Rekt News — Aave Ecosystem Security Coverage

Brief Description

Independent investigative editorial coverage of Aave and the broader lending protocol category for 12 months. Output: 6 long-form investigations, 1 video documentary, 1 podcast panel, an annual State of Lending Protocols report, 8 distribution features across newsletter (~30K subscribers) and X (~280K followers @RektHQ) and a dedicated lending sector security tag on hub.rekt.news. Topic selection collaborative with Aave; framing, conclusions and incident coverage stay editorially independent. Ask: 75,000 USDC, 4 quarterly tranches against shipped deliverables.

Project Category

Security / Public Goods / Ecosystem Education

Requested Amount

75,000 USDC

Team / About Us

Rekt News (rekt.news) was founded by Julien Bouteloup and has operated since 2020 as an independent investigative publication covering DeFi security. No paywall, no token, no VC funding. Approximately 280K X followers (@RektHQ), 30K+ newsletter subscribers, 42K monthly readers. Routinely cited by audit firms, governance forums and security researchers.

We hosted the inaugural Rekt Security Summit in Cannes, March 2026 (https://summit.rekt.news). 40+ speakers including Ethereum Foundation, Certora, Nethermind, Trail of Bits, Immunefi, Cyfrin, Hypernative, Aragon, Curve and Gnosis VC. Full session recordings: https://www.youtube.com/playlist?list=PL8GXJfkZ1Eyhnmg46D7HeblLlHzBiZTMs

Operating entity located in Switzerland.

Project Description

The Aave ecosystem includes Aave v3, GHO and a growing constellation of Aave-derived protocols (Spark, Radiant, Yldr, ZeroLend and others). The lending category is architecturally rich (oracle adapters, e-mode parameter interactions, liquidation cascade dynamics, isolation mode edge cases, GHO peg mechanics, cross-protocol composability) and security incidents across the sector are frequent and consequential.

Rekt has covered both layers. Our March 2026 piece “Price Impact Kills” analysed the $27.78M wstETH liquidations stemming from the CAPO oracle incident alongside the parallel CoWSwap solver incident that routed $50M into a $73K pool for 327 AAVE out (Rekt - Price Impact Kills). Our April 2026 piece “KelpDAO - Rekt” covered the $290M LayerZero bridge compromise and how the contagion propagated across lending markets, including Aave’s exposure (Rekt - KelpDao - Rekt).

There is no consistent, independent, well-distributed editorial record of these incidents and their architectural lessons. Real-time risk dashboards and post-incident investigative editorial are different formats serving different audiences. Rekt fills the editorial gap with depth and reach that the dashboard format does not.

This grant funds Rekt to dedicate a meaningful portion of editorial bandwidth to the Aave stack for 12 months, producing structured outputs that delegators, contributors and the broader DeFi audience can use. The work fits AGD’s stated mandate of “empowering the community with accessible and novel insights.”

Goals

  1. Produce the definitive independent editorial record of Aave-ecosystem security incidents over a 12-month window.

  2. Document security incidents across Aave-derived lending protocols systematically (often coverage that no other outlet provides with technical depth) so the lessons feed back into Aave governance.

  3. Produce an annual State of Lending Protocols report synthesising the year’s work as a reference for the whole sector.

  4. Establish a discoverable archive of lending-sector security coverage on hub.rekt.news that delegators, builders and auditors can reference.

Editorial scope and independence

This grant funds Rekt News to produce educational content covering Aave-ecosystem security. Topic selection and editorial planning for the deliverables happen in collaboration with the Aave Grants DAO and Aave contributors. Aave may suggest topics, propose angles and review draft content for factual accuracy and clarity. Rekt retains final editorial decision on framing, conclusions and headlines.

Coverage of security incidents is treated separately. If Aave or any lending protocol in the category experiences a security incident during this partnership, that coverage is not part of the educational scope above and is not subject to collaborative input. Incidents are covered with the same depth applied to “Price Impact Kills” and “KelpDAO - Rekt.”

Disbursement is contingent on the listed deliverables being publicly published. It is not contingent on coverage tone or the specific framing of any individual piece. An Aave Grants DAO multisig signer verifies that each deliverable exists at each tranche.

This commitment is documented in this application so it is enforceable as a community expectation, not just a promise.

Why this benefits Aave

Aave V4 is in active development and the protocol is transitioning between major architectural generations. During such transitions, independent editorial coverage of security incidents (within the Aave stack and across the broader lending sector) has unusual value as a public reference for what worked, what didn’t and why. Reference material that captures architectural decisions and incident lessons matters more, not less, during change.

Aave delegators read governance proposals. Independent editorial coverage of lending-sector incidents gives them researched context they can pull from when evaluating risk parameters, new asset listings or oracle changes. The output is reference material that lives alongside (not in place of) the real-time risk work the DAO already commissions.

There is also a fork-coverage byproduct. When other lending protocols (Aave-derived or otherwise) experience security incidents, that coverage creates natural contextual comparison that positions Aave as the architectural reference, without the proposal needing to say so explicitly. Independent voices doing this in editorial output is materially more credible than Aave saying it about itself.

Defensive narrative for sector incidents matters too. In the event of any future incident affecting Aave or a major fork, having a publication that already understands the architecture writing the post-mortem is materially better for the lending sector than the alternative. We commit to covering Aave-stack incidents with the same depth regardless of partnership status, as our existing coverage of the March 2026 oracle and CoWSwap incidents demonstrates.

Deliverables (12 months)

All deliverables published openly on rekt.news under standard editorial terms. Public URLs reported at each tranche review.

  1. 6 long-form investigations on lending protocol security. Topics determined collaboratively at scope-planning sessions with Aave Grants DAO. At least 1 will cover Aave-fork incidents (Spark, Radiant, Yldr, ZeroLend or others as they occur). At least 1 will cover Aave architecture deep-dives (oracle adapters, liquidation cascade dynamics, isolation mode edge cases, composability, GHO peg mechanics, e-mode interactions).

  2. 1 video documentary covering lending protocol security. Published on YouTube and embedded on rekt.news.

