain.

Each recommendation the framework generates carries a one-month implementation deadline. Recommendations not implemented within one month automatically convert into hard constraints on the asset’s exposure tier.

Protocol-Owned PT Oracle

The companion ARFC proposes migrating the Pendle PT risk oracle from the current arrangement to protocol-owned infrastructure on the Chainlink Runtime Environment, known as CRE.

The core change is ownership. Under the prior setup, risk managers held write authority over key oracle parameters with limited on-chain auditability. Aave Governance owned the destination contracts, but not the offchain system computing the inputs. Under the proposed structure, Aave Governance would own every contract on the path. LlamaRisk holds only an Updater role on a new onchain ParameterRegistry, allowing it to tune per-asset methodology parameters without a full CRE redeploy.

LlamaRisk has been running the PT oracle manually and pushing parameter changes through the Risk Stewards path since Chaos Labs stepped down from Aave risk management in April. The governance forum post calls that arrangement “a transitional path that was never meant to be permanent.”

Three Chainlink CRE workflows would replace the manual process. The workflows compute smoothed implied rates, discount rates, and per-E-Mode liquidation parameters for each Pendle PT market, each publishing a signed report that a new onchain router validates. The router writes atomically to the oracle and triggers execution in a single transaction. Every parameter change is recorded on-chain and independently verifiable.

Certora audits will cover both the new contracts and the CRE workflow code. Two of the three new contracts, the LlamaguardRiskOracle and ParameterRegistry, were already audited by two security teams as part of an earlier LlamaGuard NAV deployment. The router is the only component without prior audit coverage.

Arc Context

Tuesday’s filings follow two earlier milestones in Aave’s recovery from the April exploit. In May, Aave restored WETH loan-to-value ratios across Ethereum, Arbitrum, Base, Mantle, and Linea as part of the rsETH recovery plan. The same month, LayerZero published its full incident report, which found the bridge had been downgraded from a 2-of-2 to 1-of-1 DVN configuration before the exploit.

Both ARFCs are in the community feedback stage. If they reach community consensus, each would move to a Snapshot vote before advancing to an on-chain Aave Improvement Proposal.


