The rsETH incident exposed a critical vulnerability in Aave V3's current supply cap architecture. While governance had set reasonable upper bounds on how much of any asset could be deposited, the gap between actual on-chain supply and that ceiling created a dangerous window for exploitation. An attacker could flood the protocol with freshly minted tokens, use them as collateral, and extract value before the deposit could be properly scrutinized. This pattern—rapid-fire collateral injection followed by aggressive borrowing—represents a class of risk that traditional supply caps, as currently implemented, struggle to contain.
Gustavo Narvaja's proposal for an Automated Supply Cap Updater addresses this asymmetry through elegant constraint engineering. Rather than replacing Aave's governance-set caps, the external contract would hold the RISK_ADMIN role and keep the effective cap tight around actual supply. The mechanism is straightforward: monitor each reserve continuously, and whenever on-chain supply climbs above a threshold (say 97% of the current cap), automatically inch the cap upward by a small margin, typically 3%. The cap therefore trails just above real supply: it keeps pace with legitimate growth while systematically reducing the usable headroom for sudden, large deposits. Crucially, the contract never allows caps to exceed governance-defined maximums, preserving the protocol's ultimate risk guardrails while restricting tactical windows for exploitation.
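The update rule described above, modeled off-chain as an added example (this is not the proposal's contract code or Aave's). The 97% threshold and 3% step come from the text; the reserve figures, the 10-block minimum interval, and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

THRESHOLD_BPS = 9_700   # act once supply > 97% of the cap (figure from the text)
STEP_BPS = 300          # raise the cap by 3% per update (figure from the text)
MIN_INTERVAL = 10       # assumed: minimum blocks between two updates

@dataclass
class Reserve:
    supply: int    # current on-chain supply, whole tokens (constructed values)
    cap: int       # supply cap currently enforced by the pool
    max_cap: int   # governance-defined maximum, never exceeded

def maybe_raise_cap(r: Reserve, block: int, last_update: int) -> bool:
    """One updater tick; returns True if the cap was raised."""
    if block - last_update < MIN_INTERVAL:
        return False                      # rate limit between updates
    if r.supply * 10_000 <= r.cap * THRESHOLD_BPS:
        return False                      # supply still below the threshold
    new_cap = min(r.cap * (10_000 + STEP_BPS) // 10_000, r.max_cap)
    if new_cap == r.cap:
        return False                      # already at the governance maximum
    r.cap = new_cap
    return True

def deposit(r: Reserve, amount: int) -> int:
    """Pool-side cap check: a supply that would exceed the cap is rejected whole."""
    if r.supply + amount > r.cap:
        return 0
    r.supply += amount
    return amount

def run(r: Reserve, flows) -> int:
    """flows: iterable of (block, amount). Returns the total amount accepted."""
    last_update, accepted = -MIN_INTERVAL, 0
    for block, amount in flows:
        if maybe_raise_cap(r, block, last_update):
            last_update = block
        accepted += deposit(r, amount)
    return accepted

if __name__ == "__main__":
    steady = Reserve(950_000, 1_000_000, 5_000_000)
    print("steady growth accepted:", run(steady, [(b, 2_000) for b in range(100)]))
    print("surge, cap parked at max:", run(Reserve(950_000, 5_000_000, 5_000_000), [(0, 3_000_000)]))
    print("surge, tracked cap:", run(Reserve(950_000, 1_000_000, 5_000_000), [(0, 3_000_000)]))
```

In this model the amount the cap can grow over any window is bounded by the step size and the update interval together, so those two parameters are the ones to tune against a reserve's normal inflow rate.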
What makes this proposal particularly valuable is its implementation simplicity and minimal protocol friction. No changes to Aave V3's core contracts are required; the updater operates as a standalone overlay that exercises existing admin permissions. Parameters remain fully configurable—update frequency, headroom targets, and utilization thresholds can all be adjusted through governance without protocol upgrades. Critically, the Security Council retains veto power and can pause the mechanism instantly if unforeseen dynamics emerge. Early concern that tighter caps might throttle legitimate market activity appears overblown; the approach deliberately allows steady, high-utilization reserves to expand gradually, limiting only sudden, out-of-character supply surges that historically signal either protocol stress or malicious activity.
The proposal signals a broader shift toward defensive automation in DeFi governance. Rather than waiting for risk incidents to be discovered, then voting through reactive changes, Aave is moving toward parametric safeguards that adjust proactively to market conditions. If implemented and tuned successfully, this model could inform how other lending protocols tighten their own cap mechanics without sacrificing composability or user experience.