  3. 1 podcast panel on a lending protocol security topic, with relevant security researchers, auditors and contributors as guests. Distributed via Spotify and YouTube. Recording archived on rekt.news.

  4. 8 distribution features across Rekt’s owned channels (newsletter ~30K subscribers + @RektHQ on X ~280K followers). Format at editorial discretion (newsletter feature, X thread or X mention with substantive context).

  5. Annual “State of Lending Protocols” report published on month 12. Synthesises the year’s work into a reference document covering incident patterns, architectural lessons and sector-wide implications. CC-licensed on rekt.news.

  6. Dedicated lending sector security tag on hub.rekt.news with all relevant coverage organised and discoverable. Maintained through the 12 months.

Strategic partnership with TheDefiant (optional extension)

Rekt holds a strategic content partnership with TheDefiant (~327K followers on X, ~130K subscribers on YouTube), under which co-productions are distributed across both communities. Example output, originally tied to a Stellar engagement and shared across three communities (Stellar, TheDefiant, Rekt): https://x.com/RektHQ/status/2047368048806408409

If Aave Grants DAO and the Aave community see value, we are open to reframing this proposal to include joint content production and cross-community distribution with TheDefiant. Concrete options include co-production of the video documentary, co-production of the podcast panel or additional joint formats. Cross-community reach would extend materially beyond Rekt’s owned channels. Specifics would be negotiated during the application review or in a follow-up revision based on Aave appetite.

Past work / Track record

Selected Rekt coverage of Aave and the lending category, grouped by relevance.

Direct Aave coverage:

  • “Price Impact Kills” (March 2026): https://rekt.news/price-impact-kills — CAPO oracle incident ($27.78M wstETH liquidations) + CoWSwap solver routing $50M into a $73K pool (327 AAVE out). Combined analysis of two incidents in one week.

  • “KelpDao - Rekt” (April 2026): https://rekt.news/kelpdao-rekt — $290M DPRK / LayerZero bridge compromise; analysis of how the contagion propagated across lending markets, including Aave’s exposure.

Sector flagship — pre-mortem and post-mortem on the Stream Finance / xUSD collapse:

  • “House of Cards” (October 2025): https://rekt.news/house-of-cards — pre-mortem on Stream Finance / Elixir recursive minting, published weeks before the $93M xUSD collapse and the resulting $285M contagion across lending markets (positions held by TelosC, Elixir, MEV Capital, Re7 Labs, Varlamore).

  • “The Loop Contagion” (November 2025): https://rekt.news/loop-contagion — forensic follow-up after the collapse; cross-protocol contagion mapping across Morpho, Euler, Compound, Lista DAO and adjacent lending markets.

Architectural pattern coverage in the lending category:

  • “Euler - Rekt” (March 2023): https://rekt.news/euler-rekt — investigation of the $197M Euler Finance flash loan attack via donateToReserves exploit. The attack sourced its flash loan from Aave V2, illustrating how Aave-stack infrastructure plays a role even in incidents at adjacent lending protocols.

  • “Makina - Rekt” (January 2026): https://rekt.news/makina-rekt — $4.13M oracle manipulation drain; flash loans sourced from both Aave V2 and Morpho. Documents the “out-of-scope in audit” pattern where known attack vectors are deliberately excluded from audit coverage.

  • “Moonwell - Rekt”: https://rekt.news/moonwell-rekt — oracle misconfiguration on a Compound v2 fork on Base; the cbETH/ETH ratio (1.12) was treated as a USD price by liquidation bots, stripping $1.78M from borrowers in one block. Architectural lesson for any lending market using rate-derived oracles.

  • “Sturdy Finance - Rekt” (June 2023): https://rekt.news/sturdy-rekt — read-only reentrancy oracle manipulation in lending, $800K loss. Same attack vector that hit Midas Capital and dForce Network. Vulnerable contract was outside the audit scope.

Broader track record: 280K X followers, 30K+ newsletter, 42K monthly readers. Routinely cited by audit firms, governance forums and security researchers. Over 100 long-form post-mortems published in the last 12 months covering incidents totalling billions in user losses.

Rekt Security Summit Cannes 2026: https://summit.rekt.news/

Budget breakdown

75,000 USDC total, disbursed in four equal quarterly tranches of 18,750 USDC against verified delivery of milestones.

  • T0 (signing) — 18,750 USDC. Triggered by application approval and signed agreement.

  • T1 (month 3) — 18,750 USDC. Triggered by: lending sector security tag live on hub.rekt.news with at least 4 indexed pieces; first long-form published; 2 distribution features published.

  • T2 (month 6) — 18,750 USDC. Triggered by: 3 long-forms total published; podcast panel published; 5 distribution features total.

  • T3 (month 12) — 18,750 USDC. Triggered by: 6 long-forms total complete; video documentary published; State of Lending Protocols report published; 8 distribution features total.

Disbursement contingent on deliverables being publicly published. An Aave Grants DAO multisig signer verifies existence at each tranche. No editorial review.

Funds transferred to a wallet controlled by Stake Capital Group, Switzerland.

Why USDC

USDC keeps the funding politically neutral. No implicit ties to AAVE token price during the work period, no perceived conflict in coverage of AAVE-token-related events.

Reporting and accountability

  • Quarterly public reports on rekt.news listing all deliverables shipped against the milestones, with public URLs.

  • On-chain transparency: every tranche reported with receiving address and tx id.

  • Community accountability: if a substantive objection to a tranche is raised in Aave governance channels or directly to the Aave Grants DAO multisig signers, release is paused pending review by the multisig.

  • End-of-partnership retrospective at month 12: public write-up of what worked, what didn’t and what we recommend Aave (and other DAOs) do differently in similar future partnerships.

What this is not

This proposal funds educational content, not promotion. This is not paid for favorable coverage. This is not a content partnership where Aave has approval rights over framing, conclusions or coverage of security incidents. This is not a retainer for media access.

Additional info

We are open to scope adjustment if Aave Grants DAO reviewers want different emphasis. Scope can be reduced to $20K under the Rapid track if reviewers prefer to start smaller (would scope down to 3 long-forms + 4 distribution features + tag + no State of Lending report, no video, no podcast).


