Aave Labs has published a proposal to launch a new dedicated bug bounty program for Aave v4 on Sherlock's security platform for DeFi protocols.
The proposal aims to establish a channel for reporting security concerns as the protocol transitions to its fourth version (v4). Aave Labs says that Sherlock has already been working with the community to audit the current v3 protocol and was used for early v4 testing, which means all parties already share reporting standards and escalation paths.
Founder Stani Kulechov noted that bug bounties have been an important part of the protocol's security strategy. He also praised the Sherlock team for its expertise in running previous bug bounty programs and security contests.
On its part, Sherlock expressed support for the proposed program, adding, “Always-on coverage, structured triage, and clear escalation for high-severity reports as V4 ships and scales. Aave’s commitment to security stays constant.”
The bug bounty program will be limited to the Aave v4 repositories and deployed contracts. Any expansion or migration of other programs would need a separate governance poll.
Participants can submit medium- or low-severity reports freely. However, a report cannot later be upgraded to a higher tier, even if its scope grows; this is intended to make researchers classify a finding carefully at submission time.
High-severity and critical submissions, which receive the larger payouts, will be limited to researchers who stake 250 USDC. If the submission is valid, the stake is returned together with the payout. If it is invalid, the stake is forfeited to cover triage costs. This is meant to prevent spam in which participants mark every submission as high-severity to take a shot at the higher payout.
For high-severity submissions, Aave's designated security team members are notified via Telegram and Slack so they can respond immediately. Lower-severity submissions are first assessed by an AI system working alongside human reviewers, and only the reports deemed higher quality are forwarded to the Aave team for review.
Aave Labs conceded that while the 250 USDC stake will reduce spam, it could deter some genuine researchers from submitting high-severity findings. To mitigate this, it intends to keep the medium-severity tier free of charge and to prioritize reports from experienced researchers submitted through that tier.
It also acknowledged that barring the reclassification of medium submissions to high severity risks penalizing researchers who misclassify a finding. It intends to publish an extensive classification guide as part of the program's launch materials.
The proposal comes weeks after a dispute between Aave Labs and BGD Labs became public, with the latter announcing its departure at the end of this month. BGD, which was contracted by the Aave DAO to handle security and technical matters, says Aave Labs has frustrated its efforts to advance the protocol.
