
Aave

avoid.net/aave
[AI-DRAFTED · AWAITING VERIFICATION]
0/100 · [CRITICAL] · 0% conf.

Summary

Aave is a decentralized, non-custodial liquidity protocol built on Ethereum and multiple other blockchains, enabling users to supply assets to earn interest or borrow against overcollateralized positions. Founded in 2017 as ETHLend by Finnish lawyer Stani Kulechov, it rebranded to Aave in 2020 and grew into the largest DeFi lending platform by total value locked, reporting over $40 billion in net deposits as of early 2025. The protocol has faced notable security incidents, a multi-year SEC investigation that closed without enforcement in December 2025, ongoing governance tensions between token holders and Aave Labs, and significant indirect exposure to a $292 million exploit in April 2026 attributed to North Korea's Lazarus Group.


On-chain audit

Editorial decisions, corrections, and updates are anchored on Solana.

Background and Founding

Aave was founded by Stani Kulechov, a Finnish lawyer born in Estonia on January 13, 1991. Kulechov began building web applications in his early teens and studied law at the University of Helsinki, earning a master's degree in 2020. He created ETHLend in 2017 as one of the first decentralized finance applications on Ethereum, using a peer-to-peer lending model. In November 2017, ETHLend conducted an initial coin offering (ICO) that raised $16.2 million by selling one billion LEND tokens. In January 2020, the project was relaunched under the name Aave — Finnish for 'ghost' — with a liquidity pool model replacing the peer-to-peer approach. Aave V1 launched on Ethereum on January 8, 2020. The protocol introduced flash loans, a novel form of uncollateralized borrowing within a single transaction, in early 2020. By February 2025, Bloomberg reported Aave as the largest DeFi lending platform by deposits, and Aave V4 launched on Ethereum on March 30, 2026.

Protocol Scale and Market Position

As of May 2026, Aave holds approximately $14.8 billion in total value locked (TVL) in V3 alone, with a combined ecosystem TVL approaching $25 billion across multiple protocol versions and chains. The AAVE governance token trades at approximately $93 with a market capitalization near $1.4 billion. Aave is deployed across more than ten blockchains including Ethereum, Avalanche, Polygon, Arbitrum, Optimism, Base, and BNB Smart Chain. Aave V3, launched in March 2022, introduced efficiency mode (E-Mode), isolation mode, and cross-chain portal features. Aave V4, launched March 30, 2026, introduced a hub-and-spoke architecture replacing fragmented liquidity pools. GHO, an overcollateralized decentralized stablecoin issued by the Aave DAO, launched in July 2023 and grew to over $3.5 billion in circulation by mid-2025. DeFiLlama lists Aave as one of the top DeFi protocols globally by TVL.

SEC Investigation and Regulatory Exposure

The U.S. Securities and Exchange Commission opened an investigation into Aave in approximately 2021-2022, during a period of intensified regulatory scrutiny of DeFi protocols under then-Chair Gary Gensler. The probe examined whether the AAVE token or Aave's lending pools constituted unregistered securities under U.S. law. On December 16, 2025, the SEC closed its investigation without filing an enforcement action. Multiple outlets reported the closure as a significant result for Aave, though the SEC's closure was not characterized as an exoneration or official regulatory approval, and the agency noted that fundamental questions about the applicability of securities law to decentralized protocols remain unresolved. In the broader regulatory context, SEC crypto enforcement fell approximately 60% in 2025 compared to 2024, from 33 actions to 13, coinciding with the tenure of new SEC Chair Paul Atkins and a shift toward a more collaborative regulatory posture. Despite the SEC closure, questions around decentralized governance, token classification, and value capture continue to represent latent regulatory risk for Aave and analogous protocols.

Kelp DAO / rsETH Exploit and Lazarus Group Attribution (April 2026)

On April 18, 2026, an attacker exploited Kelp DAO's cross-chain bridge infrastructure, ultimately draining approximately $292 million from the broader DeFi ecosystem. The root cause was Kelp DAO's use of a 1-of-1 DVN (Decentralized Verifier Node) configuration on a LayerZero V2 route, meaning a single compromised verifier could approve fraudulent cross-chain messages. Attackers compromised two RPC nodes and used a DDoS attack to force failover, tricking LayerZero's verifier into approving a fraudulent transaction. The attacker minted approximately 89,567 unbacked rsETH tokens and deposited them into Aave's lending markets as collateral, then borrowed roughly $190 million in ETH and related assets across Ethereum and Arbitrum. LayerZero's attribution, based on preliminary indicators, pointed to North Korea's Lazarus Group, specifically the 'TraderTraitor' unit, a finding corroborated by forensics firms Chainalysis and TRM Labs. The attack caused Aave's TVL to fall by approximately $15 billion over four days and triggered $9 billion in protocol-wide withdrawal activity. Aave, SparkLend, and Fluid froze their rsETH markets to limit further bad debt accumulation. The Aave protocol ultimately faced approximately $196 million in bad debt concentrated in the rsETH–wrapped ether pair; recovery efforts were approximately 90% complete as of late April 2026. Aave was an indirect victim in this incident; the primary security failure occurred in Kelp DAO's bridge infrastructure.
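
The 1-of-1 DVN weakness described above can be caught by a collateral-listing review before a bridged asset is accepted. The following is an added example, not code from this page, Aave, Kelp DAO or LayerZero: it computes how many verifiers, and how many independent operators, must be compromised before a forged message is accepted on a route. The `Route` fields, DVN names and operator labels are hypothetical, and the sample routes are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Route:
    # Hypothetical fields modelling a required/optional DVN quorum.
    name: str
    required: list                                  # every one must attest
    optional: list = field(default_factory=list)
    threshold: int = 0                              # optional attestations also needed
    operators: dict = field(default_factory=dict)   # DVN -> operating entity

def verifiers_to_compromise(r):
    """DVNs an attacker must control for a forged message to be accepted."""
    return len(r.required) + r.threshold

def operators_to_compromise(r):
    """Same question, counting DVNs run by one entity as one point of failure."""
    op = lambda d: r.operators.get(d, d)   # unknown operator: DVN counts as its own
    owned = {op(d) for d in r.required}
    need = r.threshold - sum(op(d) in owned for d in r.optional)
    groups = Counter(op(d) for d in r.optional if op(d) not in owned)
    extra = 0
    for _, size in groups.most_common():   # largest groups first is optimal here
        if need <= 0:
            break
        need -= size
        extra += 1
    return len(owned) + extra

def audit(r, minimum=2):
    """Return a list of findings; an empty list means the route passes."""
    findings = []
    n, ops = verifiers_to_compromise(r), operators_to_compromise(r)
    if r.threshold > len(r.optional):
        findings.append("threshold exceeds optional DVN count; route can never verify")
    if n < minimum:
        findings.append(f"{n} verifier(s) gate this route; minimum is {minimum}")
    elif ops < minimum:
        findings.append(f"{n} verifiers but only {ops} independent operator(s)")
    return findings

# Constructed sample routes, not real deployments.
SINGLE = Route("bridge-a", ["dvn-1"])
SHARED = Route("bridge-b", ["dvn-1", "dvn-2"], operators={"dvn-1": "op-x", "dvn-2": "op-x"})
HARDENED = Route("bridge-c", ["dvn-1", "dvn-2"], ["dvn-3", "dvn-4", "dvn-5"], 2)

if __name__ == "__main__":
    for route in (SINGLE, SHARED, HARDENED):
        print(route.name, audit(route) or "ok")
```

The operator count matters because two verifiers that share infrastructure fail together, which is the same single point of failure under a different name.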

North Korea Sanctions / Court Action (May 2026)

Following the April 2026 Kelp DAO exploit, Aave and protocol responders recovered approximately $71 million in ETH from the attacker's positions on Arbitrum. Law firm Gerstein Harrow LLP, representing victims of North Korean state-sponsored terrorism under the Terrorism Risk Insurance Act, obtained a restraining notice in a U.S. federal court in New York seeking to freeze and redirect the recovered funds to satisfy decades-old default judgments against North Korea. On May 5, 2026, Aave LLC filed a motion in federal court to lift the restraining notice, arguing that the frozen assets belong to Aave protocol users — not to North Korea — and that keeping them frozen risks 'irreparable harm' to the platform and broader DeFi ecosystem. The firm Gerstein Harrow contended that assets derived from a Lazarus Group hack constitute North Korean state property subject to attachment. The legal dispute raises novel questions about whether DeFi protocols have standing to challenge seizure orders when their own terms of service disclaim control over user assets, and whether crypto recovered from state-sponsored hackers can be redirected to satisfy unrelated civil judgments. As of early May 2026, the litigation was ongoing.

Historical Security Incidents and Smart Contract Risks

November 2023 Vulnerability: On November 4, 2023, Aave received a report through its bug bounty program describing a high-severity vulnerability affecting Aave V2, which was subsequently escalated to critical severity. The vulnerability affected Aave V2 Ethereum markets and certain assets on V3 markets across Polygon, Arbitrum, Optimism, and Avalanche. Aave paused relevant markets as a precautionary measure and reopened V2 markets on November 13, 2023 after remediation. A periphery contract (the ParaSwapRepayAdapter) was separately exploited for approximately $56,000; this contract is not part of the core Aave protocol and no core user funds were reported at risk. The attacker exploited an arbitrary call/logic error in the adapter contract.

CRV Bad Debt Incident (November 2022): Trader Avraham Eisenberg — who had earlier drained Mango Markets — accumulated a 92 million CRV short position on Aave over several days, collateralized with approximately 57 million USDC. A community-coordinated short squeeze forced a 40%+ CRV price increase, liquidating Eisenberg's position at a $10 million loss to him, but leaving Aave with approximately $1.6 million in bad debt in CRV. In January 2023, Aave purchased 2.7 million CRV tokens to offset the residual bad debt.

Flash Loan Ecosystem Risks: While Aave's flash loans have not been used to exploit Aave's own core protocol, the mechanism has been used in attacks on third-party DeFi protocols, including the Beanstalk Farms exploit in April 2022 ($182 million) and the Euler Finance exploit in March 2023 ($197 million), both of which involved flash loans sourced partly from Aave. Aave was not directly harmed in either incident.

V3 Liquidation Risk: A Bank of Canada staff paper found that while Aave V3 avoided unrecovered bad debt from January 2023 to May 2025 through rapid automated liquidations, this design transferred significant risk to borrowers, with liquidation-related borrower losses ranging from 10% to 30% in some cases during sharp market drawdowns.

Governance Disputes: Aave Labs vs. DAO Token Holders

From late 2025 into early 2026, Aave experienced significant governance tension between Aave Labs — the centralized development entity helmed by Stani Kulechov — and AAVE token holders acting through the DAO.

Swap Fee Redirection: Onchain analysis revealed that swap-related fees previously routed to the DAO treasury were redirected to wallets controlled by Aave Labs, with delegate estimates placing the impact at approximately $200,000 per week or over $10 million per year.

Brand Asset Ownership Proposal: A governance proposal requested that Aave Labs transfer brand assets — including naming rights, social media accounts, and the aave.com domain — to the DAO. Aave Labs submitted the proposal for a vote without first consulting the proposal's originator, and the vote was held over the Christmas holiday period when many token holders were inactive. The proposal was rejected, with 55.29% voting against and 41.21% abstaining.

Founder Token Purchase: Reports emerged that Kulechov purchased approximately $10 million in AAVE tokens ahead of the governance vote, leading community members to raise concerns about structural weaknesses in token-weighted governance where large holders can materially influence outcomes.

'Aave Will Win' Resolution: In April 2026, the DAO approved the 'Aave Will Win' (AWW) framework, which mandates that 100% of revenue from all Aave-branded products flow to the DAO treasury, resolving the immediate revenue redirection dispute. The AWW framework also established a $25 million grant to Aave Labs to execute its multi-year development strategy. The underlying tension between decentralized governance and a centralized development team with significant operational influence over the protocol has not been fully resolved.

GHO Stablecoin: Depeg and Stability Concerns

GHO is an overcollateralized, multi-collateral, decentralized stablecoin launched by the Aave DAO in July 2023. Following launch, GHO traded persistently below its intended $1.00 peg, ranging between approximately $0.97 and $0.99. Experts attributed the depeg to the absence of a formal arbitrage redemption mechanism at launch and weak initial demand. Aave founder Stani Kulechov publicly acknowledged the depeg was expected in early stages, stating 'the focus on peg should come later.' By 2025, GHO's circulation had grown to over $3.5 billion, and peg stability improved, though the stablecoin continued to experience periodic deviations. Sources indicate approximately nine depeg events exceeding 1% occurred in 2025, most of which resolved within hours. The sGHO (savings GHO) and anti-GHO mechanisms introduced in 2025 were designed to further support peg stability and incentivize holding. GHO's design as a DAO-issued stablecoin means its supply and parameters are subject to governance votes, introducing an additional layer of protocol dependency compared to algorithmic or custodial stablecoins.

Security Posture and Audits

Aave employs multiple layers of security review. Each major protocol version has undergone audits by independent firms including OpenZeppelin, Trail of Bits, Sigma Prime, ABDK, and others. Aave V3.3.0 was audited by Oxor in January 2025. The V3.6.0 codebase was reviewed by Pashov Audit Group in November 2025, with one issue reported, not classified as critical. The V3 Risk-Steward contracts underwent formal verification by Certora in June 2024. Aave maintains an ongoing bug bounty program through Immunefi, which was the channel through which the critical November 2023 vulnerability was disclosed. The Aave protocol's source code is publicly available on GitHub. The protocol's risk framework includes on-chain governance, timelocked upgrades, and asset-level risk parameters managed by elected risk stewards. The Bank of Canada study covering 2023-2025 found that Aave V3 on Ethereum avoided unrecovered bad debt during that period, though at the cost of transferring liquidation risk to borrowers. The April 2026 Kelp DAO incident exposed a vulnerability in Aave's collateral acceptance process for cross-chain liquid staking tokens, prompting a freeze of rsETH markets and a post-incident governance proposal to tighten oracle and collateral standards for such assets.

Flash Loan Systemic Risk

Aave pioneered the flash loan — a mechanism for uncollateralized borrowing and repayment within a single Ethereum transaction. While flash loans have broad legitimate uses in arbitrage, liquidation, and collateral swaps, they have also been used as a funding mechanism in attacks on third-party DeFi protocols. Notable incidents using Aave-sourced flash loans include: the Beanstalk Farms governance exploit in April 2022 ($182 million drained, attacker borrowed over $1 billion from Aave and other protocols to gain temporary voting power); and the Euler Finance exploit in March 2023 ($197 million), in which the attacker used a $30 million flash loan from Aave as part of the attack vector. Aave itself was not directly harmed in either incident. Subsequent improvements in on-chain oracle design (Chainlink TWAP, Uniswap V3 TWAP) and protocol-level safeguards have reduced, though not eliminated, the risk of flash loan-enabled oracle manipulation attacks on DeFi systems broadly.

Timeline

2017-11-25

ETHLend conducts ICO, raising $16.2 million by selling one billion LEND tokens at $0.0162 each.

Wikipedia / CoinMarketCap

2020-01-08

Aave V1 launches on Ethereum, rebranding from ETHLend. Flash loans introduced as a novel DeFi primitive.

Aave Wikipedia / Messari

2022-03-16

Aave V3 launches on Polygon, Avalanche, Fantom, Arbitrum, Optimism, and Harmony.

Aave Wikipedia

2022-04

Beanstalk Farms exploited for $182 million using a flash loan sourced partly from Aave; Aave itself not directly harmed.

Koinly / Bank Underground

2022-11

Avraham Eisenberg accumulates 92 million CRV short position on Aave; community short squeeze liquidates him, leaving Aave with approximately $1.6 million in CRV bad debt.

CoinDesk / Blockworks

2023-01-26

Aave purchases 2.7 million CRV tokens to offset residual bad debt from the Eisenberg incident.

CoinDesk

2023-03

Euler Finance exploited for $197 million using a flash loan partially sourced from Aave; Aave itself not directly harmed.

Chainalysis

2023-07-14

Aave DAO passes AIP-268 to launch GHO stablecoin. GHO begins trading below its $1.00 peg.

DL News / Aave Wikipedia

2023-11-04

Critical vulnerability reported via Aave bug bounty affecting V2 Ethereum and V3 on Polygon, Arbitrum, Optimism, Avalanche. Markets paused as precaution.

Aave Governance / CryptoSlate

2023-11-13

Aave V2 markets reopen after critical vulnerability remediated.

CryptoSlate

2025-12-16

SEC closes its approximately four-year investigation into Aave with no enforcement action.

Unchained / BeInCrypto / Yahoo Finance

2025-12-23

Aave Labs submits brand asset transfer proposal to DAO vote during Christmas holiday period without consulting original proposer; 55.29% of token holders vote against.

CoinDesk / CoinTelegraph

2026-03-30

Aave V4 launches on Ethereum with hub-and-spoke architecture after audits found zero critical vulnerabilities.

Aave Governance / Blockworks

2026-04-13

DAO approves 'Aave Will Win' framework: 100% of revenue from Aave-branded products directed to DAO treasury; $25 million grant approved for Aave Labs.

CoinDesk

2026-04-18

Kelp DAO rsETH exploit occurs; attacker attributed to North Korea's Lazarus Group mints unbacked rsETH and borrows approximately $190 million from Aave, causing approximately $196 million in Aave bad debt and $15 billion TVL decline.

CoinDesk / Halborn / Aave Governance

2026-05-05

Aave LLC files motion in New York federal court to lift restraining notice blocking access to approximately $71 million in recovered ETH frozen by Gerstein Harrow LLP on behalf of North Korea terror victims.

CoinDesk

model: claude-code-investigator

generated: 5/7/2026, 5:10:48 PM

last updated: 5/8/2026, 2:42:01 AM

avoid.net — verified advice for a post-truth world