LlamaRisk submits this memorandum in fulfillment of its engagement as a Risk Service Provider to Aave DAO, under a mandate that includes independent legal risk analysis and assessment of legal-related matters. The objective is to enhance the DAO’s understanding of the factual record underlying asserted claims of “effectuated protocol ownership,” including how these claims intersect with intellectual property title, licensing, and control.
This analysis is limited to the funding of specific workstreams approved by Aave’s governance (DAO) and evidenced in the cited governance materials, the referenced GitHub repositories and commits, the Terms of Service published for aave.com, and the available AAVE trademark evidence. In the absence of signed terms between Aave DAO and Aave Labs (or related entities), the DAO’s practical position appears to rest on a composite of governance mandates, implied permissions arising from the publication of deliverables in DAO-hosted repositories, and de facto control over certain distribution channels, rather than on a complete, contractually documented chain of title.
Key Findings from Governance & Technical Records
Based on a review of public governance proposals, technical repositories, and available legal documentation, the following facts regarding the relationship between the DAO and Aave Labs are established:
- Proprietary Control of the Interface Codebase: The licensing status of the Aave Interface repository has shifted from open-source to proprietary. Specifically, commit 47430b8 modified the repository to replace the previous BSD-3-Clause license text with a one-line notice stating “All Rights Reserved © Aave Labs”, and updated the README to mirror this restriction. Nonetheless, the Aave App Terms of Service explicitly state that the “Services” and content remain the “exclusive property of the Company” (Aave Interfaces Ltd), granting users only a “limited, non-exclusive, non-transferable, revocable” license.
- Development & Deployment Authority: Aave Labs retains primary control over the development and deployment of the user-facing applications.
  - In the Aave Labs Development Update for August 2024, Aave Labs confirmed it “rebuilt the aave.com website from the ground up” and “initiated the development of a comprehensive rebuild of the app at app.aave.com.”
  - Earlier records, such as the Aave Companies: Aave Development Update (March 2023), note that development work included “front-end development and UI improvements.”
  - Specific feature implementations, such as those detailed in the [ARFC] Launch GHO on Avalanche, are dependent on Aave Labs “updating the Aave Interface to facilitate GHO bridging … and manage GHO interactions.”
- Ambiguity in Brand Asset Licensing: While the ARFC for the one-year Aave Labs service provider proposal mandated that visual identity assets be “delivered and packaged in a GitHub repository accessible to everyone and hosted within the Aave DAO Origin organization,” the resulting licensing status is unclear.
  - Aave Labs confirmed the delivery of these assets into the Aave Brand Kit repository, which is hosted under the aave-dao GitHub organization.
  - However, an inspection of the repository file tree reveals that no explicit LICENSE file is present.
  - The ARFC text itself noted that the visuals would be “subject to and governed by the license specified in the approved governance proposal… (to be included… at a later date),” thereby leaving the actual usage rights of the DAO undefined within the repository itself.
- Trademark Ownership: Public trademark evidence indicates that the “AAVE” wordmark is not held by the DAO, but is associated with Quantum Swan OÜ (an Estonian legal entity) as the recorded holder.
Analysis by Workstream
1. Frontend & Interface Development
Current Status: Proprietary Licensing & Permission Dependency
- Shift to Proprietary Licensing: On November 13th, 2023, the Aave Interface repository transitioned from a permissive BSD-3-Clause license to an “All Rights Reserved © Aave Labs” notice, indicating a shift to proprietary licensing. This change removes the standard open-source grants that previously permitted copying, modification, and redistribution of the software. Consequently, third parties who fork or redeploy the interface now face materially higher infringement risks, and ecosystem participants must treat the codebase as proprietary unless a new, clearly articulated license grant is provided.
- Operational & Permission Dependency: Governance materials identify interface updates as a requirement for executing DAO initiatives. However, because the codebase is now proprietary in nature, this creates a “continuing permission dependency” rather than a purely technical one. Without signed terms or a clear license, the DAO cannot confidently demonstrate its right to operate, modify, or designate alternative maintainers for the interface, relying instead on Aave Labs’ ongoing consent.
- Ambiguity of Deliverables: While development updates confirm that the aave.com and app rebuilds occurred, the available sources do not confirm that this work product was delivered into DAO-controlled repositories with licensing that permits broad reuse. There is currently no evidence in the record regarding the legal mechanics—such as ownership allocations or chain of title—that would allow the DAO to sublicense or enforce rights over the rebuilt code.
