Aave cooperates with forks following vulnerability

When Aave found a vulnerability in its code, multiple projects inherited the security flaw


Akif CUBUK/Shutterstock modified by Blockworks


DeFi lending protocol Aave is a popular candidate for “forking,” whereby developers take open-source code and launch a spinoff. 

But when its bug bounty program unearthed a potential vulnerability in Aave’s code, the exploit route wasn’t made public. 

Aave’s council of community guardians froze certain assets and markets on Aave after learning of the bug on Nov. 4. 

Over the following week, Aave DAO’s service provider bgdlabs made proposals to disable stable rate borrowing and end the minting of stable debt where borrowers would pay fixed rates in the short term that could be rebalanced later.

Aave lending markets returned to normal on Nov. 13 after the proposals were executed. But what about the forks that inherited Aave’s apparently exploitable code?

Bgdlabs wrote in a forum post that it had reached out to every Aave fork to offer advice on protection measures after the vulnerability came to light. At least three dozen projects have launched as spinoffs of Aave V2 or V3’s public code, per DeFiLlama.

“This is something that you see in computer security a lot,” said Luke Youngblood, founding contributor at the Moonwell lending protocol. “Say Apple or Google needs to tell smartphone manufacturers or other vendors in the space about a vulnerability that impacts their software or their solutions. They have to do this in a confidential way so that they don’t alert the hackers to where the hole is before it can be patched.”

The two largest Aave forks by total value locked (TVL), Spark and Radiant, both worked with Aave to double-check code for vulnerabilities, Marc Zeller, the founder of delegate platform Aave Chan Initiative, told Blockworks. 

Of the other forks, several posted on X that the platforms weren’t at risk — including Moola, which paused twice and removed its stable borrow function as Aave dealt with the vulnerability.

Bgdlabs said on Aave’s forum that it was helping Aave forks patch their code in keeping with DeFi’s communitarian ethos. 

“Even if we don’t have any responsibility to them (we are not providing services), we think the Aave community should show good values, as leaders in the space,” bgdlabs said of the forks.

Shira Brezis, co-founder of the DeFi risk and security firm Redefine, said Aave’s cooperation is par for the course in DeFi, noting that she’s in a group chat with some of her own company’s competitors. 

And perhaps the goodwill trends both ways — last week, Maker, of which Spark is a subDAO, passed a proposal to share some of Spark’s revenue with Aave. 

Aave also stands to gain from not seeing forks succumb to exploits.

“When users lose funds, it’s a bad outcome for everyone in the DeFi space. It makes people think crypto is insecure and makes them think it’s a hotbed for hackers,” Youngblood said.

In a Telegram message, bgdlabs’ co-founder Ernesto Boado said an eventual public disclosure of Aave’s code weakness “depends on different factors” and that their team “tried our best to notify forks” about the vulnerability.

Don’t miss the next big story – join our free daily newsletter.


Upcoming Events

Hilton Metropole | 225 Edgware Rd, London

MON - WED, MARCH 18 - 20, 2024

Crypto’s premier institutional conference returns to London in March 2024. The DAS: London Experience:  Attend expert-led panel discussions and fireside chats  Hear the latest developments regarding the crypto and digital asset regulatory environment directly from policymakers and experts   Grow your network […]

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research



Akash is a general-purpose compute platform with GPUs, storage, LLM training or inference, and validator hosting through its two-sided marketplace.


The SEC could allow half a dozen or more such funds to launch at once, Ark Invest CEO says


2023 saw a decline in a16z crypto funding, but the behemoth VC firm teased what it’s excited for next year


“Iran Unchained” launched a new version of its grant platform to make donations to activists easier


The stablecoin marks the first time a regulated European bank has made a euro-pegged stablecoin available on a crypto exchange


Build it and they will come, perhaps, but making crypto easier to use is turning out to be just as important


Amid moves by Itau Unibanco and Nubank, the country could serve as “a proof of concept” for TradFi-crypto integrations, industry research exec says