TLDR
- Aave Labs reports about 345 cumulative review days across auditors and researchers.
- The Aave DAO funded the V4 security program with a $1.5 million budget.
- A six-week Sherlock contest drew 900+ participants and 950+ findings.
- Aave Labs listed five long-term security practices, including a permanent bug bounty.
Aave Labs has outlined a layered smart contract security plan for the Aave V4 upgrade. The firm said the work followed a $1.5 million audit program approved by the Aave DAO. In a governance forum post shared this week, Aave Labs called V4 a “security-first framework.” It said protections were built in during design rather than saved for a late audit phase.
Year-long review paired audits with verification and testing
Aave Labs said the program combined several methods across internal and external teams. It listed formal verification, manual audits, invariant testing, fuzzing, and a public contest. The firm said the combined effort totaled about 345 cumulative days of review. That figure covered Aave Labs teams, audit firms, and independent security researchers.
Formal verification played a central role in the V4 process, according to the post. Aave Labs said Certora worked with developers from early design stages. The firm said that approach helped shape the architecture before formal audit rounds. It also aimed to find issues while contracts were still changing. Aave Labs also cited multiple manual audit rounds for the V4 codebase. It named ChainSecurity, Trail of Bits, and Blackthorn among the audit firms involved.
Five long-term security commitments set out for future releases
Aave Labs said the V4 process led to five security commitments for future development. It said it will embed formal verification from the start of each cycle. It also said it will keep layered security methods that mix different review techniques. The firm added that it will run continuous verification alongside active development.
Aave Labs also committed to an ongoing bug bounty program and said it will further develop AI-assisted smart contract scanning tools. The post said invariant testing and fuzzing were used to check core protocol behavior. It named liquidity accounting, liquidation logic, and interest rate models as focus areas.
Aave Labs also said V4 was designed to be smaller and more modular than V3. It linked that choice to a hub-and-spoke redesign meant to simplify targeted reviews. The firm said it also gathered feedback from risk providers and protocol integrators. It said the threat model included assumptions made by systems built on Aave liquidity.
Security update arrives during Aave DAO disputes and contributor exits
The security disclosure comes during a period of tension inside the Aave ecosystem. Recent disputes have focused on funding, protocol direction, and contributor roles. Earlier in 2026, BGD Labs said it plans to stop Aave-related work. BGD Labs has been a long-time technical contributor to Aave infrastructure.
Marc Zeller also said the Aave Chan Initiative plans to step back in July. Zeller is the ACI founder, and ACI has been active in Aave governance. The moves followed debate around a proposal called “Aave will win.” The proposal described revenue changes and broader plans tied to the V4 upgrade.
Aave governance data cited in the report showed a narrow split on the direction. The proposal passed a temperature check vote with 52.6% support. Aave remains one of the largest onchain lending protocols by activity. It is also a top generator of DeFi fees, based on third-party dashboard data.