Submitted by: Stake Capital Group. Julien Bouteloup, Founder of Rekt News and CEO of Stake Capital Group. Working contact for clarifications: Diogo Patão, Operations, diogo@rekt.news. Institutional contact: governance@stake.capital.


1 Like

Thanks for putting this together. I agree that more rigorous coverage of lending-related incidents is valuable for Aave.

Before this moves towards Snapshot, I have a few questions that feel important from a capital‑efficiency and governance‑impact perspective:

Cost breakdown:
Can you provide a transparent per‑deliverable cost breakdown (per long‑form investigation, per video, per podcast episode, per distribution feature, and for the annual report)? Right now we only see the 75k total and tranche structure, which makes it hard to assess whether this is capital‑efficient versus funding more protocol‑native risk research.

Governance impact, not just readership:
Which concrete Aave governance decisions do you expect this work to materially improve, and how will you measure that? For example, do you have a target number of ARFCs, risk parameter changes, or listings you aim to directly inform over the 12‑month period?

Avoiding overlap with existing risk stack:
You mention that Aave has already commissioned “dashboard work”, but it is not clear which gaps in the current risk/security stack this proposal uniquely covers. How do you avoid duplicating the work done by existing Aave‑funded risk providers (Chaos, former Gauntlet scope, security partners, incident reports, etc.)? A simple mapping of your planned outputs to clearly unmet needs would be very helpful.

Scope vs. budget level:
Given that a significant share of the proposal cost seems associated with media formats and distribution (podcast, video, syndication) rather than directly actionable risk analysis, would you be open to a lower‑budget, research‑first pilot scope (for example, closer to the Rapid track range) and only expanding to the full package if the governance value is clearly demonstrated?

Clarifying these points would make it much easier for delegates to judge whether 75k USDC is the right level of spend for this work versus alternative options like funding independent Aave‑native risk researchers.

1 Like

Hey @MconnectDAO — thanks for pushing on this. Working through your questions in order.

Cost breakdown

Twelve months, $75K USDC total:

  • 6 long-form source-of-truth documents on lending-sector security — $24K ($4K each)
  • 1 video documentary — $18K
  • 1 podcast panel — $4.5K
  • 8 distribution features across X and the newsletter — $4.5K
  • Annual State of Lending Protocol Security report — $12K
  • Project management, quarterly reporting, hub.rekt.news tag maintenance, milestone reviews — $3k / quarter = $12k

$4K per long-form covers genuine investigative depth with several interviews (written or video) with researchers, auditors and contributors.

Governance impact

What we want to build is source-of-truth documents — technical, accessible, common to everyone voting — so any delegate, contributor, or service provider can read one and walk away with a working understanding of a specific topic. The information needed to vote responsibly on collateral and risk decisions isn’t secret but it is scattered across audit PDFs, forum threads, protocol blogs, and incident reports in formats that effectively require power-user familiarity to synthesize.

Done well, this work doesn’t just inform votes — it sparks better ones. Organised, well-sourced editorial gives the community something concrete to scrutinise. That tends to engage adjacent participants who currently sit out of the discussion: security firms, LPs, large lenders and borrowers, integrators evaluating Aave. More voices, more rigour and potentially new ARFCs that surface risks or opportunities the existing process hadn’t reached.

To answer the question directly: we don’t propose to touch risk parameters or author ARFCs ourselves. We engage with the community — via the forum or, where useful, a small standing task force on this initiative — to agree on which topics to cover, write them, share drafts for review, and release when ready. Older pieces stay useful: if a future ARFC benefits from analysis we did six months earlier, the work compounds. The same outputs can support adjacent security work the DAO does — onboarding new auditors, evaluating partners, BD conversations where Aave needs an independent reference to point to.

Trying to push some KPIs, looking at the Risk category over the last ten months, Aave runs roughly 30-40 security-relevant threads per year. Of those 30-40 threads, our scope realistically maps to 8-10 — the ones where consolidated independent editorial actually adds something the existing providers don’t.

Editorial work doesn’t measure cleanly against ARFC counts and we can’t promise to influence specific votes. We can only commit that we release at month 12 a public tracking log of every Aave governance thread or ARFC where the work was referenced and an assessment of which pieces landed and which didn’t. The most honest test of whether this is worth funding is whether the community finds value in the pieces and wants to renew.

Overlap with existing risk stack

ChaosLabs has covered operational monitoring. LlamaRisk covers analytical parameter recommendations. Audit firms cover pre-deployment assurance. Immunefi covers reactive bounty. The gap is the synthesis layer — the work that turns all those inputs into something a non-specialist delegate can read and understand. AlanWestbrook’s L2BEAT-style dashboard proposal in the rsETH ARFC sits in this gap (link); whether or not a dashboard gets built, the documentation layer is needed either way.

Mapping of unmet needs:

  • Public investigative record of fork incidents (Spark, Radiant, Yldr, ZeroLend, etc.) — not covered by Aave’s internal risk providers
  • Architectural narrative on Aave-stack design decisions in the context of sector incidents — not the output format of quantitative risk firms
  • Distribution to the broader DeFi audience and governance-curious readers — outside the scope of dashboard providers
  • Annual sector synthesis as a reference document — nothing equivalent exists today

Lower-budget pilot

The application already includes a $20K Rapid track scope-down (3 long-forms + 4 distribution features + tag + no State of Lending report, no video, no podcast). Happy to start there if delegates prefer to validate the format before committing to the full package. The tranche structure on the full proposal already builds in the same logic — funds release only against shipped deliverables, with a multisig signer verifying existence at each tranche.

Thanks again — happy to drill further on any of these.

— Rekt News team

1 Like

Thanks for the detailed response and for working through my earlier questions. To better evaluate this proposal from a delegate perspective, could you please (i) specify 2–3 concrete success indicators you would consider “must‑have” after 12 months, (ii) briefly outline the governance process you envision for selecting and prioritising topics (for example, open forum signalling vs a small working group), and (iii) share how you plan to handle editorial independence and conflicts of interest, including any disclosure policy if you are simultaneously funded by protocols you investigate…?

