Security
Aave prioritizes security above all else. The protocol has undergone extensive audits by leading security firms and maintains a comprehensive bug bounty program to ensure the safety of user funds.
Smart Contract Audits
Aave's smart contracts have been rigorously audited by the most respected security firms in the blockchain industry. Multiple independent audits help ensure comprehensive coverage and identification of potential vulnerabilities.
Audit Reports
All audit reports are publicly available for transparency. Key audits include:
- Aave v3 Core Protocol - Audited by Trail of Bits, OpenZeppelin, SigmaPrime, and ABDK
- Aave v3 Periphery - Audited by OpenZeppelin and SigmaPrime
- GHO Stablecoin - Audited by OpenZeppelin, SigmaPrime, and Certora
- Safety Module - Audited by Certora with formal verification
- Governance v3 - Audited by BGD Labs and Certora
View all audit reports on the Aave GitHub repository.
Bug Bounty Program
Aave maintains one of the largest bug bounty programs in DeFi to incentivize responsible disclosure of security vulnerabilities.
Maximum Reward
Up to $1,000,000 for critical vulnerabilities that could result in loss of user funds.
Scope
Core protocol contracts, governance, periphery contracts, and official deployments.
Response Time
The security team acknowledges reports within 24 hours and provides regular status updates while the report is being handled.
Severity Levels & Rewards
| Severity | Description | Reward Range |
|---|---|---|
| Critical | Direct theft of funds, permanent freezing of funds | $100,000 - $1,000,000 |
| High | Temporary freezing, theft requiring specific conditions | $25,000 - $100,000 |
| Medium | Griefing, denial of service, minor fund impact | $5,000 - $25,000 |
| Low | Informational, best practice violations | $1,000 - $5,000 |
Submit bug reports through Immunefi or directly to the Aave security team.
Security Best Practices for Users
Protect yourself while using Aave and other DeFi protocols by following these essential security practices.
Use Hardware Wallets
Store significant funds in hardware wallets like Ledger or Trezor for maximum security.
Verify URLs
Always access Aave through the official URL: app.aave.com. Bookmark it for safety.
Check Transactions
Review all transaction details on your wallet before signing any transaction.
Enable 2FA
Use two-factor authentication on all exchange accounts and email addresses.
Secure Seed Phrases
Never share seed phrases. Store them offline in multiple secure locations.
Start Small
Test with small amounts first. Understand the protocol before committing large funds.
How to Verify Contract Addresses
Always verify you're interacting with official Aave contracts to avoid scams and phishing attempts.
Verification Steps
- Check Official Sources: Get contract addresses only from docs.aave.com or the official GitHub repository.
- Verify on Block Explorer: Check that the contract is marked as verified on Etherscan or another block explorer and that the published source matches the deployed code.
- Cross-Reference: Compare addresses across multiple official sources (documentation, GitHub, governance proposals).
- Check Deployment History: Legitimate contracts have transparent deployment history through governance.
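The first three steps can be made mechanical. The script below is an added example, not Aave's own tooling or anything from the Aave address book: it compares the address each "official source" publishes for a contract, declares a consensus only when every source agrees, and separately flags the case where a candidate address matches a known-good one only in the first and last characters, which is all a truncated wallet display shows. All addresses and source names in it are constructed placeholders, not real Aave deployments.

```python
"""Cross-reference a contract address against several official sources.

Added example for this page; it is not Aave's own tooling. All addresses
below are constructed placeholders, not real Aave deployments, and the
source names only stand in for the pages you would actually copy from.
"""
import re
from typing import Dict, List

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Validate the shape of an EVM address and lower-case it for comparison.

    Checksum casing (EIP-55) differs between sources, so compare case-insensitively.
    """
    addr = addr.strip()
    if not ADDRESS_RE.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


# Constructed sample data: what each official source publishes per contract name.
# "Oracle" deliberately disagrees in one source to show the failure path.
SOURCES: Dict[str, Dict[str, str]] = {
    "docs.aave.com": {
        "Pool": "0x1234567890abcdef1234567890abcdef12345678",
        "Oracle": "0xaaaa567890abcdef1234567890abcdef1234bbbb",
    },
    "github address book": {
        "Pool": "0x1234567890ABCDEF1234567890ABCDEF12345678",  # same address, checksum casing
        "Oracle": "0xaaaa567890abcdef1234567890abcdef1234bbbb",
    },
    "governance proposal": {
        "Pool": "0x1234567890abcdef1234567890abcdef12345678",
        "Oracle": "0xaaaa567890abcdef1234567890abcdef1234cccc",  # disagrees
    },
}


def cross_reference(name: str, sources: Dict[str, Dict[str, str]]) -> dict:
    """Return the address all sources agree on, or report the disagreement.

    A consensus is declared only when every source that lists `name` gives the
    same address. One dissenting source is enough to mark it unverified; the
    point of the check is to notice tampering, so majority-wins is not used.
    """
    by_address: Dict[str, List[str]] = {}
    for source, book in sources.items():
        if name in book:
            by_address.setdefault(normalize(book[name]), []).append(source)
    if not by_address:
        return {"consensus": None, "by_address": {}, "reason": "no source publishes this name"}
    if len(by_address) == 1:
        addr, who = next(iter(by_address.items()))
        return {"consensus": addr, "by_address": by_address,
                "reason": f"agreed by {len(who)} source(s)"}
    return {"consensus": None, "by_address": by_address, "reason": "sources disagree"}


def is_lookalike(candidate: str, reference: str, prefix: int = 6, suffix: int = 4) -> bool:
    """True when only the ends match: wallet UIs typically display 0x123456...5678."""
    c, r = normalize(candidate), normalize(reference)
    if c == r:
        return False
    return c[2:2 + prefix] == r[2:2 + prefix] and c[-suffix:] == r[-suffix:]


def check_user_address(name: str, user_addr: str, sources: Dict[str, Dict[str, str]]) -> str:
    """Verdict for an address a user is about to interact with."""
    result = cross_reference(name, sources)
    if result["consensus"] is None:
        return "UNVERIFIED: " + result["reason"]
    if normalize(user_addr) == result["consensus"]:
        return "OK: " + result["reason"]
    if is_lookalike(user_addr, result["consensus"]):
        return "REJECT: lookalike address, only the displayed prefix/suffix match"
    return "REJECT: does not match any official source"


if __name__ == "__main__":
    lookalike = "0x123456" + "0" * 30 + "5678"  # constructed: same ends as the Pool address
    for contract, addr in [("Pool", "0x1234567890abcdef1234567890abcdef12345678"),
                           ("Pool", lookalike),
                           ("Oracle", "0xaaaa567890abcdef1234567890abcdef1234bbbb")]:
        print(contract, addr, "->", check_user_address(contract, addr, SOURCES))
```

The design choice worth noting is that one disagreeing source fails the check outright rather than being outvoted: the scenario this guards against is a single compromised page or forum post, and a majority rule would let that slip through whenever the attacker controls the source you happen to trust most. Always compare the full 40 hex characters, never the abbreviated form a wallet shows.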
Official Contract Repositories
- Aave v3 Core Contracts
- Aave v3 Periphery
- GHO Stablecoin
- Aave Address Book - Complete list of deployed addresses
Phishing and Scam Prevention
The DeFi space attracts scammers. Learn to identify and avoid common threats.
Common Scam Types
- Fake Websites: Lookalike domains that mimic Aave's interface to steal funds or seed phrases.
- Fake Support: Impersonators on social media or Discord claiming to be Aave support asking for private keys.
- Phishing Emails: Emails claiming urgent action needed with malicious links.
- Fake Tokens: Airdropped tokens that require interaction with malicious contracts.
- Social Engineering: Attackers building trust before requesting sensitive information.
Protection Tips
- Bookmark official Aave URLs and only access through bookmarks
- Never click links in unsolicited emails or DMs
- Verify social media accounts through official channels
- Use browser extensions like MetaMask's phishing detector
- Don't interact with unknown tokens in your wallet
- Be skeptical of "too good to be true" offers
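The "bookmark and verify the URL" advice above amounts to an exact-match allowlist, and the common lookalike tricks are easy to enumerate. The function below is an added example, not code from Aave or from any wallet's phishing detector: it accepts a link only when the scheme is HTTPS and the hostname is exactly one of the hosts this page names, and otherwise returns the reason it was rejected (a non-ASCII or punycode hostname, the official name used as a subdomain of some other domain, or a domain that merely contains "aave"). The allowlist itself is an assumption limited to the two hostnames the page mentions.

```python
"""Classify a URL before trusting it as the Aave front end.

Added example for this page, not Aave's or any wallet vendor's code. The
allowlist holds only the hosts this page names; anything else is at best unknown.
"""
from urllib.parse import urlsplit

OFFICIAL_HOSTS = {"app.aave.com", "docs.aave.com"}  # exact hostnames from this page


def classify_url(url: str) -> str:
    """Return 'OK' only for an exact, HTTPS match against the allowlist.

    Every other outcome is a reason string, so the user sees *why* a link
    that "looks like Aave" was rejected.
    """
    if "://" not in url:
        url = "https://" + url  # bare hostname typed or pasted by a user
    parts = urlsplit(url)
    # .hostname is lower-cased and strips the port and any user@ prefix, so
    # https://app.aave.com@evil.example resolves to evil.example here.
    host = (parts.hostname or "").rstrip(".")

    if parts.scheme != "https":
        return "REJECT: not https"
    if host in OFFICIAL_HOSTS:
        return "OK"
    if any(ord(ch) > 127 for ch in host):
        return "REJECT: non-ASCII hostname (homoglyph risk)"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "REJECT: punycode hostname (homoglyph risk)"
    for official in OFFICIAL_HOSTS:
        if host.startswith(official + "."):
            return "REJECT: official name used as a subdomain of another domain"
    if "aave" in host:
        return "REJECT: lookalike domain"
    return "UNKNOWN: not an official host"


if __name__ == "__main__":
    # Constructed sample links, including the user@host and subdomain tricks.
    for link in ["https://app.aave.com/", "app.aave.com", "http://app.aave.com",
                 "https://app-aave.com", "https://app.aave.com.evil.example",
                 "https://app.aave.com@evil.example", "https://\u0430pp.aave.com"]:
        print(f"{link:45} {classify_url(link)}")
```

The ordering matters: the exact allowlist match comes first and every later branch only explains a failure, so a new trick the function does not recognize still lands in "UNKNOWN" rather than "OK". An allowlist of exact hostnames is the only check here that is actually decisive; the reason strings are for the user's benefit.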
Emergency Procedures
Aave has multiple safeguards in place to protect the protocol and user funds in case of emergencies.
Protocol Safeguards
Guardian Multisig
The guardian multisig, acting as emergency admin, can pause markets and freeze assets within minutes if a threat is detected.
Risk Parameters
Conservative parameters limit potential losses from any single asset or market condition.
Isolation Mode
New assets are isolated to limit their impact on the broader protocol.
If You Suspect a Compromise
- Don't Panic: Acting hastily can worsen the situation.
- Revoke Approvals: Use revoke.cash to revoke token approvals if you suspect wallet compromise.
- Move Funds: Transfer remaining funds to a secure wallet if your wallet may be compromised.
- Report: Report suspicious activity to the Aave team through official Discord channels.
- Document: Keep records of any suspicious transactions for potential recovery efforts.
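The "Revoke Approvals" step is where most of the work is after a compromise, because every outstanding ERC-20 allowance is a standing permission for the spender to move that token without another signature. The script below is an added example, not code from Aave or from revoke.cash: it replays decoded ERC-20 Approval events for one owner to reconstruct the current allowances, then orders them so unlimited approvals to spenders not on your verified list come first. The event records, addresses and verified-spender list are constructed placeholders.

```python
"""Find token approvals worth revoking after a suspected wallet compromise.

Added example for this page, not Aave's or revoke.cash's code. The event
records are constructed to look like decoded ERC-20 Approval logs.
"""
from typing import Dict, Iterable, List, Set, Tuple

UNLIMITED = 2**256 - 1  # type(uint256).max, what an "infinite approve" sets

Key = Tuple[str, str]  # (token, spender)

# Constructed, decoded Approval(owner, spender, value) events. Addresses are
# placeholders ("0x" + a repeated byte), not real tokens or contracts.
EVENTS: List[dict] = [
    {"block": 100, "token": "0x" + "01" * 20, "owner": "0x" + "aa" * 20, "spender": "0x" + "11" * 20, "value": UNLIMITED},
    {"block": 150, "token": "0x" + "01" * 20, "owner": "0x" + "aa" * 20, "spender": "0x" + "22" * 20, "value": 500 * 10**6},
    {"block": 160, "token": "0x" + "02" * 20, "owner": "0x" + "aa" * 20, "spender": "0x" + "33" * 20, "value": UNLIMITED},
    {"block": 170, "token": "0x" + "03" * 20, "owner": "0x" + "aa" * 20, "spender": "0x" + "44" * 20, "value": 1000},
    {"block": 200, "token": "0x" + "01" * 20, "owner": "0x" + "aa" * 20, "spender": "0x" + "22" * 20, "value": 0},  # already revoked
    {"block": 210, "token": "0x" + "01" * 20, "owner": "0x" + "bb" * 20, "spender": "0x" + "11" * 20, "value": UNLIMITED},  # other owner
]


def outstanding_approvals(events: Iterable[dict], owner: str) -> Dict[Key, int]:
    """Replay Approval events for `owner`; the last value per (token, spender) wins.

    ERC-20 Approval carries the *new* allowance, not a delta, so replaying in
    block order yields the current figure. Caveat: some tokens reduce the
    allowance on transferFrom without emitting Approval, so this is an upper
    bound; a live check calls allowance(owner, spender) before deciding.
    """
    current: Dict[Key, int] = {}
    for ev in sorted(events, key=lambda e: e["block"]):
        if ev["owner"].lower() != owner.lower():
            continue
        current[(ev["token"].lower(), ev["spender"].lower())] = ev["value"]
    return {k: v for k, v in current.items() if v > 0}


def revocation_plan(approvals: Dict[Key, int], verified_spenders: Set[str]) -> List[dict]:
    """Order approvals riskiest first: unverified spenders, then unlimited amounts.

    `verified_spenders` is the set of contract addresses you have confirmed
    through official sources; anything else is treated as untrusted.
    """
    verified = {s.lower() for s in verified_spenders}
    plan = [
        {
            "token": token,
            "spender": spender,
            "unlimited": value == UNLIMITED,
            "verified_spender": spender in verified,
            "action": "approve(spender, 0)",  # the on-chain revoke is a zero approval
        }
        for (token, spender), value in approvals.items()
    ]
    plan.sort(key=lambda p: (p["verified_spender"], not p["unlimited"]))
    return plan


if __name__ == "__main__":
    owner = "0x" + "aa" * 20
    verified = {"0x" + "11" * 20}  # constructed: the one spender we have cross-checked
    for item in revocation_plan(outstanding_approvals(EVENTS, owner), verified):
        flag = "UNLIMITED " if item["unlimited"] else ""
        trust = "verified" if item["verified_spender"] else "UNVERIFIED"
        print(f"{flag}{item['token'][:10]}... -> {item['spender'][:10]}... ({trust}): {item['action']}")
```

Two points a responder should keep in mind. First, revoking is itself a transaction that must be signed from the compromised key, so if a drainer is watching the wallet, moving funds out and revoking may race; the page's "Move Funds" step exists for that reason. Second, the replay is only as complete as the log range you fetched, so an allowance granted before the first block you scanned will be missing; confirm with an on-chain `allowance()` read before declaring a wallet clean.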
Emergency Contacts
- Security Vulnerabilities: security@aave.com or Immunefi
- Discord: #security channel in official Aave Discord
- Governance Forum: For protocol-level concerns
Continuous Security
Security is an ongoing process at Aave, not a one-time effort.
- Formal Verification: Critical contracts undergo mathematical proofs of correctness
- Continuous Monitoring: Real-time monitoring of protocol activity for anomalies
- Regular Audits: New features and updates undergo fresh security reviews
- Community Review: Open-source code allows community security researchers to review
- Incident Response: Documented procedures for handling potential security events