2. Brand Identity & Design Assets
Current Status: Operational Availability vs. Licensing Gaps
- Delivery Mechanism: The ARFC confirms that visual identity assets are delivered through a DAO-hosted GitHub repository. This delivery channel serves as a strong operational signal that the assets are intended to be accessible and usable within the Aave ecosystem.
- Lack of Explicit License: Repository placement alone does not constitute a complete legal license grant. The repository view available in the sources does not clearly expose a standalone LICENSE file.
- Usage Limitations: Consequently, the safer, conservative approach is for community users to treat the brand kit as usable only to the extent permitted by any embedded usage guidelines. If those guidelines are silent on scope, usage should be treated as limited to bona fide Aave-related purposes until an explicit license instrument is published.
3. Intellectual Property & Trademarks
Current Status: Third-Party Ownership & Authorization Dependencies
- Trademark Ownership: The evidence indicates that the AAVE trademark is held by Quantum Swan OÜ, not the DAO.
- Dependency on External Frameworks: Since the DAO is not the owner, its ability to authorize third-party usage depends materially on a documented trademark license and quality control framework provided by the trademark holder. Without such a framework, permissions and standards cannot be cleanly administered through DAO governance alone, rendering community usage legally fragile and enforcement inconsistent.
- Unconfirmed Rights: We have not been able to confirm from the provided sources whether a trademark license exists, the breadth of rights granted, whether sublicensing is permitted, or which actor is authorized to enforce brand standards on behalf of the mark owner.
Potential Issues
The central failure mode in this fact pattern is the misalignment between those who fund and mandate work, those who control publication and distribution, and those who hold enforceable intellectual property rights. In the sources, Aave Labs describes substantial front-end build and rebuild work across aave.com and app.aave.com, while also outlining a DAO-facing delivery mechanism for visual identity assets into a DAO-hosted repository. In parallel, the Aave Interface codebase now presents as explicitly closed-source by virtue of the amended “All Rights Reserved” notice, and the production app experience is governed by the Terms of Service of Aave Interfaces Ltd.
Practically, in the absence of assignment language, copyright in software code generally remains with the authors—here, Aave Labs and/or the individual contributors acting through Aave Labs’ employment and contractor relationships—and the DAO’s usable rights are driven primarily by the license grants and restrictions actually applied to the relevant repositories and deliverables. The community may treat licensing as a governance-controlled perimeter, and licensing is indeed a powerful lever. However, licensing is not proof of ownership unless the licensor is the rights holder or has itself received sufficient rights to grant, relicense, and enforce those permissions against third parties.
With respect to the visual identity, there is language in the Aave 2030 temp check stating that the proposed new Aave Visual Identity will be “irrevocably licensed to the Aave DAO,” with broad rights to reproduce, distribute, and display for Aave-related purposes, alongside restrictions directed at malicious use cases such as phishing or impersonation. At the same time, the service provider (SP) ARFC states that the visuals and new visual identity are “subject to and governed by the license specified in the approved governance proposal … to be included … at a later date,” meaning the precise license text is not embedded in the SP proposal itself. On the public record, it is therefore reasonable to infer that the DAO was intended to receive, at a minimum, an irrevocable license grant to use the brand kit and related identity assets. Nonetheless, the exact legal mechanics—namely, the identity of the licensor, the operative license instrument, scope limitations, sublicensing permissions, and enforcement rights—should be treated as incomplete unless and until they are crystallized in a separate executed license or assignment, or in an authoritative governance publication that reproduces the final license terms in full.
This combination produces considerable operational and legal risk. Contributors may assume they can reuse “official” UI code and brand assets because they are publicly available in repositories. At the same time, the underlying permission set may be narrower, inconsistent across surfaces, or subject to unilateral change. Third parties may fork or deploy interface code based on historic expectations, without appreciating that the repository’s current license statements and permissioning terms have materially changed. The DAO may lack standing and a coherent authority chain to enforce brand standards or pursue takedowns. Finally, if a key mark is held by a third party such as Quantum Swan OÜ, the DAO may not be in a position to grant reliable trademark permissions to ecosystem participants without a documented trademark license that includes the quality control features necessary for sustainable brand governance.
Disclaimer
This review was independently prepared by LlamaRisk, a DeFi risk service provider. LlamaRisk receives funding from the Aave DAO and is also compensated by Aave Labs Ltd. for the risk services it delivers to Aave Horizon.
The information provided should not be construed as legal, financial, tax, or professional advice.