Aave Protocol
About
Aave is a decentralized non-custodial liquidity protocol enabling permissionless lending and borrowing across multiple blockchain networks. The protocol offers different products including Aave App for simple savings, Aave Pro for advanced DeFi strategies, and Aave V3/V4 as the core lending infrastructure. Users can supply assets to earn interest or borrow against overcollateralized positions.
Where Does Yield Come From?
People who supply assets to Aave earn yield primarily from interest payments made by borrowers. Borrowers take loans from shared pools of funds, and they pay interest on those loans.
The interest rates borrowers pay are set automatically by formulas that look at how much of the pool is being used. Rates go up when usage is high, and they rise especially sharply after a certain usage point (often called the 'kink'). Borrowers can choose between variable rates that change often, or stable rates that are more predictable.
A portion of the interest paid by borrowers is kept by the protocol as a fee (called the reserve factor). This fee helps maintain the protocol's safety reserves. The rest of the interest goes to the people who supplied the funds.
Besides interest, there are other potential sources of yield:
- Governance token rewards for staking AAVE tokens in the Safety Module. This staking provides a backstop to protect the protocol in case of shortages.
- Possible liquidity mining programs that may offer extra rewards.
To keep suppliers' funds safe, the protocol requires borrowers to provide more collateral than they borrow (this is called overcollateralization). If a borrower's collateral value falls below a safe level, it is automatically sold (liquidated) to repay the loan. Interest rates adjust dynamically based on supply and demand across different asset pools.
Persons
Stani Kulechov
CEO
Aave Labs
Original author and key contributor
LinkedIn
Audits
| Audit / Date | Findings | Verdict |
|---|---|---|
ChainSecurity06-10-2025 - 28-01-2026 |
| The audit revealed several medium and low-severity issues, all of which were resolved by the Aave Labs team, indicating a responsive security posture during the engagement. The ongoing review of subsequent code versions suggests continued diligence in addressing security concerns. |
Trail of Bits10-02-2026 |
| The audit identified moderate risks in deficit reporting and liquidation mechanics, with the codebase showing generally sound arithmetic practices and architectural separation. Trail of Bits recommends addressing the medium-severity findings and enhancing invariant fuzzing for continuous security validation. |
Blackthorn06-10-2025 - 20-10-2025 |
| The audit revealed no critical vulnerabilities, with two medium-severity issues related to asset rounding and dead share yield loss, plus several low-risk findings mostly addressed or acknowledged by the Aave team before the February 2026 final report date. |
Pashov Audit Group29-11-2025 - 03-12-2025 |
| This audit found only a minor low-severity event emission issue that was already resolved, indicating Aave v3.6.0's security posture is robust with comprehensive protections against the analyzed attack vectors. |
Certora27-10-2025 - 03-11-2025 |
| This audit revealed no critical or high-severity vulnerabilities, with only one low-impact issue acknowledged but not fixed, indicating the Aave v3.6 codebase is relatively secure but contains minor gas optimizations and UX improvements. |
MixBytes28-10-2025 - 09-12-2025 |
| The audit found only minor low-severity issues that were already fixed, indicating a secure implementation of Aave v3.6 changes with no critical or high-risk vulnerabilities identified. |
Savant18-11-2025 |
| The audit revealed one medium-severity isolation mode bypass and several low-risk issues, most of which were promptly addressed by the Aave team, though one calculation flaw remains unfixed due to design trade-offs. |
Blackthorn24-10-2025 - 29-10-2025 |
| Blackthorn's security review of Aave v3.6 identified one critical liquidation vulnerability affecting eMode-only collaterals, along with two minor validation/documentation issues, all of which were resolved before deployment. |
MixBytes18-07-2025 |
| The audit found only low-severity issues primarily related to rounding optimizations, with 11 of 12 findings fixed before deployment, indicating a robust security posture for the Aave v3.5 upgrade. |
StErMi17-07-2025 |
| The audit revealed several edge-case rounding issues in Aave v3.5's mathematical precision refinements, with one medium severity finding and multiple low-risk issues, all of which have been addressed or acknowledged by the development team. |
ABDK Consulting17-07-2025 |
