What is Umbrella, Aave's new security module (AAVE)?
June 7, 2025

With the launch of Umbrella, Aave is initiating a complete overhaul of its security logic by allowing users to contribute through a staking mechanism. In this analysis, we break down how Umbrella works, the technical innovations it introduces, and what it brings to both the protocol and its users.
Key Information
- Umbrella is an enhancement of Aave’s current security framework, the Safety Module, designed to cover risks linked to extreme liquidations or bad debt events.
- It introduces a new staking system using yield-bearing assets (aUSDC, aETH, GHO, etc.) in isolated pools with their own risk, yield, and slashing parameters.
- Depositors accept an explicit slashing risk in the event of bad debt on the asset associated with their pool.
- Unlike the Safety Module, which requires governance intervention, Umbrella’s slashing mechanism is automated and solely based on predefined parameters.
- Umbrella enables a more granular and efficient approach to Aave’s security, with the ambition to protect users against bad debt events potentially reaching “several billions,” according to Marc Zeller.
What Is Umbrella?
General Overview
Umbrella is a major evolution of Aave’s security system, deployed on June 5, 2025. It aims to gradually replace the Safety Module with an on-chain, automated, granular, and more efficient insurance mechanism.
Unlike the former model, based on staking AAVE or LP tokens (stkABPT), Umbrella now relies on the staking of productive assets (yield-bearing assets) such as aTokens (aUSDC, aUSDT, aETH; stkGHO) or the GHO stablecoin.
The principle is simple: users deposit their aTokens into specific vaults on Umbrella. In return, they earn additional yield while accepting an explicit slashing risk in case of bad debt (i.e., their deposits can be seized by the protocol if the associated asset faces issues).
The slashing mechanism introduced by Umbrella is automated via specific parameters set for each vault. When a problem is detected on an asset, the predefined slashing rules for that vault are applied immediately, without governance intervention.
This new model creates an incentive equilibrium where riskier vaults must offer higher compensation to attract stakers, resulting in an organic regulation of risk across Aave.
Why Improve the Safety Module?
The original Safety Module, launched in 2020, relied on staking AAVE and stkABPT to cover potential losses in the event of extreme liquidation or insolvency. While innovative at the time, the system had several limitations identified by the DAO:
- Inefficient coverage and pressure on AAVE: the staked tokens (AAVE, stkABPT) were poorly correlated with the assets actually borrowed on Aave (stablecoins, ETH). In case of loss on an asset like USDT, the protocol had to sell AAVE to buy USDT and cover the debt, creating selling pressure and capital inefficiency.
- Subjective slashing: any slashing decision required a governance vote, making the process slow, uncertain, and vulnerable to conflicts of interest. This subjectivity created opacity around the real coverage and the slashing trigger conditions.
- Technical limitations: staking and slashing were limited to Ethereum, making it difficult to protect Aave’s cross-chain deployments. In addition, each staked asset could only generate one type of reward (often in AAVE), limiting flexibility and alignment with new community directions (e.g., rewards in GHO).
Umbrella was designed specifically to address the limitations observed in Aave's Safety Module over the years.
How Umbrella Works
In practice, each Umbrella Vault lets users stake productive assets (aUSDC, aETH, GHO, etc.) via an ERC-4626-compliant strategy, in exchange for a token representing their deposit (e.g., Umbrella aUSDC). These vaults are isolated from one another and have their own yield, risk, and slashing parameters.
The tokens representing users' deposits generate two yield streams:
- The standard yield from aTokens deposited on Aave;
- An additional yield tied to the slashing risk exposure (Safety Incentive), calculated via an S-curve where emissions peak when a certain liquidity target is reached.
In the event of a liquidity issue or insolvency for a particular asset on Aave, Umbrella triggers a slashing mechanism. Specifically, the protocol first absorbs a configured loss tranche (“first-loss offset,” currently 100,000 units), then automatically burns the affected asset within the corresponding vault once the threshold is exceeded.
Withdrawals are subject to a 20-day cooldown followed by a 2-day exit window, in order to prevent bank runs. This gives Aave sufficient reaction time to manage liquidity crises and absorb shocks, as highlighted by Marc Zeller (founder of ACI), who states that Umbrella can protect users “up to several billions” of dollars.
One of Umbrella’s major strengths is that it introduces an explicit correlation between risk and yield. Pools deemed riskier (more volatile assets, weaker collateral, etc.) will offer higher rewards to attract capital. Users therefore voluntarily choose their level of risk exposure.
Note: Paradoxically, it is currently more profitable to hold sGHO (7% yield) than stkGHO on Umbrella (currently ~5%). This is under discussion in governance, with proposals for reallocation of emissions or increasing the vault cap.
Umbrella Architecture
Umbrella relies on a smart contract infrastructure composed of three main components: StakeTokens, the Rewards Controller, and Umbrella Core.
StakeTokens
The StakeToken is a smart contract that allows users to deposit yield-bearing assets into vaults. Each StakeToken secures a specific asset on a given Aave v3 instance.
For example, staked waUSDC specifically protects the deficit on USDC borrowed on Aave v3 on Ethereum.
Main characteristics of Umbrella’s StakeTokens:
- Technically ERC-4626 vaults
- Fully liquid for deposits, with no cap
- One StakeToken per covered asset, per network
- Withdrawal subject to a cooldown period (20 days) followed by a withdrawal window (2 days)
- Explicit slashing risk in case of bad debt on the associated asset
- In return, stakers earn rewards
- DAO-governed administration: creation of new StakeTokens, cooldown parameters, contract updates
Rewards Controller
When a user stakes tokens in a StakeToken vault, they start earning rewards managed and distributed on-chain by the second key smart contract in Umbrella: the Rewards Controller.
In practice, a Rewards Controller is deployed per blockchain and handles all reward emissions for the corresponding StakeTokens.
Reward system specifics:
- Up to 8 reward tokens per StakeToken (e.g., USDC, AAVE, GHO)
- Each reward follows a dynamic emission curve: maximum at a defined target liquidity threshold, a gentle decrease above that threshold, and a rapid increase below it to attract deposits
- Rewards configured as “rewards per second,” with an emission cap at the target liquidity
- APY is automatically capped (e.g., at 2× target APY) to prevent temporary farming exploits
This system allows the DAO to efficiently allocate rewards based on an asset’s coverage needs.
Umbrella Core
The final key smart contract is the core of the system: Umbrella Core. It acts as the global controller of StakeTokens for a given Aave pool and automatically triggers slashing in the event of a deficit on a borrowed asset.
How it works:
- One Umbrella Core contract per Aave v3 instance (e.g., Core Ethereum)
- Automatic detection of a deficit (bad debt) on an asset
- Slashing triggered if the deficit exceeds a configured threshold (deficit offset)
- Slashed funds are transferred to the Aave Collector for use in deficit coverage
- The coverage process can then be executed by an entity with the proper role
The slashing logic is fully automated: once a deficit is detected and exceeds the threshold, staked tokens are burned according to the predefined rule. This mechanism eliminates the need for a manual governance vote, unlike the former Safety Module.
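The threshold-based slashing described above, together with the 20-day cooldown and 2-day exit window, can be modeled in a few lines. This is an added example, not Aave's contract code: the `StakeVault` class, its method names and the `covered` bookkeeping are assumptions made for illustration, and the model assumes stake remains slashable until it is actually redeemed.

```python
from dataclasses import dataclass, field

DAY = 86_400
COOLDOWN = 20 * DAY      # article: 20-day cooldown
EXIT_WINDOW = 2 * DAY    # article: 2-day withdrawal window

@dataclass
class StakeVault:
    """Toy model of one isolated vault; names are hypothetical, not Aave's contracts."""
    deficit_offset: int              # first-loss tranche absorbed before stakers are hit
    total_assets: int = 0
    total_shares: int = 0
    covered: int = 0                 # assumption: deficit already paid by earlier slashes
    shares: dict = field(default_factory=dict)
    cooldown_start: dict = field(default_factory=dict)

    def deposit(self, user, assets):
        if self.total_shares and not self.total_assets:
            raise ValueError("vault fully slashed; model refuses new deposits")
        # ERC-4626 style: 1:1 on first deposit, pro rata afterwards
        minted = assets if not self.total_shares else assets * self.total_shares // self.total_assets
        self.shares[user] = self.shares.get(user, 0) + minted
        self.total_shares += minted
        self.total_assets += assets
        return minted

    def slash(self, deficit):
        """Seize only the deficit above offset + already covered, capped at vault size."""
        uncovered = max(deficit - self.deficit_offset - self.covered, 0)
        seized = min(uncovered, self.total_assets)
        self.total_assets -= seized  # share count unchanged, so each share redeems for less
        self.covered += seized
        return seized                # would be sent to the Aave Collector

    def start_cooldown(self, user, now):
        self.cooldown_start[user] = now

    def redeem(self, user, now):
        start = self.cooldown_start.get(user)
        if start is None or now < start + COOLDOWN:
            raise PermissionError("cooldown not finished")
        if now > start + COOLDOWN + EXIT_WINDOW:
            raise PermissionError("exit window missed; restart the cooldown")
        owned = self.shares.pop(user)
        assets = owned * self.total_assets // self.total_shares
        self.total_shares -= owned
        self.total_assets -= assets
        del self.cooldown_start[user]
        return assets
```

A staker who starts the cooldown before a deficit appears still redeems at the post-slash share price, which is why the cooldown blunts a run on the vault.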
For more details, see Umbrella’s presentation on the Aave governance forum.
Conclusion and Outlook
With Umbrella, Aave takes a strategic step forward by entirely redesigning its security framework. The model introduces automated, granular, and economically coherent protection against default risk.
It also reduces dependence on governance and, more importantly, removes unnecessary pressure from the AAVE token. This new model aligns with Aave’s broader vision of becoming a truly multi-chain protocol, requiring more modular and adaptable tools.
The key question now is: will the proposed incentives be sufficient to attract enough capital to the riskier vaults? At the time of writing, Umbrella already holds $70 million in TVL just two days after launch.