Aave Labs outlines layered security plan for V4 after $1.5 million audit program

The Block, 2026/03/05 14:30
By: The Block

Aave Labs has published a detailed blueprint for securing the next version of DeFi’s largest lending protocol, outlining a year-long audit and verification process for Aave V4 and pledging to extend those practices across future development.

In a governance forum post released this week, the firm described the V4 effort as a "security-first framework," where smart contract protections were embedded from the earliest architectural stages rather than treated as a final pre-launch audit.

The program combined formal verification, manual audits, invariant testing, fuzzing, and a public security contest, totaling roughly 345 cumulative days of review across internal teams, external auditors, and independent researchers.

The work was funded through a $1.5 million security budget ratified by the Aave DAO, according to the details shared.

Key commitments

Aave Labs said the experience has led it to adopt five long-term security commitments for future protocol development.

Embedding formal verification from the start of development cycles, maintaining layered security methodologies that combine multiple auditing techniques, running continuous verification alongside development, launching an ongoing bug bounty program, and further developing AI-assisted smart contract scanning were all listed as key commitments moving forward.

Formal verification, in particular, played a central role in the V4 process, Aave Labs said. Verification firm Certora worked alongside Aave developers from the earliest design stages, helping shape the architecture and identify vulnerabilities before the code entered formal audit rounds.

Beyond formal verification, the protocol also underwent multiple manual audit rounds involving firms including ChainSecurity, Trail of Bits, and Blackthorn, as well as independent security researchers. A separate invariant testing suite was developed using fuzzing tools to test the behavior of core components such as liquidity accounting, liquidation logic, and interest rate models.

The protocol’s codebase was also exposed to a six-week public security contest hosted on Sherlock between December 2025 and January 2026. More than 900 verified participants submitted over 950 findings during the contest, though the program reported no critical or high-severity vulnerabilities.

Aave Labs said the V4 codebase itself was intentionally designed to be smaller and more modular than its predecessor, following the protocol’s hub-and-spoke architecture redesign, allowing for more targeted audits and simplified security review.

The V4 security model also incorporated feedback from risk service providers and integrators who build applications on top of the lending protocol. Their input expanded the threat model to include not only direct user interactions but also the security assumptions of integrated systems that rely on Aave liquidity.

Aave DAO conflict

Aave Labs’ security disclosure arrives during a period of internal turbulence for the Aave ecosystem. Governance disputes have intensified in recent months over funding allocations, protocol direction, and the role of key contributors.

Earlier this year, BGD Labs — a long-time technical contributor responsible for major parts of the protocol’s infrastructure — announced plans to cease Aave-related work after roughly four years of involvement.

More recently, ACI founder Marc Zeller said the Aave Chan Initiative, another major governance participant, plans to step away from the protocol in July amid escalating tensions between contributors.

Those developments followed a contentious governance debate over a proposal known as "Aave will win," which outlined revenue changes and broader plans for the upcoming V4 upgrade. The proposal cleared a temperature check vote with 52.6% support, highlighting divisions within the DAO over the protocol’s future direction.

Aave is the largest onchain lending protocol, and among the top generators of monthly DeFi fees, according to The Block’s data dashboard.

