Chaos Labs is ending its three‑year Aave mandate after a $27m oracle fiasco, deep governance infighting, and mounting fears over who is legally liable when DeFi risk breaks.

Chaos Labs, the risk firm that has “priced every loan initiated on Aave and managed risk across all Aave V2 and V3 markets and networks” since late 2022, is walking away from the protocol after concluding “the engagement no longer reflects how we believe risk should be managed.” In an announcement echoed by BSCN on X, the company said Monday it is “proactively terminating its engagement with DeFi’s largest lending protocol @aave, citing a fundamental disagreement over how risk should be managed,” and warning that DeFi risk managers currently operate without a clear regulatory framework or safe harbor if something breaks.

The departure lands as Aave, which has processed roughly $3.33 trillion in cumulative deposits and nearly $1 trillion in loans and recently crossed $50 billion in total value locked, faces mounting internal and external scrutiny over governance, risk, and legal exposure.

Chaos is the third core contributor to step back from Aave in recent months, after governance shop Aave Chan Initiative and core technical team BGD Labs each disclosed plans to end their mandates amid disputes over power, budgets and roadmap control inside the DAO. ACI founder Marc Zeller framed his own exit as the product of a protracted power struggle, warning that a recent vote handed Aave Labs “the largest budget in DAO history,” while BGD told tokenholders “we will not be seeking a renewal and will cease our contribution to Aave” once its contract expires. These fractures are emerging even as Aave continues to command roughly 30–40% of the DeFi lending market and nearly a quarter of sector TVL, underscoring how governance tensions can flare precisely when protocols reach systemically important scale.

Chaos Labs’ break with Aave follows a series of oracle and risk‑engine incidents that have already driven uncomfortable questions about who is accountable when automated risk systems misfire. In March, a misconfigured Chaos Labs oracle on Aave caused erroneous liquidations of around $26.9 million in positions using staked Ether collateral, after the CAPO risk agent reported an inaccurately low price ratio and pushed several accounts below their health‑factor thresholds. A separate post‑mortem and external coverage estimated roughly $27 million in forced liquidations triggered when wrapped staked Ether was undervalued by about 2.85%, affecting at least 34 high‑leverage positions before parameters were manually corrected. Chaos Labs and Aave have emphasized that no bad debt was incurred and that affected users would be reimbursed, but the episode illustrates the legal gray zone the firm now highlights: risk managers are making protocol‑wide decisions that can move tens of millions of dollars in seconds, yet operate without explicit regulatory safe harbor or clearly defined liability regimes if those decisions go wrong.

The exits of Chaos Labs, ACI and BGD Labs leave Aave’s DAO with fewer seasoned operators just as the protocol rolls out its next‑generation v4 architecture and pushes deeper into institutional‑grade features. Aave’s total value locked sits in the tens of billions of dollars and the protocol has grown its TVL by more than 50% in certain recent quarters, outpacing the broader DeFi sector and making its risk governance choices a live concern for markets well beyond crypto‑native users. With multiple core contributors now publicly criticizing governance dynamics and risk alignment, Aave’s community will be forced to answer the question Chaos Labs has implicitly posed: who, exactly, bears responsibility when decentralized risk systems break at scale?