Hey @MconnectDAO — great questions, let me do my best to answer.

(i) Must-have success indicators at month 12

Three SMART goals:

  • Delivery on committed scope. All pieces shipped at the depth promised, auditable against the deliverable list and tranche triggers.
  • Independent citation. At least 4 of the 6 long-forms referenced in Aave governance threads, framework discussions, or service-provider reports by people other than us, before month 12.
  • Adoption by the Aave team. Articles or video referenced by Aave contributors in conferences, talks, panels or partner channels during the engagement. If the work holds up well enough that Aave wants to point to it in their own venues, that’s the strongest signal we can ask for.

(ii) Topic selection

A one-off open kick-off where the community suggests topics and broad annual themes get set. After that, the program is managed by a small task force — ideally with members from Aave marketing and engineering joining us (Avara / Aave Labs) — so we have champions who can drive direction, point us to the right references and people, and keep the work aligned with where Aave actually needs the synthesis. Editorial decisions on framing and conclusions sit with Rekt; topic shaping and prioritisation is the part the task force runs together.

(iii) Editorial independence and prior engagements

The editorial independence commitment was in the original proposal and stands — the rigour and publication standards of normal Rekt News stories don’t change because of a partnership; that independence is what defines our work in the first place.

For full transparency: Rekt’s only comparable prior partnership was with Stellar (a research piece plus video on a single topic), and we ran sponsorships for the 2026 Rekt Security Summit in Cannes. Both already public. Any new engagement we close from the ongoing conversations with other DAOs or Companies will be listed publicly.

If Aave incidents occur during this engagement, coverage looks like the March 2026 “Price Impact Kills” — same depth, same independent framing, written the way it would be with or without a grant in place.

— Rekt News team

1 Like

Thank you for the detailed and transparent response. The SMART goals, editorial independence commitment, and prior engagement disclosures are well-framed and appreciated.

A few follow-up points

1. Multisig Signer Transparency
The tranche-based release structure is sound, but can you clarify who controls the multisig? Specifically, is there an Aave DAO representative as a signer, or does release authority sit entirely with the Rekt team? This is important for treasury accountability.

2. Quality Verification Mechanism
You mention deliverables will be “auditable against the deliverable list” but who independently verifies that the quality standard has been met before each tranche is released? Is there a review body, or does this rest solely with the task force?

3. Conflict of Interest — Fork Protocol Coverage
You’ve listed Spark, Radiant, and ZeroLend as potential coverage targets. If any of these protocols have separately funded or sponsored Rekt News, how will that conflict be disclosed and managed? The current disclosure policy covers Aave-specific engagements but may not address this fully.

4. Early Termination Clause
Is there a mid-engagement exit mechanism if the community feels the work is not meeting expected standards? Or is the only recourse simply not renewing at month 12?

5. Rapid Track vs Full Track
Would the team be open to the community voting on the $20K Rapid Track first as a pilot, before committing to the full $75K engagement? This would lower governance risk significantly and let the work speak for itself.

Hey @MconnectDAO — thanks for this batch of questions.

(1) Multisig signer transparency

Release authority sits with the Aave Grants DAO multisig, not with Rekt. Aave holds funds and at each tranche checkpoint, multisig signers verify deliverables exist and authorise the transfer. Rekt does not co-sign.

(2) Quality verification mechanism

Fair to push on this — the previous reply was light on the quality side. Concrete proposal:

  • The (Aave) task force works with us on every deliverable before each release. If the task-force consensus is that quality is below the agreed standard, the grant is cancelled.
  • Considering the above, every time Rekt News completes a milestone, the task force can confirm with the Aave Grants DAO signers that all the work was delivered.

(3) Conflict of interest — fork protocol coverage

Same disclosure principle, broader scope. Every Rekt piece during the engagement carries a footer naming every funder with a commercial relationship to any protocol mentioned in that piece. If Spark, Radiant, ZeroLend, or any Aave-fork separately funds Rekt during the engagement, that funding gets disclosed both on the standing partnership page on rekt.news and in the footer of any piece that mentions the funded protocol — including pieces funded by Aave that discuss those forks.

For transparency: as of submission, none of Spark, Radiant, ZeroLend, or any Aave-derived protocol has funded Rekt News. If that changes, it’s disclosed before publication of the next piece touching that ecosystem.

(4) Early termination clause

Yes, there should be one. Two paths in the engagement agreement:

  • Automatic termination on consecutive missed milestones. If the task force determines that the milestone has been missed in substance, the engagement terminates by default and any undisbursed funds remain with the Aave Grants DAO multisig.
  • Community-initiated termination. At any point, a community member can post a substantive concern in the forum. If the community “co-signs” the concern, a termination motion is escalated through the standard Aave Grants DAO governance process. We accept the outcome.

(5) Rapid Track vs Full Track

Yes — fully open to this. Start at the Rapid Track ($20K for 3-4 months) as a pilot, with a renewal review to decide on Full Track expansion. Scope as documented previously: 3 long-forms + 4 distribution features + tag + no State of Lending report, no video, no podcast.

Thanks again — these are the right questions to be asking.

— Rekt News team

1 Like

Thank you for the detailed responses so far.

I have one non-technical question related to media incentives and investor expectations.

In traditional media, there is always a tension between engagement driven headlines and responsible reporting. Higher engagement often comes from more dramatic or emotional framing of news. At the same time, this can influence how readers perceive risk and take decisions.

Since Rekt News is a media-style service and will be funded by the Aave ecosystem, how do you think about this trade-off in your editorial policy for Aave coverage? If a community member or investor feels that a specific article created unnecessary fear or hype and they took a loss because they reacted to that narrative, what is your position in such a scenario?

More concretely

Do you have internal guidelines that limit sensational framing, price-sensitive language or fear-driven narratives when covering protocols that fund your work?

How clearly do you communicate that your content is informational only and not advice, and that readers are fully responsible for their own decisions?

