Bug22880×1542 218 KB

Summary

Aave Labs proposes launching a dedicated Aave V4 bug bounty program on the Sherlock platform. The objective is to add an always-on security reporting channel for Aave V4, with a triage setup designed to reduce spam and route high-severity reports with high urgency.

Motivation

Aave V4 introduces new architecture and new surfaces. In addition to audits, formal verification, and other security review tracks, an ongoing bug bounty provides a complementary path for independent researchers to report issues during late-stage testing, launch, and post-launch.

Why Sherlock

Sherlock positions its bug bounty platform around three operational goals: (i) strong visibility to experienced researchers, (ii) low spam volumes, and (iii) actionable triage with clear routing.

Sherlock has previously supported security work with Aave contributors across Aave V3 and in early Aave V4 efforts, which builds shared context on reporting standards, triage expectations, and escalation paths. Sherlock notes that its broader platform combines audit competitions with a bug bounty program, and that the bounty platform is designed to keep response workflows lightweight for core contributors while still surfacing high-severity reports quickly.

Spam resistance and operational focus

A practical challenge for prominent programs is high volumes of low-quality submissions (including AI-generated reports), which can consume significant contributor time and degrade signal-to-noise. Sherlock’s model uses stake-gated submission rules for High/Critical reports while keeping Medium/Low submissions open to everyone, paired with a defined triage workflow and periodic summaries.

Specification

This ARFC proposes launching a dedicated Aave V4 bug bounty program on Sherlock as an always-on reporting channel for Aave V4. The program is scoped specifically to Aave V4 and covers the final list of in-scope repositories, contracts, and environments included in the launch configuration.

Sherlock would provide self-service program configuration across scope, severity criteria, payout amounts, and notification routing, with support for standard and custom integrations across Aave’s preferred operating channels.

Triage and Routing

The program would operate under the following submission and triage structure:

High and Critical submissions:

• Require a 250 USDC stake at submission

• Return the stake for valid reports alongside any bounty payout

• Forfeit the stake for invalid reports to offset triage costs

Medium and Low submissions:

• Remain open without a stake requirement

• Cannot later be upgraded into High or Critical payout tiers

Report handling:

• High and Critical reports follow an expedited routing path

• Sherlock notifies Aave’s designated responders through agreed communication channels

• Medium and Low reports move through Sherlock’s standard review flow

• Aave keeps visibility into submissions and outcomes through the Sherlock dashboard

Pricing and Payout

Sherlock would provide hosting, triage, and program administration without a fixed annual platform fee, and instead receive a 5% fee on bounty payouts.

Scope and Severity Criteria

These amounts can be increased as the protocol is hardened and more TVL is increased.

Scope

Hub

	- src/hub/Hub.sol

	- src/hub/HubConfigurator.sol

	- src/hub/AssetInterestRateStrategy.sol

	- (all base contracts they inherit from and libraries used)

Spoke

	- src/spoke/AaveOracle.sol

	- src/spoke/instances/SpokeInstance.sol

	- src/spoke/instances/TokenizationSpokeInstance.sol

	- src/spoke/instances/TreasurySpokeInstance.sol

	- src/spoke/SpokeConfigurator.sol

	- (all base contracts they inherit from and libraries used)

Periphery

	- src/position-manager/NativeTokenGateway.sol

	- src/position-manager/SignatureGateway.sol

	- src/position-manager/ConfigPositionManager.sol

	- src/position-manager/GiverPositionManager.sol

	- src/position-manager/TakerPositionManager.sol

	- (all base contracts they inherit from and libraries used)

	- src/access/AccessManagerEnumerable.sol

Use/integration of external dependencies (excluding their internal code)

Next Steps

1. If consensus is reached on this ARFC, the proposal can proceed to Snapshot with the finalized commercial structure, scope, and payout framework.

2. If Snapshot passes, an AIP can then be submitted to approve the Sherlock engagement and authorize implementation of the Aave V4 bug bounty program.

Disclaimer

This ARFC is posted by Aave Labs in its capacity as a contributor proposing an approach for Aave V4 security operations. Decisions and approvals belong to the DAO via the standard governance process.

Sherlock is a third-party service provider. Final commercial terms and execution details would be presented in an ARFC and, if progressed, implemented via an AIP.

Copyright

Copyright and related rights waived via CC0.

Summary

LlamaRisk supports the launch of a dedicated Aave V4 bug bounty on Sherlock. This dedicated program would support ongoing external risk management for the Aave upgrade, consistent with our previous analysis of bug bounties. We believe this program provides a strong basis for initial V4 coverage, and we are encouraged by the intended progressive approach, with incentives increasing as the protocol matures and TVL grows.

Program Analysis

The proposed bounty’s exclusive focus on V4 highlights the need to continuously monitor its architectural security, given its novelty and departure from prior versions. This program distinguishes itself from Aave’s existing Immunefi bug bounty, which primarily covers V2 and V3 smart contracts.

In our Bug Bounty Landscape analysis, we identified two key criteria for an effective bug bounty program that protocols should implement to secure and incentivize active risk management. These criteria include:

1. Comprehensive Scope of Coverage
2. Adequacy of Financial Incentives

The comprehensiveness of a bug bounty program reflects the extent to which it covers all vectors that could expose the protocol to risk. This proposed bounty sufficiently covers the key areas related to V4 and all base contracts and inheritances. The maximum bounty as specified in the ARFC is currently set to $500K for critical severity issues. To assess the adequacy of this financial incentive, we compare the maximum bounty payout to the value it secures. Given that TVL is yet to be determined, the $500K maximum bounty exceeds the minimum $50K threshold we recommended in our bug bounty article. Payouts will increase progressively as TVL grows, in line with best practices we believe all programs should follow.

The 250 USDC stake requirement for High and Critical submissions is a practical mechanism to filter low-quality reports and preserve triage bandwidth for actionable findings. Combined with the 5% fee on payouts and the absence of a fixed annual platform fee, the program’s cost structure aligns Sherlock’s incentives with actual program activity, making it cost-efficient for the Protocol.

Recommendations

While the program covers the core areas of V4, in relation to Aave overall, neither the immunefi program nor the proposed Sherlock program provides coverage for non-smart contract points of risk, i.e., the explicit inclusion of other critical areas such as web applications, domains, and APIs. To strengthen the overall security posture, we would recommend including coverage for such assets that interface with V4.

The initial coverage and severity scales provide an adequate starting point for the program. As V4 matures, the financial incentives offered should remain commensurate with the TVL secured and Aave’s standing as a leading DeFi protocol.

Disclaimer

This review was independently prepared by LlamaRisk, a DeFi risk service provider funded in part by the Aave DAO. LlamaRisk is not directly affiliated with the protocol(s) reviewed in this assessment and did not receive any compensation from the protocol(s) or their affiliated entities for this work.

The information provided should not be construed as legal, financial, tax, or professional advice.