Security
Peace of mind by design.
Governed by code, not companies.
Unlike traditional platforms where a single company controls every parameter, Aave's security is enforced through on-chain governance. Every change must pass community vote and survive mandatory time delays before execution.
- Forum reviewTEMP CHECK and ARFC each spend at least 5 days in the governance forum before advancing.5+ days each
- Snapshot votesTEMP CHECK and ARFC each move to 4-day off-chain Snapshot votes before an AIP is created.4 days each
- AIP on-chain voteThe AIP enters a fixed on-chain cycle. Voting opens 1 day after creation and runs for 3 days.5-day cycle, 3-day vote
- DAO monitoring + timelockDAO service providers monitor the process. Passed AIPs enter a 1-day timelock after voting closes, during which the 5/9 Guardian can veto a malicious proposal.5/9 Guardian veto
- ExecutionExecution is enabled on day 5, usually via Chainlink automation. Any address can trigger it.
Incident Response & Disclosure.
What happens when something goes wrong — and how fast. Public commitments at every step, ending with a post-mortem on the governance forum.
- DetectContinuous monitoring covers onchain activity, offchain infrastructure, and emerging risk signals 24/7.
- TriageSecurity and risk teams triage issues with Guardian responders ready.
- RemediateSpecialists fix it; audit firms verify it.
- DiscloseEvery incident ends in a public post-mortem.
- DetectContinuous monitoring covers onchain activity, offchain infrastructure, and emerging risk signals 24/7.
- TriageSecurity and risk teams triage issues with Guardian responders ready.
- RemediateSpecialists fix it; audit firms verify it.
- DiscloseEvery incident ends in a public post-mortem.
Bug Bounties
Aave splits its bug bounty across specialist platforms — each program covers a different part of the protocol. Find the one that matches what you found and submit.
Security
Assessment Brief
A comprehensive overview of Aave's security posture, governance controls, audit history, and incident response.

Compliance & Auditing
View Aave's compliance certifications and independently verified reports on our security, availability, and confidentiality controls.
SOC-2 Type II
Mar 2026
Collaborative Audit Report
Sherlock · May 14 2026
Formal Verification - Tokenization Spoke
Certora · Apr 13 2026
Formal Verification - Hub
Certora · Mar 09 2026
Formal Verification - Libraries
Certora · Mar 09 2026
Formal Verification - Spoke
Certora · Mar 09 2026
Security Audit
ChainSecurity · Feb 19 2026
Security Audit - Tokenization Spoke
ChainSecurity · Feb 10 2026
Security Review
Trail of Bits · Feb 10 2026
Collaborative Audit Report
Sherlock · Feb 05 2026
Security Review
Blackthorn · Oct 20 2025
Stable Vault Report
Josselin Feist · Jul 2026
Stable Vault Report - Extension 1
Josselin Feist · Jul 2026
Stable Vault Report - Extension 2
Josselin Feist · Jul 2026
Stable Vault Report - Extension 3
Josselin Feist · Jul 2026
Security Assessment - a.DI
Certora · Jun 2026
Code Assessment - Stable Vaults
ChainSecurity · May 2026
Security Assessment - Stable Vaults
Certora · May 2026
Security Assessment - Stable Vaults
Certora · Apr 2026
Code Assessment - Stable Vaults
ChainSecurity · Mar 2026
Security Assessment - Stable Vaults
Certora · Jan 2026
Security Audit - ERC-6900 Modules
Quantstamp · Apr 17 2026
Security Assessment - Web Wallet
Zellic · Mar 11 2025
Security Assessment - Web Wallet
Zellic · Mar 8 2024
Security Assessment - iOS App
Zellic · Feb 28 2024
Security Assessment - Web Application
Zellic · Nov 17 2023
Security Assessment - Abstracted Account
Zellic · Feb 22 2023
Security Review
Enigma Dark · Mar 31 2026
Supervised Security Review
Savant · Mar 30 2026
Security Assessment & Formal Verification Report
Certora · Mar 29 2026
Security Review
Pashov · Mar 27 2026
Security Audit Report
MixBytes · Mar 26 2026
Audit Contest Report
Sherlock · Mar 26 2026
Security Review