Is there any role for the Aave-side task force or a review group to check that funded coverage follows a minimum standard of responsible communication?

I am asking this because the proposal already covers conflict of interest and termination conditions, but I think editorial responsibility and narrative risk are also important for a security focused media partner.

Hey @MconnectDAO, fair question. Let me answer directly.

On the Rekt voice

Rekt headlines are dramatic because the events are dramatic. Billion-dollar hacks, structural failures, multi-year vulnerability classes. But Rekt does not publish price predictions, buy / sell calls, or position recommendations. The content is post-mortem and threat-model work, not investment commentary.

The funded scope (retrospectives, primers, pattern docs) sits even further from the dramatic tone. For a concrete example of what funded Rekt research looks like, see this Stellar Development Foundation-funded research piece: rekt.news/research/transparent-when-you-want-it. Structural analysis. Sourced. No price targets, no buy / sell framing. That is the tone the Aave scope sits in.

Direct answers to your three questions:

(1) Internal guidelines for sensational or price-sensitive framing

Yes. For all our pieces we commit to:

  • No price targets, no price levels, no buy / sell / accumulate framing
  • No claims about future protocol or token performance
  • Framing must be justified by the underlying facts, not by engagement potential

(2) Communication that content is informational only

We can add a footer making clear the content is informational only, not financial advice and that readers are responsible for their own decisions. This sits alongside the funder disclosure (Aave Grants DAO engagement). The Rekt site already has standing disclaimers; the funded scope makes it explicit at piece level.

(3) Task force role on responsible communication

Yes, with a clear boundary:

  • Before publication: task force can flag responsible-communication concerns alongside factual concerns. Substantive concerns pause publication for revision.
  • After publication: substantive community complaints about framing trigger a task force review. The response is documented and posted in the governance thread.
  • Boundary: the task force cannot ask us to change conclusions or soften findings that are accurate. Editorial decisions on what the piece concludes stay with Rekt. Editorial decisions on how aggressively it is framed are open to task force input.

— Rekt News team

1 Like

In addition to editorial responsibility, I have one more concern around data security and information handling.
If Rekt becomes an official security media partner, there is a possibility that over time you may receive sensitive or time‑critical information (for example, early details of incidents, non‑public risk findings, or coordinated disclosure material).

Do you have any concrete policies or internal controls for:
– Protecting such information from leaks or unintended disclosure
– Ensuring it is not used for trading, private advantage, or sensational “breaking” coverage that could harm Aave
– Coordinating with Aave security / task force on when and how sensitive findings are published

In other words, is there a defined data‑governance or confidentiality framework for Aave‑related information, beyond the general editorial guidelines you already described…?

Hey @MconnectDAO

Scope clarification

The funded engagement does not give Rekt access to confidential data, internal Aave incident response, code review material or coordinated disclosure information. We do not expect or require it.

Information flow is one-way and Aave-controlled. Rekt drives interviews and works with the task force on topic prioritisation. What enters a piece is what Aave contributors choose to share on-record for that piece, in alignment with the task force. Confidential material that could be harmful to Aave if leaked should stay inside Aave. It does not need to come to Rekt, and the scope does not require it.

The framing of “official security media partner with access to coordinated disclosure material” is not what this engagement establishes. Rekt is a journalism outlet writing about public security topics, with task-force-aligned editorial input on what Aave wants documented.

Direct answers to your sub-questions, with this scope in mind:

(1) Leak protection

Any material Aave chooses not to share does not leak through Rekt, because it never reaches Rekt. For material that does enter the editorial process (interview notes, on-record context, working drafts):

  • Working materials are not shared outside the editorial team handling the piece.
  • No public discussion of any in-progress piece until publication.
  • Source confidentiality where sources request it.
  • Open to a scoped NDA covering specific material the Aave task force flags as confidential at the time of sharing.

(2) Trading and private advantage

  • Rekt News editorial team members do not take positions in tokens of any protocol covered under a funded engagement, during the engagement period and for 90 days after publication. Covers AAVE, stkAAVE, GHO and other Aave ecosystem tokens.
  • The surface for trading-on-undisclosed-information is constrained structurally: no confidential information enters Rekt’s editorial process unless Aave shares it on-record for a specific piece, with task-force alignment.

(3) Sensational “breaking” coverage

Incident coverage is editorially independent from the funded scope, as already documented. Responsible-disclosure timing applies: live exploits are not covered in a way that exposes ongoing vulnerabilities, and post-mortem coverage waits for affected parties to confirm the vulnerability is contained. Bybit and Stream Finance were timed this way.

Code-level or internal-logic detail beyond what the affected team chooses to share publicly is not part of Rekt’s coverage. We work with the public record. If Aave engineering shares architecture context for a funded piece, the task force decides what is shareable and what stays internal.

(4) Coordination on publishing

For funded scope: the task force is part of topic prioritisation and pre-publication review, as already documented. For any sensitive material, the task force decides whether it is shareable and on what terms before it enters a draft. The default is that internal Aave information stays inside Aave.

For incident coverage (outside funded scope): we confirm facts with the affected team before publication where possible. We do not coordinate timing or framing, and we do not delay coverage based on the protocol’s preferences. Code-level or internal detail not on the public record is not used.

If the Aave Grants DAO or task force wants to formalise specific aspects (scoped NDA for particular materials, position-trading restriction language, embargo handling), happy to draft those into the engagement agreement.

Rekt News team


Final question from my side, which is important for me before I can fully support this:
You have outlined strong safeguards around trading restrictions, use of non‑public information, and editorial independence for incident coverage. Would you be open to (a) formalising these specific safeguards as explicit clauses in the engagement agreement, and (b) working with the Aave Grants / legal team to define a clear termination and, if appropriate, clawback mechanism in case a material breach is proven?
Clarifying this would give delegates much higher confidence that the excellent intent you described is also enforceable in practice.

Yes to both.

We agree on (a) formalising the safeguards as explicit clauses in the engagement agreement, and on (b) defining termination and clawback for material breach.

