Aave cooperates with forks following vulnerability

When Aave found a vulnerability in its code, multiple projects inherited the security flaw

article-image

Akif CUBUK/Shutterstock modified by Blockworks

share

DeFi lending protocol Aave is a popular candidate for “forking,” whereby developers take open-source code and launch a spinoff. 

But when its bug bounty program unearthed a potential vulnerability in Aave’s code, the exploit route wasn’t made public. 

Aave’s council of community guardians froze certain assets and markets on Aave after learning of the bug on Nov. 4. 

Over the following week, Aave DAO’s service provider bgdlabs made proposals to disable stable rate borrowing and end the minting of stable debt where borrowers would pay fixed rates in the short term that could be rebalanced later.

Aave lending markets returned to normal on Nov. 13 after the proposals were executed. But what about the forks that inherited Aave’s apparently exploitable code?

Bgdlabs wrote in a forum post that it had reached out to every Aave fork to offer advice on protection measures after the vulnerability came to light. At least three dozen projects have launched as spinoffs of Aave V2 or V3’s public code, per DeFiLlama.

“This is something that you see in computer security a lot,” said Luke Youngblood, founding contributor at the Moonwell lending protocol. “Say Apple or Google needs to tell smartphone manufacturers or other vendors in the space about a vulnerability that impacts their software or their solutions. They have to do this in a confidential way so that they don’t alert the hackers to where the hole is before it can be patched.”

The two largest Aave forks by total value locked (TVL), Spark and Radiant, both worked with Aave to double-check code for vulnerabilities, Marc Zeller, the founder of delegate platform Aave Chan Initiative, told Blockworks. 

Of the other forks, several posted on X that the platforms weren’t at risk — including Moola, which paused twice and removed its stable borrow function as Aave dealt with the vulnerability.

Bgdlabs said on Aave’s forum that it was helping Aave forks patch their code in keeping with DeFi’s communitarian ethos. 

“Even if we don’t have any responsibility to them (we are not providing services), we think the Aave community should show good values, as leaders in the space,” bgdlabs said of the forks.

Shira Brezis, co-founder of the DeFi risk and security firm Redefine, said Aave’s cooperation is par for the course in DeFi, noting that she’s in a group chat with some of her own company’s competitors. 

And perhaps the goodwill trends both ways — last week, Maker, of which Spark is a subDAO, passed a proposal to share some of Spark’s revenue with Aave. 

Aave also stands to gain from not seeing forks succumb to exploits.

“When users lose funds, it’s a bad outcome for everyone in the DeFi space. It makes people think crypto is insecure and makes them think it’s a hotbed for hackers,” Youngblood said.

In a Telegram message, bgdlabs’ co-founder Ernesto Boado said an eventual public disclosure of Aave’s code weakness “depends on different factors” and that their team “tried our best to notify forks” about the vulnerability.


Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.

Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Javits Center North | 445 11th Ave

Tues - Thurs, March 18 - 20, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

recent research

Research

article-image

Hunter Horsley says Solana is one of this cycle’s breakout successes that he thinks clients will want to access

article-image

SOL has climbed more than 2,000% in the past two years

article-image

MicroStrategy founder Michael Saylor alluded to Marathon’s CEO during a X Spaces on Tuesday

article-image

Crypto’s calls are equally as juiced as puts, creating a “smile” in the volatility surface

article-image

Turns out that owning the end-user via a crypto wallet is quite a prosperous business

article-image

The announcement followed growing speculation that Gensler would announce his exit before Trump takes office next year