Aave cooperates with forks following vulnerability

When Aave found a vulnerability in its code, multiple projects inherited the security flaw

article-image

Akif CUBUK/Shutterstock modified by Blockworks

share

DeFi lending protocol Aave is a popular candidate for “forking,” whereby developers take open-source code and launch a spinoff. 

But when its bug bounty program unearthed a potential vulnerability in Aave’s code, the exploit route wasn’t made public. 

Aave’s council of community guardians froze certain assets and markets on Aave after learning of the bug on Nov. 4. 

Over the following week, Aave DAO’s service provider bgdlabs made proposals to disable stable rate borrowing and end the minting of stable debt where borrowers would pay fixed rates in the short term that could be rebalanced later.

Aave lending markets returned to normal on Nov. 13 after the proposals were executed. But what about the forks that inherited Aave’s apparently exploitable code?

Bgdlabs wrote in a forum post that it had reached out to every Aave fork to offer advice on protection measures after the vulnerability came to light. At least three dozen projects have launched as spinoffs of Aave V2 or V3’s public code, per DeFiLlama.

“This is something that you see in computer security a lot,” said Luke Youngblood, founding contributor at the Moonwell lending protocol. “Say Apple or Google needs to tell smartphone manufacturers or other vendors in the space about a vulnerability that impacts their software or their solutions. They have to do this in a confidential way so that they don’t alert the hackers to where the hole is before it can be patched.”

The two largest Aave forks by total value locked (TVL), Spark and Radiant, both worked with Aave to double-check code for vulnerabilities, Marc Zeller, the founder of delegate platform Aave Chan Initiative, told Blockworks. 

Of the other forks, several posted on X that the platforms weren’t at risk — including Moola, which paused twice and removed its stable borrow function as Aave dealt with the vulnerability.

Bgdlabs said on Aave’s forum that it was helping Aave forks patch their code in keeping with DeFi’s communitarian ethos. 

“Even if we don’t have any responsibility to them (we are not providing services), we think the Aave community should show good values, as leaders in the space,” bgdlabs said of the forks.

Shira Brezis, co-founder of the DeFi risk and security firm Redefine, said Aave’s cooperation is par for the course in DeFi, noting that she’s in a group chat with some of her own company’s competitors. 

And perhaps the goodwill trends both ways — last week, Maker, of which Spark is a subDAO, passed a proposal to share some of Spark’s revenue with Aave. 

Aave also stands to gain from not seeing forks succumb to exploits.

“When users lose funds, it’s a bad outcome for everyone in the DeFi space. It makes people think crypto is insecure and makes them think it’s a hotbed for hackers,” Youngblood said.

In a Telegram message, bgdlabs’ co-founder Ernesto Boado said an eventual public disclosure of Aave’s code weakness “depends on different factors” and that their team “tried our best to notify forks” about the vulnerability.


Get the news in your inbox. Explore Blockworks newsletters:

Tags

Decoding crypto and the markets. Daily, with Byron Gilliam.

Upcoming Events

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

Industry City | Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

Brooklyn, NY

SUN - MON, JUN. 22 - 23, 2025

🚀 Build What’s Next — Permissionless IV Hackathon Join us June 22–23 in Brooklyn for the Permissionless IV Hackathon — a 36-hour sprint hosted by Cracked Labs and Blockworks where top builders turn ideas into real products. Come to launch, not just […]

recent research

Research Report Templates (10).png

Research

Kamino has evolved into a full-stack asset scaling suite with V2: unlocking new markets, improving capital efficiency, and catering to various risk profiles. We believe it is best positioned to become the credit backbone of Solana as the ecosystem matures. Simply put, KMNO remains our highest-conviction bet in the Solana ecosystem. This report lays out our thesis.

article-image

Bybit’s Byreal, Binance Alpha and Coinbase’s DEX integrations

article-image

This isn’t the worst hack to ever hit Mt. Gox, but it could be the most entertaining

article-image

Crossover’s CEO discusses institutional interest and how over-the-counter (OTC) trading has picked up in crypto

article-image

Sponsored

This collaboration signifies a major leap forward in expanding the reach and utility of Web3 gaming within the vibrant Asian market

article-image

Asymmetric information is threatening crypto the same way it once threatened equities. Disclosure might be the fix.

article-image

Rate cuts drift into Q4 limbo as markets pretend everything’s fine