Aave is a decentralized non-custodial liquidity protocol where users can participate as depositors or borrowers. Depositors provide liquidity to the market to earn a passive income, while borrowers are able to borrow in an overcollateralized (perpetually) or undercollateralized (one-block liquidity) fashion.

Risk Rating

Assessment: 2024-2-16
  • Assessor
    Kop, Supergu
  • Assessment Date
    2024-2-16
  • Underwriting review
    Not yet undergone

AAVE is a prominent lending protocol with the largest Total Value Locked (TVL) in the DeFi lending category, showcasing strong technical capability and economic design. The founder and core team possess the relevant experience to drive the protocol forward. However, we have some concerns about potential risks including the governance risk stemming from a fairly high token ownership concentration, and the economic risks caused by an absence of both a fallback oracle and a price check mechanism to handle abnormal price feeds from the sole oracle.


  • Features a state-of-the-art lending protocol collateralization mechanism design.
  • Accepts only highly liquid assets as collateral.
  • There is no fallback oracle, though we recognize the difficulty of finding a reliable fallback oracle other than Chainlink.
  • No price check mechanism is present to handle abnormal price feeds from the sole oracle.


  • AAVE's Gitbook shows a comprehensive understanding of the protocol's risk exposure along with effective mitigation methods.
  • The protocol has relatively lower legal and regulatory risk compared to other protocols. The founder's legal background and knowledge is a plus.
  • Fairly high token holding concentration, with the top 100 wallets holding over 80% of the total token supply. Source: Certik Skynet
  • AAVE suffered 1.6 million in bad debt due to a failed attack. Source: Coin Edition


  • Has undergone multiple audits as well as formal verification by Certora. The audits were performed by top-tier firms such as OpenZeppelin and Trail of Bits.
  • Clear admin and access control documentation, with well-designed timelock and pause controls.
  • The auto-scan results indicate insufficient Web2 security, potentially leading to Web2 vulnerabilities such as DNS hijacking.