Aave founder Stani Kulechov announced a new four-layer risk framework prepared by LlamaRisk, binding across V3, V4, and Horizon, with a $50,000 bug bounty floor and a three-verifier bridge minimum.
Posted June 10, 2026 at 5:45 am EST.
Aave founder Stani Kulechov said Tuesday that a new risk framework has been proposed for the protocol, the first concrete structural governance response to the $292 million KelpDAO bridge exploit in April. The proposal was prepared and published by risk firm LlamaRisk and is open for evaluation by Aave governance.
The framework’s defining feature is that it is binding. It sets the standard that governs every asset across Aave V3, V4, and Aave Horizon at onboarding, at every quarterly due diligence refresh, at every material-change re-evaluation, and at every parameter or deprecation decision. “Over the past several weeks, Aave has been developing a new risk framework that includes asset risk, bridging risk, chain risk, and advanced automation capabilities for risk management,” Kulechov said in a social media post, adding that it establishes a new standard for how Aave assesses, monitors, and manages risk.
This story is an excerpt from the Unchained Daily newsletter.
The framework is organized into four layers. Layer 1, Asset Risk, governs the asset lifecycle and carries hard-block conditions, including a minimum $50,000 bug bounty floor for critical findings regardless of total value locked. Layer 2, Bridging Risk, sets a mandatory baseline of at least three independent verifiers on any route carrying Aave exposure, directly addressing the failure mode behind the KelpDAO incident. Layer 3 covers monitoring and automated risk oracle systems, and Layer 4, Chain Risk, gates whether Aave should deploy on a given chain at all.
The KelpDAO incident sits at the center of the proposal’s logic. Attackers exploited a single-verifier configuration in KelpDAO’s LayerZero-powered bridge in April, minting 116,500 unbacked rsETH worth approximately $292 million. The attacker deposited the tokens as collateral on Aave and borrowed roughly $193 million, generating $124 million to $230 million in bad debt depending on how losses were socialized.
The framework also codifies two automated mechanisms built on the Chainlink Runtime Environment and owned by the Aave DAO: an Automated Freeze Guardian that halts a reserve when a hard adverse signal is detected, and a Supply and Borrow Cap Oracle that pulls caps down automatically as an asset’s risk surface degrades. Both are defensive by design, able to tighten exposure on their own, while any loosening requires human review through governance or Risk Stewards.

