Aave’s bug bounty program has been updated to better align payouts with the risk profile of each part of the ecosystem and to simplify review paths. Payout caps for critical bugs are now five times larger for Aave V4 and Core Aave V3.​​​​​​​​​​​​​​​​ Details below.

Past days has been extremely hardcore for our team and DeFi in general. DeFi went trough a substantial stress test and the consequences were felt. It definitely was the hardest couple of weeks that I experienced in my life and during the past decade building in the space. I am still writing this with couple of hours of sleep per day so bear with me. For me personally, the rsETH bridge incident was unfortunate as our team and community has put so much effort into securing the protocol and seeing the exploit happening outside of the protocol smart contracts, and affecting the markets is hard to watch even when the markets had (and still have) full backing like Mainnet Core. That being said, Aave has seen multiple market/credit cycles and always has been able to prove its resiliency. I have more confidence in DeFi today than ever, not because of the industry is stepping up and improving security practices, but because there is a true community behind DeFi that is willing to help and do whatever it takes to ensure our space has future. I want to say that during all this madness there were lot of people that were extremely supportive and proactive to mitigate any issues and contagion. At the first glance, from Aave's perspective we were positive that we would find a resolution and we had overall balance sheet, protocol revenue and external/public support to over come the issue from Aave's perspective but what we understood is that the issue was beyond Aave. It was about restoring the whole state of DeFi, avoid contagion and ensuring that the whole ecosystem overcome this incident not solely Aave. DeFi United started as an initiative from DeFi protocols that were affected but eventually became an industry wide movement to save DeFi and bring protocols together. I am grateful for all the contributions and support that everyone has been providing and can say that this wouldn't be possible without it. I'd hope that DeFi United becomes a permanent movement in some shape or form with the right form factor. DeFi United was executed at insane speed and other constraints but there could be a model that could continuously support the industry from the unexpected. I'd say during the past week lot of people stood up and I really don't have the space to mention everyone (you know who you are) but specifically I want to say that @MikeSilagadze deserves more respect from the space than anyone else atm, he went above and beyond and was willing to sacrifice a lot to solve what actually wasn't something cause by his efforts. Full respect. @LidoFinance team also deserve special credit, this team truly cares about DeFi and was extremely helpful along the way. They deserve full credit. @gdog97_ deserves credit as well, who helped to brainstorm various solutions and also stepping in with Ethena and helping on coordination. @arbitrum community for doing the right thing and rescuing the funds from the bridge contract that was a difficult but the right call. @Mantle_Official @Bybit_Official team for stepping up as well and showing strong support. The team has been supportive and truly cares about making the space safe. Last but not least lot of credit goes to @ethereumJoseph who really stepped in to help DeFi and the ecosystem. Joe cares about Ethereum, he cares about DeFi and understand the importance of DeFi for the future of Ethereum. We have truly good people within our community. These folks are true guardians of our space (among others on my long list) that really want DeFi to win. I feel very optimistic now about our space, it is true that events like these can be a setback but in reality it builds resiliency, which our space stands for, and over time that is hard to beat by legacy systems. The past week we had to operate in multiple different constraints from time, information, resources, governance and other. We had to move as fast as we could as time was against us. It was a large coordination effort that we haven't experienced so far. I'd like to give most of this credit to our team and community especially @Token_Logic and @LlamaRisk who went also above and beyond to find resolutions and coordinate. There has been some banter about right type of market structure for onchain lending between shared or isolated pools but the reality is that when capital moves, it moves at scale and market structures are less of a mitigating factor. These kinds of times require to find solutions fast and reestablish the trust in the markets and the technology, that's whats important. All this being said there are some great learnings from this indecent like from any incident and we as any other team involved will share a post mortem and steps to improve anti-fragility. I might be now less bullish on onchain lending as infrastructure and more leaning towards a model where the market structures need to be backed by strong balance sheets and risk transfers, however this is another discussion for the future as issues can stem outside of the protocol's control. Now as the markets on Ethereum mainnet Core are restoring, our team continues to execute the technical plan to restore rest all the markets. Thank you for everyone who has been supportive and we will keep you up to date as we progress. DeFi United.

The joint effort striving to fully recapitalize @KelpDAO rsETH speaks to the shared accountability of leaders in our industry; to serve the common good first and foremost. We are proud to be working together with @aave labs, @Token_Logic, @chainlink, and @Certora as an Aave Service Provider. The rapid response and tight coordination of Aave SPs in a time of need helped make this possible. In spite of the intense pressure, DeFi comes together to put users first. There’s a long road ahead and it will not be easy, but we stand united. DeFi will win.

Aave service providers have been leading the DeFi United effort to restore rsETH's backing since the April 18 incident. We believe ecosystem collaboration matters most in moments like this, and our priority is achieving the strongest possible available outcome for users. Multiple strong indicative commitments are now in place to join this effort toward restoring the backing of rsETH. This includes @LidoFinance, whose contributors have published a proposal today to their DAO to participate in the joint recovery effort. Lido is one of many partners who are stepping up. We will continue to announce further commitments as they are formalized.

Update on rsETH incident: @LlamaRisk has published a report outlining the rsETH incident, the immediate actions taken, its impact on Aave, and potential paths forward. All service providers have been working to assess the two potential bad debt scenarios on the Aave protocol. Aave DAO service providers are also leading an effort with ecosystem participants to address any bad debt. This effort already has several indicative commitments from various parties and we are grateful for the strong support we have received so far. We will share further updates as we have them. In the meantime, the full report can be read here:

Supply caps across several assets on Aave V4 have been reached again. @LlamaRisk proposed another cap increase to accommodate demand. Security first: V4 deposit caps start conservative by design. As caps fill, risk managers evaluate and propose increases to meet demand.

Umbrella is @aave’s on-chain backstop for realized reserve deficits and a key part of the protocol’s risk framework 🧬 In our latest LlamaRisk Insights, we break down what Umbrella covers, slashing triggers, and why the DAO-funded Deficit Offset is the true first-loss layer. 👇 Umbrella is designed to mitigate realized, on-chain reserve deficits that are explicitly reflected in Aave’s accounting. It provides liquidity only after losses are realized and the reserve deficit exceeds the Deficit Offset, and doesn’t include unrealized deficits, such as temporary market deviations or off-chain insolvencies that are not reflected in Aave’s price oracles. Currently, Umbrella is deployed only on Aave V3 Core and covers reserve-side debt, not collateral positions. Coverage is reserve-specific and non-fungible, meaning liquidity allocated to one reserve cannot be used to cover another. Covered reserves currently include WETH, USDC, USDT, and GHO, with additional assets (USDe, WBTC) expected following the Umbrella Expansion Proposal. Importantly, coverage is limited to actual staked liquidity, not DAO-defined target levels. How & When does Umbrella activate? Umbrella only triggers after a realized reserve deficit is recorded on-chain. If the deficit exceeds the existing Deficit Offset, Umbrella reduces the staked liquidity for the affected reserve by a proportional amount, burning the corresponding aTokens to offset the shortfall. This process is entirely post-event and reactive. Deficit Offset: the first-loss layer A key point often misunderstood: Umbrella stakers are not the first-loss protection layer. The Deficit Offset is a DAO-funded buffer intended to absorb losses before Umbrella liquidity is used. The DAO (or Finance Committee under mandate) is expected to periodically cover this buffer using protocol revenues such as protocol fees, SVR, and liquidation proceeds. Only the portion of a realized deficit that exceeds the Deficit Offset is passed on to Umbrella.