First it misconfigured an oracle and wiped out $26.9 million in Aave positions. Then it quit its most prestigious client. Then North Korea came knocking. When exactly does a “chaos” brand name stop being ironic?
Chaos Labs — the risk management firm that once proudly boasted it had “priced every loan on Aave since November 2022” — is having a very bad spring. In a span of less than 60 days, the company has lurched from a multi-million-dollar oracle blunder, to a spectacular falling-out with DeFi’s biggest lending protocol, to what cybersecurity professionals are describing as a suspected nation-state cyberattack. Meanwhile, the protocols it once served are quietly packing their bags and heading for Chainlink.
The Bug That Started It All
The unravelling began on 10 March 2026, in the wstETH/stETH lending pool on Aave. Without warning, a misconfigured Chaos Labs price oracle reported that wrapped staked Ether was worth 2.85% less than its actual market price. In highly leveraged DeFi lending, 2.85% is not a rounding error — it is the margin between a healthy position and forced liquidation.
Thirty-four positions were wiped out. Total erroneous liquidations: $26.9 million. The market hadn’t crashed. No attack had occurred. A stale parameter in one oracle feed had done it alone.
Chaos Labs was apparently embarrassed enough to live up to its own name — the firm promised to reimburse affected users. The incident passed. But it did not go unnoticed.

The Divorce From Aave — and What It Revealed
Three weeks before the oracle bug, Aave Chan Initiative lead Marc Zeller had already announced his exit from Aave’s governance structure. BGD Labs followed on 1 April. Then, on 6 April, Chaos Labs CEO Omer Goldberg posted to the Aave governance forum with a lengthy farewell, citing “fundamental disagreements over risk”, an “unsustainable” budget situation, and the legal exposure of operating without regulatory safe harbour.
Goldberg said Chaos had been operating its Aave engagement at a loss for three years. He wanted $8 million per year for the expanded scope of Aave V4. Aave Labs offered $5 million. Goldberg walked.
But Aave founder Stani Kulechov’s public response added a dimension the polished exit announcement had omitted. Chaos Labs, Kulechov wrote, had also been pushing to become the sole risk manager on all Aave deployments — replacing Chainlink’s oracles with its own on every new deployment, and installing Chaos’s own unaudited vaults as the default for all institutional integrations.
“We strongly believe that, given the scale of the Aave protocol, it should maintain at least a two-layer risk management model and vendor lock-in free vaults,” Kulechov stated bluntly. In other words: Chaos had tried to monopolise Aave’s risk infrastructure, been refused, and then framed the rejection as a principled departure over budget.
The DeFi community took note.
Then the Hackers Arrived
On 4 May, Chaos Labs detected suspicious activity targeting its operational wallets — the keys used for routine on-chain functions. The company entered what it described as a “full lockdown”, rotating all affected keys and bringing in external cybersecurity professionals and law enforcement.
On 8 May, Goldberg confirmed: the Chaos Oracle Network itself had not been compromised. The attack “never reached” the core oracle infrastructure. “The authorities and cyber professionals working with us have characterised the activity as consistent with nation-state attacks,” Goldberg wrote. “The investigation continues.”
Nation-state attacks on crypto infrastructure have a well-established perpetrator profile. North Korea-linked groups — most prominently Lazarus and its sub-units — stole at least $578 million in crypto during April 2026 alone, according to blockchain investigators. Pyongyang has denied involvement in global cybercrime operations, calling such accusations unfounded.
Chaos Labs has not publicly named a suspected actor. But the framing of “nation-state” in the context of DeFi protocol infrastructure attacks is rarely accidental.

The Exodus to Chainlink
In the aftermath of the attack warning, the verdict from Chaos Labs’ remaining clients arrived swiftly and without fanfare.
Tydro — the largest lending protocol on Kraken’s Ink Layer 2 network, with total market size recently surpassing $700 million — had been notified of the attack on 4 May and immediately halted all markets “out of an abundance of caution.” As of 8 May, Tydro confirmed it would keep markets offline until a full migration to Chainlink’s oracle infrastructure was complete, adding a 48-hour timelock before any reopening. A post-mortem covering “oracle hardening and multi-oracle redundancy plans” would follow.
Kelp DAO, which suffered a catastrophic $292 million exploit in April 2026 linked to its rsETH infrastructure, has simultaneously announced it is migrating its restaking token oracle services to Chainlink.
Solv Protocol, exploited for $2.7 million in March, has announced plans to move parts of its cross-chain infrastructure from LayerZero to Chainlink, citing the broader pattern of security incidents.
Three protocols. Three Chainlink migrations. In 48 hours.
What This Means for DeFi’s Oracle Problem
The Chaos Labs saga is not merely a story about one firm’s bad run of luck. It is a stress test of a structural assumption embedded throughout DeFi: that a single, trusted oracle provider can be the sole arbiter of price for billions of dollars in collateral.
Aave’s Kulechov articulated the lesson explicitly when he refused Chaos’s monopoly bid: “vendor lock-in free vaults” and “at least a two-layer risk management model.” When a 2.85% misconfiguration can cause $27 million in erroneous liquidations, the cost of oracle monoculture becomes very real, very fast.
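As an added illustration (not code from Chaos Labs, Aave or Chainlink), the sketch below shows why a feed reading 2.85% low is enough to liquidate a tightly leveraged position, and how a second reference feed with a deviation guard would pause instead of liquidating. Only the 2.85% figure comes from the reporting above; the simplified health-factor formula, liquidation threshold, guard band, prices and positions are all constructed assumptions.

```python
from decimal import Decimal

# All values are constructed for illustration; only the 2.85% figure is from the article.
LIQ_THRESHOLD = Decimal("0.95")   # assumed liquidation threshold
MAX_DEVIATION = Decimal("0.01")   # assumed guard band between the two feeds
TRUE_PRICE = Decimal("1.2300")    # assumed wstETH price in stETH
BAD_PRICE = TRUE_PRICE * (1 - Decimal("0.0285"))  # primary feed reporting 2.85% low

POSITIONS = {  # name -> (wstETH collateral, stETH debt), constructed
    "conservative": (Decimal(100), Decimal(100)),
    "leveraged": (Decimal(100), Decimal(115)),
    "underwater": (Decimal(100), Decimal(120)),
}

def health_factor(collateral, price, debt):
    """Simplified health factor: below 1 the position is liquidatable."""
    return collateral * price * LIQ_THRESHOLD / debt

def single_feed(position, primary):
    """Single-oracle model: trust one feed unconditionally."""
    collateral, debt = position
    return "liquidate" if health_factor(collateral, primary, debt) < 1 else "healthy"

def dual_feed(position, primary, reference):
    """Two-layer model: refuse to act when the feeds disagree beyond the guard band."""
    if abs(primary - reference) / reference > MAX_DEVIATION:
        return "paused"
    return single_feed(position, primary)

def report(primary, reference):
    """Return {position: (single-feed decision, dual-feed decision)}."""
    return {name: (single_feed(p, primary), dual_feed(p, primary, reference))
            for name, p in POSITIONS.items()}

if __name__ == "__main__":
    for label, primary in (("feeds agree", TRUE_PRICE), ("primary 2.85% low", BAD_PRICE)):
        print(label)
        for name, (single, dual) in report(primary, TRUE_PRICE).items():
            print(f"  {name:12s} single={single:9s} dual={dual}")
```

The guard trades availability for safety: while the feeds disagree, the genuinely underwater position is not liquidated either, so a pause needs an operator alert and a bounded resolution path.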
The irony is acute. Chaos Labs built its reputation on making DeFi safer. It priced every Aave loan for over three years, oversaw $2.5 trillion in cumulative deposit volume, and managed $2 billion in liquidations without material bad debt. Its own post-mortem of the oracle bug was transparent; it reimbursed users.
And yet. A company called Chaos Labs ends its tenure with an oracle that liquidated $27 million in healthy positions, an acrimonious exit from its flagship client, a suspected state-level cyberattack, and an industry-wide migration to its primary competitor.
At some point, the brand name stops being a coincidence.
This is a developing story. Chaos Labs’ investigation is ongoing and further details on the suspected nation-state attacker are expected to be released.