Pashov · Nov 29 2025
Security Audit Report - V3.1-V3.3
OtterSec · Aug 8 2025
Security Audit Report - Core V3.0.2
Spearbit · Jun 18 2025
Security Audit Report - Core V3.1-V3.3
Spearbit · Jun 18 2025
Security Audit Report - Periphery V3.0.2
Spearbit · Jun 18 2025
Security Assessment & Formal Verification Report - Core V3.0.2
Certora · Apr 2025
Security Assessment & Formal Verification Report - Core V3.1-V3.3
Certora · Apr 2025
Security Assessment & Formal Verification Report - Periphery V3.0.2
Certora · Apr 2025
Security Review
Enigma Dark · Sep 30 2024
Security Assessment & Formal Verification Report - Liquid eModes
Certora · Sep 19 2024
Security Review
Pashov · Sep 15 2024
Security Audit Report - Liquid eModes
Oxorio · Sep 12 2024
Security Assessment & Formal Verification Report - Stable Rate Removal
Certora · Sep 10 2024
GHO Stability Module Contract Review
Sigma Prime · Oct 23 2023
GHO Smart Contract Security Assessment Report
Sigma Prime · Jul 06 2023
GHO Steward Contract Review
Sigma Prime · Jun 13 2023
GHO Steward Security Assessment & Formal Verification Report
Certora · Mar 14 2023
GHO Smart Contract Audit
ABDK · Mar 01 2023
GHO Audit V2
OpenZeppelin · Nov 10 2022
GHO Audit
OpenZeppelin · Aug 12 2022
Smart Contract Audit Report
ABDK · Jan 27 2022
Smart Contract Security Assessment Report
Sigma Prime · Jan 27 2022
Formal Verification of Aave Protocol V3
Certora · Nov 12 2021 - Jan 24 2022
Smart Contract Audit Report
PeckShield · Jan 14 2022
Security Assessment Report
Trail of Bits · Jan 7 2022
Smart Contract Audit Report
OpenZeppelin · Jan 11 2021
Light Deployment Smart Contract Audit Report
PeckShield · Mar 16 2021
Smart Contract Security Assessment
Sigma Prime · Jan 2021
Smart Contract Audit Report
Consensys Diligence · Sep 2020
Smart Contract Security Assessment
CertiK · Sep 2020
Smart Contract Audit Report
PeckShield · Sep 2020
Smart Contract Audit Report
MixBytes · Sep 2020
Client Application
DDOS Protection
Advanced cloud-based DDoS protection services are used to identify and neutralize threats before they reach interface infrastructure.
Domain Protection
To safeguard the domain, DNSSEC is used to protect against DNS spoofing and ensure domain name requests are securely authenticated.
Intrusion Detection
The front-end employs state-of-the-art intrusion detection systems (IDS) that monitor for suspicious activities and potential threats, ensuring immediate detection and response to protect user data.
Modification Detection
Content Security Policy and Subresource Integrity checks are used to detect and prevent unauthorized modifications to front-end code.
IPFS Naming Records
Each commit of the Aave Interface codebase is automatically deployed to IPFS. The app.aave.com IPNS pointer and domain text records are continuously updated to reflect latest deployment hash using the DNSLink standard.
Security Insights.
Deep dives into how Aave approaches security, risk management, and protocol resilience — hand-picked for institutional readers.
Aave Labs Achieves SOC 2 Type II Attestation Across Security, Availability, and Confidentiality
Aave Labs development and operational controls have been independently verified to meet a consistent standard of rigor.
Security by Design: Aave V4 Governance Security Update
How Aave V4 achieved zero high-severity findings across 345 days of security review, formal verification, and a 900-participant public contest.
How Aave Liquidations Perform Under Volatile Conditions
A data-driven look at Aave's $4.6 billion in historical liquidations, demonstrating the protocol's resilience across multiple market cycles and stress events.
Fire Drills
Regular simulated-incident exercises that stress-test the response process end-to-end — in public.
- Annual large scale fire drill simulating high impact scenariosPassed
- Quarterly emergency protocol guardian drillsPassed
Dig Deeper
Code, governance, and documentation are all in the open.


