aave.com
Summary
Aave V3 is the largest decentralized lending protocol with ~$12.5B TVL across 22 chains, anchored by mature DAO governance, continuous tier-1 audits, and zero verified core-contract exploits. The overall risk score is moderate at 4.6/10, but that headline understates the real exposure: dependency failures — oracle misconfiguration and unverified bridged collateral — have caused more damage than any smart-contract bug, including an ongoing ~$124–230M rsETH bad-debt crisis and $27.8M in wrongful CAPO liquidations in early 2026.
Trust Assumptions
Users must trust that Chainlink aggregators and CAPO/custom oracle feeds return accurate, timely prices — AaveOracle does not enforce staleness checks. They must trust that governance will not list bridged collateral without verifying upstream bridge security, that the 5/9 Governance Guardian and 2/2 Edge Risk Oracle multisigs will not be compromised or misused, and that GHO facilitator bucket caps and GSM backstops remain adequately funded as supply grows toward ~600M tokens. Cross-chain deployments additionally require trust in CCIP bridge integrity, per-chain ACL admin executors, and timely oracle/sentinel configuration on each of 22 chains.
What Could Go Wrong
A third-party bridge exploit could again mint unbacked collateral tokens — as with rsETH (~$124–230M bad debt, ongoing) — leaving Aave lenders holding the loss if liquidations cannot close underwater positions. An operational oracle failure — stale Chainlink data, CAPO ratio drift, or a bad Edge Risk Oracle update — could trigger mass wrongful liquidations before users can react, as demonstrated by the $27.8M wstETH CAPO incident. A compromised Governance Guardian (5/9 multisig) could cancel legitimate governance proposals or manipulate cross-chain payload delivery, while a malicious governance vote could upgrade Pool implementations, add risky collateral, or expand GHO facilitator minting without adequate collateral backing.
Recommendation
Aave V3 is suitable as a core lending allocation for blue-chip assets on Ethereum mainnet, given its governance maturity, audit depth, and unmatched operational history — but size positions with the assumption that dependency failures, not core contract bugs, are the primary loss vector. Avoid borrowing against bridged or exotic collateral, prefer Ethereum over newer chain deployments, and actively monitor the rsETH bad-debt resolution, oracle health dashboards, and governance forum for new asset listings. Integrators should stick to core Pool interfaces and treat all periphery adapters as unaudited until independently verified.
Key Findings (30)
Analysis Sections
Aave V3 is DAO-governed via Governance V3 on Ethereum: AAVE/stkAAVE on-chain voting through GovernanceCore, payload registration and timelocked execution via PayloadsController, and immutable Executor contracts (Level 1 short / Level 2 long). On-chain verification confirms no core contract owner() resolves to an EOA. Ethereum PoolAddressesProvider owner and ACL admin both equal Executor Lvl 1 (0x5300…192A), which executes only through PayloadsController after vote passage and queue delay. Governance Guardian is a verified 5/9 Gnosis Safe (0xCe52…6710) with payload-cancellation and cross-chain emergency roles. L2 markets use per-chain Executor/PayloadsController pairs (not EOAs) fed by CrossChainForwarders; additional cross-chain delivery latency applies.
Findings (7)
PayloadsController.guardian() resolves to Governance Guardian 0xCe52ab41C40575B072A18C9700091Ccbe4A06710 — verified 5/9 Gnosis Safe (9 owners, threshold 5). GranularGuardian (0x4457…51d4) grants SOLVE_EMERGENCY_ROLE to this Safe and RETRY_ROLE to 0xb812…A9CF; DEFAULT_ADMIN_ROLE held by Executor Lvl 1. CrossChainController (0xEd42…b0e1) owner=Executor Lvl 1, guardian=GranularGuardian. Guardians can cancel malicious/erroneous proposals and intervene in cross-chain delivery failures — appropriate for safety but introduces trusted-actor veto risk.
L2 deployments do not share Ethereum's Executor address; each chain has its own ACL admin / PayloadsController executor pair governed via CrossChainForwarders from Ethereum. Verified: Arbitrum ACL admin 0xFF11…6327 owner 0x8964…637C (circular with PayloadsController); Optimism ACL 0x746c…09bf; Base ACL 0x9390…257a — all contract-owned, not EOAs. Cross-chain payload delivery introduces additional delay and dependency on bridge/CrossChainController infrastructure beyond Ethereum vote + timelock.
PoolAddressesProvider (proxy admin for the Pool, PoolConfigurator, and ACLManager implementations) is onlyOwner-controlled; its owner is Executor Lvl 1. Executor.executeTransaction() is onlyOwner and its owner is PayloadsController, so an implementation upgrade requires a passed governance proposal, the PayloadsController queue delay, and then permissionless execution. GovernanceCore and PayloadsController are transparent upgradeable proxies; per the migration docs, following the upgrade authority recursively for proxy-admin migrations resolves to the strictest path, the Level 2 executor.
Documentation claims Aave DAO governance; on-chain owner() checks confirm contract-based control. Ethereum: PoolAddressesProvider.owner() → Executor Lvl 1; Executor Lvl 1.owner() → PayloadsController; PayloadsController.owner() → Executor Lvl 1 (designed circular custody). GovernanceCore.owner() → Executor Lvl 1. getACLAdmin() → Executor Lvl 1. No bare EOA owns core upgrade or ACL paths.
Aave uses PayloadsController queue delays (not OpenZeppelin TimelockController). On-chain GovernanceCore.getVotingConfig: Level 1 — 86,400s cooldown, 259,200s (3d) voting; Level 2 — 86,400s cooldown, 864,000s (10d) voting. Documented executor execution delays: Level 1 ~86,400s (1 day), Level 2 ~604,800s (7 days), plus ~2 days cross-chain delivery for L2 payloads. Payload execution is permissionless after timelock expiry.
ACLManager DEFAULT_ADMIN_ROLE is held by the chain's ACL admin address from PoolAddressesProvider. On Ethereum ACL admin equals Executor Lvl 1, which grants/revokes POOL_ADMIN, EMERGENCY_ADMIN, RISK_ADMIN, ASSET_LISTING_ADMIN roles. Each L2 uses a distinct executor contract as ACL admin rather than the Ethereum address, but all are governance-controlled executor contracts — not standalone deployer EOAs.
Aave Risk Council at 0x8513e6F37dBc52De87b166980Fa3F50639694B60 is a verified 3/4 Gnosis Safe. PermissionedPayloadsController allows this council to register low-risk parameter payloads via a dedicated executor with limited permissions — a secondary governance lane alongside full DAO votes.
Governance Checklist
Ethereum Ownership Chain (Verified On-Chain)
| Contract | Address | Owner / Controller |
|---|---|---|
| PoolAddressesProvider | 0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e | Executor Lvl 1 (0x5300…192A) |
| ACL Admin | via getACLAdmin() | Executor Lvl 1 (0x5300…192A) |
| PayloadsController | 0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5 | Executor Lvl 1 (0x5300…192A) |
| Executor Lvl 1 | 0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A | PayloadsController (0xdAbad…Ec5) |
| Executor Lvl 2 | 0x17Dd33Ed0e3dD2a80E37489B8A63063161BE6957 | PayloadsController (0xdAbad…Ec5) |
| GovernanceCore | 0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7 | Executor Lvl 1 (0x5300…192A) |
| CrossChainController | 0xEd42a7D8559a463722Ca4beD50E0Cc05a386b0e1 | Owner: Executor Lvl 1; Guardian: GranularGuardian |
| Governance Guardian | 0xCe52ab41C40575B072A18C9700091Ccbe4A06710 | 5/9 Gnosis Safe |
| GranularGuardian | 0x4457cA11E90f416Cc1D3a8E1cA41C0cdEcC251d4 | AccessControl; admin=Executor Lvl 1 |
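The ownership chain in the table above can be re-checked mechanically: follow owner() hop by hop and classify how the chain ends. The script below is an added example, not Aave's own tooling; the addresses are copied from the table, and the owner_of/has_code lookups are constructed mock data standing in for eth_call(owner()) and eth_getCode, which a live check would substitute.

```python
"""Walk an owner() chain and classify how it terminates (added example)."""
from typing import Callable, Dict, List, Optional

PAP = "0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e"    # PoolAddressesProvider
PC = "0xdAbad81aF85554E9ae636395611C58F7eC1aAEc5"     # PayloadsController
EXEC1 = "0x5300A1a15135EA4dc7aD5a167152C01EFc9b192A"  # Executor Lvl 1
GOV = "0x9AEE0B04504CeF83A65AC3f0e838D0593BCb2BC7"    # GovernanceCore

# Constructed stand-ins mirroring the verified chain; a real run would
# replace these with RPC calls (eth_call owner(), eth_getCode).
MOCK_OWNERS: Dict[str, str] = {
    PAP.lower(): EXEC1, EXEC1.lower(): PC, PC.lower(): EXEC1, GOV.lower(): EXEC1,
}
MOCK_CODE = {a.lower() for a in (PAP, PC, EXEC1, GOV)}  # addresses with bytecode


def mock_owner_of(addr: str) -> Optional[str]:
    return MOCK_OWNERS.get(addr.lower())


def mock_has_code(addr: str) -> bool:
    return addr.lower() in MOCK_CODE


def walk_owner_chain(start: str,
                     owner_of: Callable[[str], Optional[str]] = mock_owner_of,
                     has_code: Callable[[str], bool] = mock_has_code,
                     max_hops: int = 16) -> dict:
    """Follow owner() from `start` and report the visited path plus how it ends:
    'eoa'      a key rather than a contract sits at the top (the finding to flag)
    'cycle'    contract custody loops back on itself (the designed Ethereum case)
    'no_owner' a contract exposing no owner (renounced or non-Ownable)
    'too_deep' max_hops exceeded."""
    path: List[str] = []
    seen: Dict[str, int] = {}
    current = start
    for _ in range(max_hops):
        key = current.lower()
        if key in seen:
            return {"path": path, "terminal": "cycle", "cycle": path[seen[key]:]}
        seen[key] = len(path)
        path.append(current)
        if not has_code(current):
            return {"path": path, "terminal": "eoa", "eoa": current}
        nxt = owner_of(current)
        if nxt is None:
            return {"path": path, "terminal": "no_owner"}
        current = nxt
    return {"path": path, "terminal": "too_deep"}
```

Run against a live node with the same lookups swapped for RPC calls, the check should return 'cycle' over Executor Lvl 1 and PayloadsController for every Ethereum entry above; any 'eoa' result is the condition the governance findings say does not exist.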