Our legal counsel can work with the Aave Grants / legal team to translate the commitments described across this thread into contract language. This will cover items such as:

  • Editorial team position-trading restriction
  • Stake Capital portfolio disclosure (already public at stake.capital, referenced as the disclosure surface)
  • Non-public information handling and scoped NDA mechanism
  • Editorial independence for incident coverage
  • Funder disclosure on every funded piece
  • Termination and pro-rata clawback for material breach proven on evidence

One ask on next steps

For the vote stage, would you (or any delegate reading this thread with the required voting power) be willing to act as champion to submit the proposal on the Aave Snapshot space? We are happy to coordinate on the final framing, timing, and any pre-vote alignment with the Aave Grants team.

Ready to move forward.

Rekt News team


Thank you for the clear response and for agreeing to formalise these safeguards in the engagement agreement.

From my side, this fully addresses the concerns I raised during the discussion phase. As a next step, I would suggest updating the main proposal text to explicitly include the points you listed here (trading restrictions, portfolio disclosure, handling of non‑public information, editorial independence, funder disclosure, and termination / clawback in case of material breach).

Making these safeguards visible in the proposal itself should make it easier for delegates and community members to support it, or raise any remaining questions before moving to Snapshot. Once that is done, I believe the proposal will be in a strong position to move to the next stage.


Aave Proposal — FINAL CONSOLIDATED VERSION

Status: Final, post 6 rounds of community Q&A on Rekt News — Aave Ecosystem Security Coverage. Default route: Rapid Track $20K for 6 months (pilot), with renewal review at month 6 for Full Track ($75K, 12 months) expansion.


[Pre-Snapshot] Rekt News — Aave Ecosystem Security Coverage (Final Version)

Submitter and contact

  • Submitter entity: Rekt News
  • Operating entity: Rekt News
  • Working contact: Diogo Patão, Operations, diogo@rekt.news.
  • Editorial contact: Flex, Investigative Journalist, Flex@rekt.news.

Brief description

Independent editorial coverage of the Aave ecosystem and the broader lending protocol category. Structured as a 6-month Rapid Track pilot ($20K USDC) with renewal review at month 6 for Full Track expansion ($75K total, 12 months).

Rapid Track output: 3 long-form pieces on lending-sector security topics (final selection from a candidate list in task force planning with Aave DAO / Aave Labs / Aave Grants contributors), 1 mid-engagement briefing, and a dedicated Aave ecosystem security tag on hub.rekt.news. Topic prioritisation collaborative; framing, conclusions and incident coverage stay editorially independent.

Project category

Security / Public Goods / Ecosystem Education

Requested amount

  • Primary route — Rapid Track pilot: 20,000 USDC for 6 months.
  • Optional renewal — Full Track: 75,000 USDC for 12 months total, conditional on Rapid Track delivery and community renewal vote at month 6.

Why this benefits Aave

Aave is in the middle of a structural transition. V4 launched on Ethereum mainnet on March 30, 2026, introducing the Hub & Spoke architecture. BGD Labs ceased contributions on April 1, 2026 with the security retainer expiring June 1. Chaos Labs departed as a risk service provider in April 2026, with LlamaRisk absorbing the scope alongside Aave Labs and building protocol-owned risk infrastructure on Chainlink Runtime Environment. Aave Horizon is scaling the RWA vertical. The Aave Foundation has been formally established.

This is the most architecturally consequential moment in Aave’s history, and the documentation layer has not kept pace with it. Chaos Labs (historically) and LlamaRisk cover operational monitoring and parameter analytics. Audit firms cover pre-deployment assurance. The gap is the synthesis layer: editorial work that turns the architectural shifts, incident lessons, and risk-stack evolution into reference documents a non-specialist delegate can read and understand.

This proposal funds Rekt to produce structured, evergreen reference pieces anchored on what is actually happening in Aave right now, organised on rekt.news and hub.rekt.news under a dedicated tag. The work is reference material that lives alongside the real-time risk work the DAO already commissions and gets pulled back into relevant governance discussions when applicable.

Independent voices documenting architectural decisions and incident lessons across the lending sector position Aave as the architectural reference point in the category. That positioning is materially more credible when written by an independent publication than when stated by Aave itself.

Goals

  1. Produce structural reference documentation of Aave-ecosystem security architecture, risk-stack evolution and lending-sector incident patterns over the engagement window.
  2. Establish a discoverable archive on rekt.news and hub.rekt.news under a dedicated Aave ecosystem security tag, used by delegators, builders, auditors and integrators.
  3. Build a body of reference pieces that get cited and linked back into Aave governance discussions when relevant ARFCs surface.
  4. If renewed at month 6: deliver Full Track scope including additional long-forms, an annual State of Lending Protocols report, plus video documentary and podcast formats for cross-community distribution.

Editorial scope, task force, and independence

Task force. Topic prioritisation, scope-planning and pre-publication review happen through a task force composed of: (i) Aave delegate(s), service-provider rep(s), and Aave Labs / DAO contributors who handle marketing and communications, as designated by the Aave Grants DAO; and (ii) Rekt News editorial representatives. Where useful, named technical reviewers (auditor or academic from the Aave-adjacent network) may be invited to pre-publication review of anchor pieces for factual accuracy and analytical rigour, explicitly not for framing or conclusions.

Editorial firewall. Editorial decisions on framing and conclusions sit with Rekt News. The funded scope is educational and reference work, not advocacy. The task force can flag responsible-communication and factual accuracy concerns; the task force cannot require changes to conclusions or soften findings that are accurate.

Incident coverage independence. Coverage of security incidents affecting Aave or any lending protocol in the category is treated separately from the funded educational scope and is not subject to collaborative input. Incidents are covered with the same depth and editorial independence applied to existing Rekt work in the category. We commit to this regardless of partnership status.

Information handling and data security

The funded engagement does not give Rekt access to confidential Aave data, internal incident response, code review material, or coordinated disclosure information. We do not expect or require it.

Information flow is one-way and Aave-controlled. Rekt drives interviews and works with the task force on topic prioritisation. What enters a piece is what Aave contributors choose to share on-record for that piece. Confidential material that could be harmful to Aave if leaked should stay inside Aave. It does not need to come to Rekt, and the funded scope does not require it.