| The audit found no critical or high-risk vulnerabilities, with all moderate issues resolved and informational recommendations largely addressing code clarity and best practices rather than security threats. |
Certora12-06-2025 - 03-07-2025 |
| The audit found no critical or high severity issues, with all identified medium and low vulnerabilities successfully resolved before deployment. Formal verification confirmed the protocol maintains solvency across all core operations, providing strong assurance for the v3.5 upgrade's mathematical precision improvements. |
Blackthorn27-05-2025 - 08-06-2025 |
| The audit found no security vulnerabilities in Aave v3.4, indicating the upgrade changes were implemented securely with proper attention to potential attack surfaces. The clean security review provides confidence in the protocol's safety for deployment. |
Certora27-02-2025 - 11-06-2025 |
| The audit found no critical or high-severity vulnerabilities, with only minor low-severity and informational issues identified and addressed, indicating a robust security posture for the Aave v3.4 update. |
StErMi11-06-2025 |
| The audit successfully identified and resolved a critical flashloan vulnerability along with several lower-risk issues, ensuring the Aave v3.4 upgrade addresses security concerns before deployment with comprehensive fixes. |
Enigma30-04-2025 - 13-05-2025 |
| This audit demonstrates a clean security review with only minor informational issues that were promptly fixed, indicating robust code quality for the Aave v3.4 upgrade. No exploitable vulnerabilities were identified across the two-week engagement period. |
OtterSec24-06-2025 - 24-07-2025 |
| The audit identified no critical or high-risk vulnerabilities, with 2 medium and 3 low-severity issues, several of which were already patched, indicating generally sound security posture for the Aave Aptos V3 implementation. |
Spearbit18-06-2025 |
| The audit uncovered one critical high-severity rounding vulnerability that could enable token theft, but all reported issues were addressed by the Aave team prior to deployment. The comprehensive review provides reasonable assurance that the Aptos implementation aligns with Aave's security standards after remediation. |
Spearbit19-05-2025 - 21-05-2025 |
| The audit identified critical flaws in liquidation logic and interest rate calculations that were promptly fixed, ensuring the Aave Aptos upgrade addresses significant protocol risks before deployment while maintaining alignment with Solidity implementations. |
Spearbit18-06-2025 |
| The review found no critical or high severity vulnerabilities, with all medium risks resolved and the majority of lower-severity issues addressed, indicating a reasonably secure periphery implementation for Aave's Aptos deployment. |
Certora02-02-2025 - 07-04-2025 |
| The audit found no critical or high severity vulnerabilities, with all identified medium and low issues promptly fixed, indicating a robust security posture for this Aptos port of Aave V3. |
Certora02-02-2025 - 07-04-2025 |
| The audit found no critical vulnerabilities, with all identified issues promptly fixed by the development team, resulting in a secure implementation of Aave V3 on Aptos that maintains parity with the EVM version. |
Certora02-02-2025 - 07-04-2025 |
| The audit identified zero vulnerabilities and confirmed that the Aave Aptos Periphery implementation correctly translates the EVM version's logic to the Move language with proper security considerations. |
MixBytes05-02-2025 - 15-05-2025 |
| MixBytes found no critical or high severity vulnerabilities, with all identified medium and low issues subsequently fixed, indicating the Aave Umbrella codebase is securely designed with appropriate mitigations in place. |
Ackee Blockchain Security19-05-2025 |
| The audit uncovered one medium-severity design concern about share inflation in ERC-4626 vaults under repeated slashing, which was acknowledged but not fixed due to low likelihood, while all other findings were either fixed or accepted as minor. |
Oxorio29-01-2025 |
| The audit uncovered only minor code quality issues—three informational findings—with no security vulnerabilities, indicating the Aave v3.3.0 codebase is robust for the deficit tracking and liquidation optimization features reviewed. |
Sherlock22-01-2025 |
| The audit document conversion failed, producing unusable garbled text that prevents any assessment of findings or protocol safety implications. |
Certora24-10-2024 - 07-11-2024 |
| Certora's formal verification identified one medium severity bug in interest rate calculations related to new deficit accounting, plus an informational edge case in liquidation logic, both of which were promptly fixed by the Aave team. The audit provides confidence that the v3.3 upgrade's core deficit tracking and liquidation optimizations are securely implemented. |
