Aave V4: 1 year of auditing and no critical vulnerabilities found


While traditional banks hide their internal processes behind annual reports and regulators paid by the sector itself, Aave Labs last week published a detailed account of each stage of the security program for its new protocol - the auditors hired, the methodologies used, the results obtained and how much money was spent.

What is Aave V4

For those who don't know: Aave is the world's largest decentralized lending protocol. It works like a bank, but without a bank - anyone can deposit crypto-assets to earn interest or take out loans using their assets as collateral, all executed by smart contracts on the blockchain, without intermediaries. We talked about it in the article “Where to invest your cryptocurrencies to generate income?”

Aave V4 is the next generation of this protocol, rebuilt with an architecture called hub-and-spoke, which separates central liquidity management from the individual operating modules. The result is a codebase that is smaller, more modular and, as the security program has shown, cleaner than any previous version.

345 days of review, US$ 1.5 million invested

The Aave V4 security program began in March 2025, when the company Certora was integrated into the team from the start of development - not just called in at the end to “check the code”, as is common. The logic is simple: architectural problems are much cheaper to fix when the system is still being designed than after the code is ready.

Over the course of almost 12 months, the protocol went through:

  • Formal verification with Certora, which uses mathematics to prove code properties, not just test them
  • Four rounds of manual auditing with companies such as ChainSecurity, Trail of Bits and Blackthorn, as well as independent researchers
  • Invariant testing and fuzzing - tools that feed the system random and unexpected inputs in an attempt to break it
  • A public security contest on the Sherlock platform, with more than 900 verified researchers submitting more than 950 findings over six weeks

The result: no critical vulnerabilities found at any stage of the program. The public reports by Trail of Bits, Blackthorn and ChainSecurity confirm this.

The total budget approved by the DAO was US$ 1.5 million. The program was completed under this amount - and the remaining balance will be returned to the DAO.

Why this matters to DeFi users

Exploits in DeFi protocols are the biggest source of losses in the sector. In 2024, hundreds of millions of dollars were drained from protocols that were either poorly audited or simply didn't invest enough in security before launch.

Aave did what is expected of a good DeFi protocol: parallel and independent audits, with each team starting from different premises to maximize the chance of finding something another team would have missed; two independent sets of invariant tests, developed by separate teams without prior coordination; and formal verification that runs continuously alongside development, not just at the end.

An eye-catching detail in the original document: researchers with early access to the code described the repository as the cleanest they had ever seen before an audit, citing careful design and consistent application of best practices. That's not branding - it's public feedback from security professionals paid to be skeptical.

Decentralized governance in operation

It's worth highlighting one aspect that often goes unnoticed: it wasn't a CEO or a board of directors who approved the US$ 1.5 million budget. It was the Aave DAO - the holders of the AAVE token, voting on a public proposal.

This means that the decision on how much to spend on security, which companies to hire and how to disclose the results was made collectively and transparently by those who have money at risk. The document published in the governance forum is the accountability for this decision.

It's the opposite model to that of a bank that outsources its auditing to a firm chosen by itself, publishes a two-page summary in the annual report and calls it transparency.

What's next

Aave Labs has listed five commitments that it will carry forward into the next developments: maintain formal verification from the start of any new protocol, continue with layered methodologies, maintain continuous security coverage even after launch, implement a permanent bug bounty and deepen the use of AI-assisted auditing tools - as a complement to, not a substitute for, human review.

The release date for Aave V4 has not yet been announced, but the security program has concluded. From a technical point of view, the protocol is ready.

For those who use DeFi - or are considering it - Aave V4 is one of the best-documented cases of how to build decentralized financial infrastructure responsibly. It's no guarantee that nothing will go wrong. But it is the highest standard available in the sector today.
