Security

Peace of mind by design.

6+ Years
Of uninterrupted operation.
$4.4B+
Liquidated safely, zero bad debt.
65
Audits & AI-assisted reviews.
$148.41M
Umbrella insolvency backstop.
$5M+
Live bug bounty rewards.
SOC 2 Type 2
Annual security audit.

Governed by code, not companies.

Unlike traditional platforms where a single company controls every parameter, Aave's security is enforced through on-chain governance. Every change must pass community vote and survive mandatory time delays before execution.

Onchain voting
Every change is an AIP, voted on-chain by AAVE holders. No entity, not even Aave Labs, can act alone.

Mandatory timelocks
Approved proposals wait before execution: 1 day for standard changes, 7 days for governance changes.

Community Guardian
A 5-of-9 community multisig can veto malicious proposals. A safeguard, not a control.

Full transparency
Every proposal, vote, and execution is on-chain. Security reports ship on GitHub with each AIP.
Proposal lifecycle
Live Onchain
  1. Forum review
    TEMP CHECK and ARFC each spend at least 5 days in the governance forum before advancing.
    5+ days each
  2. Snapshot votes
    TEMP CHECK and ARFC each move to 4-day off-chain Snapshot votes before an AIP is created.
    4 days each
  3. AIP on-chain vote
    The AIP enters a fixed on-chain cycle. Voting opens 1 day after creation and runs for 3 days.
    5-day cycle, 3-day vote
  4. DAO monitoring + timelock
    DAO service providers monitor the process. Passed AIPs enter a 1-day timelock after voting closes, during which the 5/9 Guardian can veto a malicious proposal.
    5/9 Guardian veto
  5. Execution
    Execution is enabled on day 5, usually via Chainlink automation. Any address can trigger it.

Incident Response & Disclosure.

What happens when something goes wrong — and how fast. Public commitments at every step, ending with a post-mortem on the governance forum.

  1. Detect
    Continuous monitoring covers onchain activity, offchain infrastructure, and emerging risk signals 24/7.
  2. Triage
    Security and risk teams triage issues with Guardian responders ready.
  3. Remediate
    Specialists fix it; audit firms verify it.
  4. Disclose
    Every incident ends in a public post-mortem.
  1. Detect
    Continuous monitoring covers onchain activity, offchain infrastructure, and emerging risk signals 24/7.
  2. Triage
    Security and risk teams triage issues with Guardian responders ready.
  3. Remediate
    Specialists fix it; audit firms verify it.
  4. Disclose
    Every incident ends in a public post-mortem.

Bug Bounties

Aave splits its bug bounty across specialist platforms — each program covers a different part of the protocol. Find the one that matches what you found and submit.

Security
Assessment Brief

A comprehensive overview of Aave's security posture, governance controls, audit history, and incident response.

Download the PDF
branded shields for security assessment brief

Compliance & Auditing

View Aave's compliance certifications and independently verified reports on our security, availability, and confidentiality controls.

SOC-2 Type II

Mar 2026

Attestation letter can be supplied on demand

Client Application

DDOS Protection

Advanced cloud-based DDoS protection services are used to identify and neutralize threats before they reach interface infrastructure.

Domain Protection

To safeguard the domain, DNSSEC is used to protect against DNS spoofing and ensure domain name requests are securely authenticated.

Intrusion Detection

The front-end employs state-of-the-art intrusion detection systems (IDS) that monitor for suspicious activities and potential threats, ensuring immediate detection and response to protect user data.

Modification Detection

Content Security Policy and Subresource Integrity checks are used to detect and prevent unauthorized modifications to front-end code.

IPFS Naming Records

Each commit of the Aave Interface codebase is automatically deployed to IPFS. The app.aave.com IPNS pointer and domain text records are continuously updated to reflect latest deployment hash using the DNSLink standard.


Fire Drills

Regular simulated-incident exercises that stress-test the response process end-to-end — in public.

  • Annual large scale fire drill simulating high impact scenarios
    Passed
  • Quarterly emergency protocol guardian drills
    Passed

Dig Deeper

Code, governance, and documentation are all in the open.

ronnie working on a laptop with aave logo on it
GitHub
Protocol code, audits, and AIPs.
ronnie holding a scratchpad and a pen hanging on the ear
Learn center
Protocol code, audits, and AIPs.
ronnie playing with blocks
Documentation
Architecture, contracts, integration.

FAQs

Yes. Aave publishes independent audit reports, security reviews, and formal verification reports across protocol versions.
Audit reports are available on the Aave Security page. Deployed contracts are listed in the Aave docs and the Aave Address Book.
Smart contract risk cannot be eliminated. Aave mitigates it through open-source code, independent audits, formal verification, governance review, and bug bounties.
Protocol changes are governed by the Aave DAO through onchain proposals, voting, timelocks, and execution.
No central party can freeze or alter individual user positions. Certain reserve-level controls may be used only for protocol risk management.
Emergency roles can pause or limit specific protocol reserves in defined cases, but they cannot seize funds or modify individual positions.
Collateral risk is managed through governance-approved parameters like LTVs, liquidation thresholds, supply caps, borrow caps, and ongoing risk monitoring.
New assets go through Aave Governance, including community review, risk assessment, oracle review, parameter setting, and onchain approval. The Aave Risk Framework lays out the various parameters.