StErMi22-10-2024 |
| The audit found several medium and low severity issues in Aave v3.3's deficit management and liquidation logic, all of which were addressed or acknowledged by the development team before deployment, resulting in a secure implementation of the new features. |
Enigma Dark30-09-2024 |
| The Aave v3.2 upgrade audit revealed only minor informational issues with no security vulnerabilities, indicating the code changes are safe for deployment after addressing the identified documentation and cleanup items. |
Certora08-09-2024 - 19-09-2024 |
| This formal verification audit confirmed the correctness of Aave's Liquid eModes implementation, finding no vulnerabilities through both automated formal proofs and manual code review. |
Pashov Audit Group05-09-2024 - 15-09-2024 |
| This audit found no security vulnerabilities in Aave V3.2's liquid eModes implementation, with only a minor gas optimization issue identified and resolved, indicating robust security design for the upgrade. |
Oxorio12-09-2024 |
| The audit identified moderate-severity configuration validation issues and informational code quality improvements, all of which were resolved before final verification, ensuring the Liquid eModes update meets security requirements for deployment. |
Certora25-08-2024 - 10-09-2024 |
| The formal verification audit found no security vulnerabilities in the stable rate removal changes, with only a minor informational issue about event references that was partially addressed for backward compatibility. |
Cantina02-06-2024 |
| The competition uncovered no critical or high severity issues, with only one medium and six low-risk findings, indicating a relatively secure codebase for Aave v3.1. The identified vulnerabilities were primarily edge-case logic errors and documentation gaps that do not threaten core protocol safety. |
MixBytes02-05-2024 |
| The audit found only low-severity issues, with two acknowledged and one fixed, concluding that the Aave v3.1 updates do not introduce new vulnerabilities and address several previous problems. |
Certora30-04-2024 |
| The audit found no critical or high‑severity vulnerabilities; the single informational issue was acknowledged, indicating that the Aave V3.1 upgrade is secure and well‑reviewed for production deployment. |
Sigma Prime23-10-2023 |
| The audit found no critical or high-severity vulnerabilities, with only one medium-severity issue that was resolved through additional safeguards. Overall, the GHO Stability Module contracts demonstrate robust security posture with effective mitigation of identified risks. |
SigmaPrime06-07-2023 |
| The audit revealed one high‑severity accounting error and several low‑risk issues, all of which were addressed or acknowledged by the development team, leaving no critical vulnerabilities unresolved at the time of the report. |
Sigma Prime13-06-2023 |
| Sigma Prime's review found no security vulnerabilities in the GhoSteward contract, with only two informational issues that were either resolved or acknowledged as intended behavior. |
Certora03-03-2024 - 14-03-2024 |
| The formal verification audit found no security vulnerabilities in the GhoStewardV2 contract, with all 14 specified safety properties proven correct against the implementation. |
ABDK01-03-2023 |
| The audit revealed numerous code quality and edge-case issues but no critical vulnerabilities, with all major findings addressed before deployment, indicating a generally secure implementation with room for minor optimizations. |
OpenZeppelin18-10-2022 - 24-10-2022 |
| The audit identified one medium-severity vulnerability in the discount lock mechanism but no critical or high-risk issues, with most findings being code quality improvements rather than security threats. OpenZeppelin provided monitoring recommendations for the decentralized GHO stablecoin system as it prepared for mainnet launch. |
OpenZeppelin11-07-2022 - 27-07-2022 |
| OpenZeppelin's audit found no critical or high-severity vulnerabilities, identifying two medium issues related to peg stabilization mechanics and loan recursion, along with several code-quality recommendations, most of which were addressed or acknowledged by the Aave team. |
SigmaPrime19-04-2023 |
| The audit found only minor informational issues, both of which were resolved or acknowledged, indicating the v3.0.1/3.0.2 upgrades maintain the protocol's security posture. |
Certora01-03-2023 |
| This focused audit of a specific zero-LTV transfer fix identified minor edge cases but confirmed the PR addresses the intended collateralization behavior correctly, maintaining protocol safety for the targeted scenario. |
SigmaPrime23-12-2022 |