For material that does enter the editorial process (interview notes, on-record context, working drafts):

  • Working materials are not shared outside the editorial team handling the piece.
  • No public discussion of any in-progress piece until publication.
  • Source confidentiality where sources request it.
  • Open to a scoped NDA covering specific material the Aave task force flags as confidential at the time of sharing. NDA scope does not extend to general editorial output.

Code-level or internal-logic detail beyond what the affected team chooses to share publicly is not part of Rekt’s coverage. We work with the public record.

Conflict of interest and disclosures

  • Editorial team position-trading restriction. Rekt News editorial team members do not take positions in tokens of any protocol covered under this funded engagement during the engagement period and for 90 days after publication of the relevant piece. For the Aave engagement this covers AAVE, stkAAVE, GHO, and other Aave ecosystem tokens.
  • Funder disclosure on every funded piece. Every Rekt piece under this engagement carries a footer disclosing the Aave Grants DAO engagement. The standing partnership page on rekt.news lists every funded engagement publicly.
  • Fork protocol coverage disclosure. Every piece carries a footer naming every funder with a commercial relationship to any protocol mentioned in that piece. As of submission, none of Spark, Radiant, ZeroLend, or any Aave-derived protocol has funded Rekt News.
  • Per-piece informational disclaimer. Every funded piece carries a footer making clear the content is informational only, not financial advice, and that readers are responsible for their own decisions.
  • No prior Aave engagement. Rekt News has not been previously funded by Aave Grants DAO, Aave Companies, Aave Labs, the Aave Foundation, or any Aave ecosystem entity.

Editorial standards (responsible communication)

For funded pieces under this engagement:

  • No price targets, no price levels, no buy / sell / accumulate framing.
  • No claims about future protocol or token performance.
  • Framing is justified by the underlying facts, not by engagement potential.
  • Internal standard before publication: would this framing hold up if a reader without prior crypto exposure read it cold? If not, it is revised.

For a concrete example of the funded-research register, see rekt.news/research/transparent-when-you-want-it — a Stellar Development Foundation-funded research piece. Structural analysis. Sourced. No price targets, no buy / sell framing. That is the register the Aave scope sits in.

Deliverables — Rapid Track pilot (6 months, $20K)

All deliverables published openly on rekt.news under standard editorial terms. Public URLs reported at each tranche.

1. 3 long-form pieces on lending-sector security topics.

Final topic selection in task force scope-planning with Aave DAO / Aave Labs / Aave Grants contributors. Candidate topics (5 options grounded in active Aave governance discourse, final list to align with Aave priorities):

  • Aave’s risk infrastructure transition: from third-party dependency to protocol-owned CRE. Why the Chaos Labs departure exposed a structural vulnerability, what protocol-owned risk infrastructure on Chainlink Runtime Environment actually changes, how LlamaRisk and Aave Labs are rebuilding the risk layer with cryptographic workflow verification, and what this means for institutional confidence in Aave’s risk function.

  • The post-BGD Labs security stack for V4. What gaps BGD’s departure created in V4 security tooling (Hub & Spoke attack surface, Position Manager layer, cross-Hub desync, oracle staleness, flash loan position manipulation), what’s being proposed to fill them (AaveShield-style modular frameworks among others), and where the protocol stands today.

  • Aave V4 architecture in the context of V3 incident lessons. Hub & Spoke architecture, Credit Lines, Reinvestment Controller, Umbrella coverage logic. How V4 responds to V3 incident classes (the March 2026 wstETH CAPO oracle failure, oracle composability, isolation mode edges, liquidation cascade dynamics, GHO peg mechanics). Where residual risk sits.

  • Aave Horizon and the RWA frontier. The bounded dynamic NAV model (LlamaGuard), the architectural risks of bringing tokenised equities and long-duration credit into a lending protocol, the liquidator spoke proposal, and what RWA-native parameter spaces require. Forward-looking architectural reference piece.

  • The rsETH incident and LRT collateral risk in lending markets. Architectural retrospective on the rsETH incident, the Aave DAO response, and the broader question of LRT collateral handling and contagion across the lending category.

These are structural, forward-looking reference pieces grounded in active Aave governance threads. Each piece is evergreen and gets organised under the Aave ecosystem security tag on hub.rekt.news for use by delegates, contributors, and integrators in relevant governance discussions.

2. 1 mid-engagement briefing at month 3.

Synthesis document covering the lending-sector security landscape over the first 3 months of the engagement, plus a working note on which long-forms are in production and progress to date.

3. Dedicated Aave ecosystem security tag on hub.rekt.news.

Aggregating all funded coverage plus pre-existing Aave-relevant pieces from the Rekt archive. Maintained through the 6-month engagement and beyond.

How the long-forms get used in governance (clarification)

Rekt’s editorial workflow produces evergreen reference pieces, not on-demand explainers tied to specific upcoming votes. The model is:

  • Rekt publishes the long-form on the agreed topic on rekt.news and hub.rekt.news organised under the Aave tag.
  • When a relevant governance discussion (forum thread, ARFC, Snapshot) touches a topic Rekt has documented, the piece is referenced and linked by community members, the task force, or Rekt itself.
  • This creates a reference layer that compounds over time. A piece published in month 2 can still be the primary reference for an ARFC in month 8 or month 15.

This is materially different from “pre-vote primers triggered by upcoming votes”. The reference layer is what delegates use, and the long-form discipline is what Rekt is built to deliver.

Deliverables — Full Track renewal (optional, +6 months, +$55K = $75K total)

If the Rapid Track delivers and the community votes for renewal at month 6, the engagement extends to 12 months total. Full Track adds:

  • 3 additional long-form investigations (6 total over 12 months)
  • 1 video documentary on lending protocol security
  • 1 podcast panel with security researchers, auditors, and contributors as guests
  • 8 distribution features total across newsletter (~30K subscribers) and X (@RektHQ, ~280K followers)
  • Annual “State of Lending Protocols” report published at month 12
  • Continued maintenance of the Aave ecosystem security tag on hub.rekt.news

Strategic partnership with TheDefiant (optional, Full Track only). Rekt holds a strategic content partnership with TheDefiant (~327K X followers, ~130K YouTube subscribers). If Aave Grants DAO sees value, the video documentary or podcast panel under Full Track renewal can be co-produced for cross-community distribution.

