During the recent USDC volatility events, we received a large number of questions on protocol emergency risk controls. Protocols we serve have a range of features that temporarily disable some functionalities. We review these features here for visibility and to facilitate faster responses should emergency actions be considered again in the future.
Aave has two different modes that reduce protocol functionality: a less restrictive Freeze and a more restrictive Pause. The Aave Guardian is a multi-sig address held by elected community members that are in charge of using these tools. The table below shows which protocol functionalities are disabled in each mode. We note that on Aave V2, it is possible to Freeze a single asset, but this granularity does not extend to Pause. The Aave V2 protocol applies the same restrictions to all assets when a Pause is implemented.
Aave V3 introduces more granularity to risk features. Unlike Aave V2, the pause function can be applied to specific assets, leaving the rest of the protocol active. We note, however, that the Pause and Freeze functionalities apply equally across all V3 modes. This means, for example, that Freezing or Pausing an asset in eMode will apply the same restrictions outside of eMode as well. Also, V3 introduces several specialized risk management tools, which are further discussed below.
Aave V3 allows Aave Governance to grant risk managers permission to update parameters without going through a governance vote for every change. This is a useful tool that could allow the creation of a Risk Council to manage the protocol in extreme scenarios, as discussed in this forum thread. By allowing the Risk Council to make urgent parameter adjustments independently, the community can avoid costly delays and governance overload. While a Risk Council has not been formed for Aave V3 as of this writing, Gauntlet generally supports the idea alongside other protocol contributors.
Price Oracle Sentinel
The Sentinel feature introduces a grace period for liquidations and disables borrowing under specific circumstances. This is intended to prevent unnecessary liquidations during L2 downtimes or oracle malfunctions.
Governor Bravo Protocols
A number of protocols use versions of the Governor Bravo module first implemented by Compound. These protocols designate a Pause Guardian address, which is usually held by a community multi-sig. The Pause Guardian can disable the Mint, Borrow, Transfer, and Liquidate functions for individual assets. We note that the Pause Guardian cannot unblock these functions, so any subsequent actions to restore functionality must be done by normal governance. Also, the Pause Guardian cannot disable Redeem or Repay Borrow. As a result, emergency actions on Governor Bravo protocols can stop users from opening new positions or being liquidated, but cannot prevent users from leaving the protocol.