Aave Labs has unveiled a proposal for a dedicated bug bounty program for its upcoming V4 protocol, to be managed on Sherlock's security platform. The program aims to establish a 24/7 channel for reporting security issues as the DeFi lending giant transitions to its fourth major iteration. Founder Stani Kulechov emphasized that "bug bounties have long been an important part of Aave's security strategy," praising Sherlock's expertise in managing such programs.
The proposed structure includes a unique staking mechanism for high-priority submissions. Participants reporting critical or high-priority issues must stake at least 250 USDC. This stake is returned with the bounty payout for valid reports but is forfeited to cover triage costs if the submission is deemed invalid or spam. This is designed to prevent participants from classifying all submissions as high-priority to chase larger payouts. Medium- and low-priority submissions remain free to submit.
The announcement coincides with the exposure of a rounding error vulnerability in the current Aave V3 core code (versions prior to 3.5) by HypurrFi, a lending market on Hyperliquid's HyperEVM. HypurrFi discovered the bug through its internal monitoring system and immediately paused new deposits and borrowing in the affected markets (XAUTO and UBTC) to protect user funds, while continuing to allow withdrawals and repayments. The platform, which holds $26.5 billion in user deposits, is now working with Aave deployers and security researchers to address the issue and has warned other projects that fork Aave's code.
This vulnerability discovery casts a shadow over Aave's security narrative, coming just days after Aave Labs published a comprehensive security report for V4. That report, covering a year-long review from March 2025 to February 2026, involved 345 review days with audit firms Certora, ChainSecurity, Trail of Bits, and Blackthorn, plus over 900 independent researchers in a Sherlock contest. Aave Labs claimed "no critical or high-severity vulnerabilities were found" in V4.
The security developments unfold against a backdrop of significant internal strife within the Aave ecosystem. BGD Labs, contracted by the Aave DAO for security and technical work, recently announced its departure, citing frustration with Aave Labs' efforts. Similarly, ACI (Aave Chan Initiative) has stated it will not renew its contract, with founder Marc Zeller criticizing the "Aave Will Win" proposal that granted Labs around $51 million in funding. Zeller alleged the proposal passed due to approximately 233,000 AAVE from Labs-linked addresses, including 111,000 allegedly delegated by Stani Kulechov.
Both departures point to a central conflict: frustration over Aave Labs' push to migrate users from V3 to V4, with accusations that Labs is artificially constraining V3 development to promote its successor.