Verification, tranches, quality controls

Tranche structure for Rapid Track ($20K, 2 tranches):

  • T0 (signing) — 10,000 USDC. Triggered by application approval, signed engagement agreement, and task force composition confirmed.
  • T1 (month 6) — 10,000 USDC. Triggered by: 3 long-forms published; mid-engagement briefing published; Aave ecosystem security tag live and indexed.

Multisig structure. Release authority sits with the Aave Grants DAO multisig. At each tranche checkpoint, designated multisig signers verify deliverables and authorise the transfer. Rekt does not co-sign; we receive after the multisig signs.

Verification. Deliverables are auditable against the deliverable list. The task force reviews quality before each tranche release. If task-force consensus is that quality is below the agreed standard, the tranche is paused and the work is revised before release.

Public objection window. A 7-day public objection window sits before every tranche transfer. Any community member can flag quality or factual accuracy concerns in the governance forum. Substantive concerns trigger a task-force review and may pause release pending resolution.

Termination and clawback

  • Automatic termination. Engagement terminates by default if the task force determines that the checkpoints have been missed in substance. Any undisbursed funds remain with the Aave Grants DAO multisig.
  • Community-initiated termination. A community member can post a substantive concern in the governance forum. If the community co-signs the concern, a termination motion is escalated through standard Aave Grants DAO governance. The outcome is accepted by Rekt.
  • Clawback for material breach. Triggers limited to breach proven on evidence, not allegation. Examples: proven editorial team trading in restricted tokens during the restriction window; proven leak of material flagged confidential at time of sharing; proven coordination on incident coverage in violation of editorial independence. Scope: undisbursed funds stay with the Aave Grants DAO multisig; for disbursed funds, clawback applies pro-rata to deliverables tied to the breach. Process: task force reviews evidence, escalates to Aave Grants DAO governance for enforcement.

Formalisation in engagement agreement

The safeguards in this proposal shall be formalised as explicit clauses in the engagement agreement. Rekt’s legal counsel will coordinate with the Aave Grants legal team on the draft. Items covered include the editorial team position-trading restriction, non-public information handling and scoped NDA mechanism, editorial independence for incident coverage, funder and fork-protocol disclosure, editorial standards, per-piece informational disclaimer, termination triggers and pro-rata clawback for material breach.

Reporting and accountability

  • Public report at each tranche on hub.rekt.news listing all deliverables shipped with public URLs.
  • On-chain transparency: every tranche reported with receiving address and tx id.
  • End-of-engagement retrospective at month 6 (Rapid Track) and month 12 (if Full Track renews): public write-up of what worked, what didn’t and what we recommend for similar future partnerships.

Why USDC

USDC keeps the funding politically neutral. No implicit ties to AAVE token price during the engagement, no perceived conflict in coverage of AAVE-token-related events.

What this is not

This proposal funds educational and reference content, not promotion. This is not paid for favorable coverage. This is not a content partnership where Aave has approval rights over framing, conclusions or coverage of security incidents. This is not a retainer for media access. This is not an embedded security partnership with access to internal incident response or coordinated disclosure material.

Past work / Track record

Rekt News has operated since 2020 as an independent investigative publication covering DeFi security. ~280K X followers (@RektHQ), 30K+ newsletter subscribers, ~42K monthly readers. Routinely cited by audit firms, governance forums and security researchers. Over 100 long-form post-mortems in the last 12 months covering incidents totalling billions in user losses.

Recent direct Aave-stack coverage:

  • “Price Impact Kills” (March 2026, rekt.news/price-impact-kills): wstETH CAPO oracle incident + CoWSwap solver routing $50M into a $73K pool for 327 AAVE out.
  • “KelpDao - Rekt” (April 2026, rekt.news/kelpdao-rekt): $290M LayerZero bridge compromise, contagion across lending markets including Aave’s exposure.

Sector flagship — Stream Finance / xUSD pre-mortem and post-mortem:

  • “House of Cards” (October 2025, rekt.news/house-of-cards): pre-mortem on recursive minting, published weeks before $93M xUSD collapse and the resulting $285M contagion across lending markets.
  • “The Loop Contagion” (November 2025, rekt.news/loop-contagion): cross-protocol contagion mapping across Morpho, Euler, Compound, Lista DAO.

Architectural pattern coverage in the lending category: “Euler - Rekt” (2023), “Makina - Rekt” (Jan 2026), “Moonwell - Rekt”, “Sturdy Finance - Rekt” (2023).

Funded research register reference: “Transparent When You Want It, Private When You Need It” (rekt.news/research/transparent-when-you-want-it), Stellar Development Foundation-funded research piece. Demonstrates the funded-research register applied to a sponsored engagement.

Other public-facing work: Rekt Security Summit Cannes 2026 (summit.rekt.news, 40+ speakers including Aave, Ethereum Foundation, Certora, Nethermind, Trail of Bits, Immunefi, Cyfrin, Hypernative, Aragon, Curve, Gnosis VC).

Open Questions for the community

  • Snapshot champion: would any delegate reading this thread be willing to act as champion to submit the proposal on the Aave Snapshot space? Rekt News does not currently hold the voting power required to submit (1,600 AAVE/stkAAVE minimum).
  • Task force composition: which Aave delegate(s), service-provider rep(s), and Aave Labs / DAO contributor(s) would join the task force?
  • Topic selection: of the 5 candidate topics listed under the Rapid Track deliverables, which 3 align best with current Aave DAO priorities? Or are there other structural topics (Aave Foundation governance evolution, USDe / yield-bearing asset risk, Pendle PT exposure, others) that fit better right now?

Copyright

All Rekt output under this engagement is published under standard editorial terms on rekt.news (open access, no paywall). Copyright and related rights on the published output are managed by Rekt News under its standard publication terms.