| The audit found only minor informational issues that were resolved, confirming the Aave v3.0.1 update introduced no security vulnerabilities and maintained protocol safety. |
Certora17-11-2022 - 15-12-2022 |
| The formal verification successfully proved numerous safety properties across Aave V3.0.1's core contracts, identifying only one low-severity edge-case inconsistency that was determined to be operationally safe without requiring architectural changes. |
PeckShield22-12-2022 |
| This limited-scope audit of Aave V3.0.1 improvements found only minor coding practice issues, both promptly fixed, indicating robust security practices for incremental protocol updates. |
ABDK Consulting26-01-2022 |
| This audit uncovered several critical and major security issues in Aave V3's core logic, though the majority of findings were code quality improvements. The protocol team needed to address the critical flaws before deployment to ensure safe operation. |
SigmaPrime27-01-2022 |
| The audit identified three low-severity issues and nine informational recommendations, all of which were resolved or acknowledged by the development team, indicating a thorough security review with addressed findings. |
Certora12-11-2021 - 24-01-2022 |
| The formal verification identified and resolved one critical vulnerability plus several high/medium severity issues before launch, providing strong mathematical guarantees for core tokenization and configuration logic, though with some limitations on loop coverage and external call side-effects. |
PeckShield10-01-2022 |
| The audit revealed several high-severity logic bugs and a reentrancy risk, all of which were addressed before deployment, indicating a responsible security process but underscoring the complexity of Aave V3's new features. |
Trail of Bits25-10-2021 - 24-11-2021 |
| The audit identified critical isolation mode and eMode vulnerabilities that could allow circumvention of collateral restrictions and improper liquidations, but all high-severity issues were addressed in subsequent fixes. The comprehensive review provides confidence in the security of Aave V3's core lending mechanics when implemented with the recommended corrections. |
OpenZeppelin01-11-2021 |
| This comprehensive audit by OpenZeppelin uncovered several critical vulnerabilities in Aave V3's core logic, particularly around debt token minting and eMode category handling, all of which were addressed before deployment. The thorough review with numerous fixes and acknowledgments provided strong security validation for the protocol's V3 upgrade. |
PeckShield16-03-2021 |
| This audit found only minor informational coding practice recommendations, with no security vulnerabilities identified, indicating the Aave V2 light deployment functionality was securely implemented and ready for mainnet deployment. |
SigmaPrime01-01-2021 |
| The audit uncovered one high-severity logic flaw that could permit unauthorized stable borrowing, which was promptly resolved before mainnet deployment, along with several lower-risk and informational issues that were acknowledged or fixed, indicating generally sound security practices with timely remediation. |
Consensys08-09-2020 - 09-10-2020 |
| The audit revealed no critical or high-risk vulnerabilities, with medium-severity issues addressed before deployment. Aave V2's security posture appears solid post-mitigation, though minor recommendations remain for code quality and edge-case handling. |
Certik28-09-2020 - 02-12-2020 |
| The audit revealed no serious vulnerabilities, with only minor and informational issues found, indicating a well-reviewed and secure codebase for Aave Protocol V2's launch. |
PeckShield03-12-2020 |
| The audit revealed one critical vulnerability that could lead to fund loss, along with multiple high and medium severity issues affecting interest rate calculations and validation logic. All identified issues were addressed or acknowledged by the development team prior to the final report. |
MixBytes16-09-2020 - 03-12-2020 |
| The audit found no critical vulnerabilities but identified several major logic issues and numerous warnings, indicating a codebase that was still maturing but generally secure with the Aave team actively addressing findings during the audit period. |
Legal
Legal form
Aave Labs (legal form not explicitly disclosed in official sources)
Registration jurisdiction
Cayman Islands
Status and notes
Privacy Policy and Terms of Service reference Cayman Islands Data Protection Act, arbitration in Cayman Islands, and governing law of Cayman Islands. Services operated by "Aave Labs" (contact: [email protected]). Legal form (e.g., foundation, company) not explicitly stated in reviewed official documents. Aave Labs notes it does not control or operate the decentralized Aave Protocol itself.