Skip to main content
Avana icon

Risk Framework

Protocol-wide operating rules for risk management across the Avana Hub and LP Collateral Spokes.

Overview

The Avana Risk Framework is the protocol-wide operating system for risk parameter management across the Avana Hub and all LP Collateral Spokes. It governs how the protocol interprets market data and protocol state, including circuit breakers, spot price, utilization, liquidity pool depth, collateral concentration, volatility, peg stability, proof-of-reserves inputs, supply and borrow caps, LT/LTV settings, interest rate models, market status, portfolio composition, and position health.

Avana is not a generic lending market. It is an LP-as-collateral protocol built on Aave v4 infrastructure, supporting stable LPs, correlated-asset LPs, weighted pools, concentrated liquidity positions, and other AMM designs through dedicated spokes. Those markets do not share the same valuation logic, liquidation path, or failure modes, so the framework exists to manage that complexity with clear operating rules.

The framework is built around three deliberately separated roles: the Avana Risk Initiator, the Avana Risk Guardian, and the Avana Risk Defender. The actor that proposes changes should not be the same actor that independently reviews them, and emergency containment should remain narrower than routine risk management.

Core idea: it should always be easier to contain risk quickly than to expand it casually.

Core Principles

Role Separation

Risk recommendation, independent review, and emergency containment are separate responsibilities.

Constrained Execution

Risk changes only execute if they stay inside predefined policy bounds and pass framework validation.

Public Consistency

What is disclosed before submission should match what is actually queued for execution.

Spoke Awareness

Each LP collateral spoke has its own admissibility rules, oracle assumptions, liquidation logic, and risk profile.

Defensive Asymmetry

It should always be easier to reduce risk than to increase it.

Roles

Avana Risk Initiator

The primary recommending authority for routine risk updates across the Hub and LP Collateral Spokes.

  • Publish the rationale and classify the update as defensive or growth-oriented
  • Submit routine updates into the timelocked execution path
  • Recommend supply caps, borrow caps, LT/LTV, reserve factor, and interest-rate changes inside approved ranges
  • Initiate spoke-level de-risking and pool onboarding inside preapproved spoke templates

Avana Risk Guardian

The independent review and veto layer that preserves integrity, consistency, and execution safety.

  • Verify that the queued update matches the public disclosure
  • Check that the action stays inside approved policy bounds
  • Reject updates based on invalid oracle, liquidity, or liquidation assumptions
  • Cancel a queued update during the timelock window when it creates obvious spoke-level or hub-level instability

Avana Risk Defender

The narrow emergency containment role for incidents where the normal timelocked process would create unacceptable exposure.

  • Reduce borrow caps or supply caps to defensive levels
  • Freeze new borrowing on a spoke or freeze collateral usage for a pool, template, or spoke
  • Disable a specific adapter or borrow path when predefined failure conditions are met
  • Block new debt origination under emergency conditions without being used for routine optimization or growth actions

Update Flow

The standard framework flow is designed to be simple, reviewable, and auditable.

1

Public Notice

The Risk Initiator publishes a notice describing the intended update and its rationale.

2

Submission

The Risk Initiator submits the proposed change into the execution path.

3

Validation

The framework checks the update against predefined constraints and policy bounds.

4

Timelock

If valid, the update enters a timelock window before it can execute.

5

Guardian Review

During timelock, the Risk Guardian reviews the exact queued change and may veto it.

6

Execution

If the change is not cancelled, it executes automatically after timelock.

7

Emergency Path

If emergency conditions are met, the Risk Defender may act through a separate defensive path with narrower authority.

Parameter Classes

Not every parameter change should move through the same path.

Defensive Changes

These should be the easiest changes to execute.

  • Lowering borrow caps
  • Lowering supply caps
  • Reducing LTV or liquidation threshold
  • Freezing borrow or collateral usage
  • Tightening spoke settings

Routine Bounded Changes

These move through the standard Initiator -> Guardian -> timelock flow.

  • Modest cap increases
  • Modest parameter tuning inside approved ranges
  • Adding new pools inside an existing spoke template

Governance-Level Changes

These remain outside the routine framework path.

  • Creating a new spoke family
  • Enabling a new LP primitive
  • Adding a new oracle model
  • Enabling a new liquidation adapter
  • Materially expanding the risk surface beyond preapproved assumptions

Public Disclosure

Each routine update should be published in a consistent format before submission.

Minimum disclosure standard

  • Affected spoke
  • Affected pools or templates
  • Current parameters
  • Proposed parameters
  • Reason for the update
  • Whether the update is defensive or growth-oriented
  • Expected submission timing
  • Expected timelock window
  • Relevant dependencies or assumptions

This standard gives developers, users, and the Risk Guardian a clear basis for review.

Emergency Actions

Emergency actions should be rare, narrow, and reversible. The Risk Defender should only act when there is a defined or highly probable failure condition that makes waiting for the normal timelocked process unsafe.

Emergency triggers

  • Oracle inconsistency
  • Liquidation path degradation
  • Abnormal pool behavior
  • Wrapper dependency failure
  • Adapter-level compromise
  • Sudden spoke-level instability

Required post-action disclosure

  • The trigger
  • The action taken
  • The intended duration
  • The path back to normal operation

Emergency authority is a defense mechanism, not a substitute for conservative routine risk management.

Most importantly, the framework separates recommendation, review, and emergency containment because LP collateral is not a single market. It is a family of markets with different structures, assumptions, and failure modes, and the framework is designed to support that diversity with discipline, transparency, and operational control.