BlackHartBlackHart
Scores/Aave V3

Aave V3

MITHRIL

Lending / Borrowing · Multi-chain · $15B+ TVL · 30 contracts

Official site: aave.com

886
3004756508251000
Confidence87%
Z-Factor0.87
Updated 2026-05-27Public score

Security Profile

Access Ctrl
90
Economic
91
Oracle
85
Compos.
78
Govern.
92
Maturity
95
Resilience
96
Supply Ch.
90
OpSec
55
Cascade
55
Min
55
Avg
83
Max
96

Audit History

Trail of Bits
2022-01Report
Certora (Formal Verification)
2023-01Report
Sigma Prime
2022-01Report
Peckshield
2022-01Report

Bug Bounty Program

$1,000,000
Max payout on Immunefi
View Program

Assessment

Gold standard lending protocol. Zero validated findings, 38-month V3 track record, org since 2017. IRRATIONAL game equilibrium confirms no profitable deviation. 880 reflects massive structural surface area (991 nodes, 2601 edges) balanced by exceptional defense depth. Near-ADAMANTINE but Chainlink dependency and flash loan callback surface prevent top tier.

Dimension Breakdown

Methodology
Access Control
Weight 18% · 88% confidence
90
+188 modifiers: ifAdmin, onlyPoolConfigurator, onlyPoolAdmin, onlyPositionManager, onlyUmbrella, initializer, onlyPool
+18Internal check functions: _onlyPoolConfigurator, _onlyPoolAdmin, _onlyPositionManager
+18Role-based ACL: hasRole, getRoleAdmin, grantRole, revokeRole, renounceRole
+18958 function authority entries in graph
Provenance
Economic Soundness
Weight 13% · 90% confidence
91
+15Health factor model: calculateUserAccountData with 15 call edges (thorough validation)
+15validateBorrow: 24 call edges (most complex validation function)
+15validateLiquidationCall: 15 call edges checking health factor thresholds
+15Flash loan exists: FLASHLOAN_PREMIUM_TOTAL, FLASHLOAN_PREMIUM_TO_PROTOCOL (fee-configurable)
Provenance
Oracle Integrity
Weight 13% · 85% confidence
85
+21ADDRESSES_PROVIDER (immutable): oracle indirection via provider pattern
+21RESERVE_INTEREST_RATE_STRATEGY (immutable): externalized rate computation
+21getReserveNormalizedIncome, getReserveNormalizedVariableDebt: internal oracle functions
+21eMode categories add oracle complexity (10 writers to _eModeCategories)
Provenance
Battle-Tested Maturity
Weight 12% · 95% confidence
95
+19V3 live since March 2023 (38 months), V2 since 2020, V1 since 2020, org since 2017
+19Zero protocol-level exploits across any version
+19Multiple audit firms, continuous auditing program
+19Formally verified core contracts
Provenance
Governance & Upgradeability
Weight 10% · 90% confidence
92
+18Timelocked governance execution via external governance contracts
+18onlyPoolConfigurator gates: initReserve, dropReserve, setConfiguration, updateFlashloanPremium, configureEModeCategory*
+18onlyPoolAdmin gates: syncIndexesState, syncRatesState, setLiquidationGracePeriod, rescueTokens, eliminateReserveDeficit
+18onlyUmbrella: specialized insurance/umbrella operations
Provenance
Adversarial Resilienceredacted
Weight 10% · 95% confidence
96
  • Score derived from continuous adversarial security research
Provenance
Operational Security
Weight 10% · 60% confidence
55
-45No branch protection detected
+11Active CI/CD (100% success rate)
+11Commit signing: 88% verified
+11Minimal development activity (0 commits/month)
Provenance
Compositional Risk
Weight 5% · 82% confidence
78
+161019 call edges show high internal composition complexity
+16Top fan-out: mint(28), validateBorrow(24), initialize(23), executeFlashLoan(22)
+16Flash loan callback: executeOperation creates cross-boundary composition
-223 composition type errors: FL->_handleFlashLoanRepayment(missing R), getSiloedBorrowingState->isBorrowingOne
Provenance
Cascade Exposure
Weight 5% · 90% confidence
55
+18Appears in 9 cross-protocol cascade chain(s)
+18Member of 9 dependency cluster(s)
+18Source: cross_protocol_composition.json dependency analysis
Provenance
Supply Chain
Weight 4% · 92% confidence
90
+22OpenZeppelin libraries (industry standard)
+22Modern Solidity versions, regularly updated
+22Verified on all deployment chains
+22Professional dependency management
Provenance

Top Score Drivers

Dimensions with the greatest marginal impact on BRI.

Operational Security
55+36.1 potential
No branch protection detected
Cascade Exposure
55+17.8 potential
Appears in 9 cross-protocol cascade chain(s)
Oracle Integrity
85+12.5 potential
ADDRESSES_PROVIDER (immutable): oracle indirection via provider pattern
Access Control
90+11.2 potential
8 modifiers: ifAdmin, onlyPoolConfigurator, onlyPoolAdmin, onlyPositionManager, onlyUmbrella, initializer, onlyPool
Compositional Risk
78+7.3 potential
3 composition type errors: FL->_handleFlashLoanRepayment(missing R), getSiloedBorrowingState->isBorrowingOne

Adversarial Risk Signals

Publicly verifiable security posture indicators.

Disclosure HistoryNot Assessed
Remediation VelocityNot Assessed
Bug Bounty ProgramNot Assessed
Audit CoverageNot Assessed
Incident HistoryNot Assessed
Deployed 2023-03-1610 dimensionsProvenance Ledger
methodology v2.1formula v1.1weights v1.1evidence sha256:sha256:c...

Score History & Verification

Score provenance tracking begins with the next reassessment.

Full provenance ledger

On-Chain Data

Protocol Slug
"aave-v3"
Oracle
BRORegistry (Base)
Evidence
IPFS (pinned)
Staleness Threshold
24 hours
Read Score
registry.getScore("aave-v3")
Reduce exploitable risk

Continuous adversarial analysis, vulnerability detection, and verified reassessment.

View PlansMethodology

Embed this score

Live, updates automatically. Free for any site. Click-through links open the full report on BlackHart.

Public
Style
Theme
Format
Preview
Copy iframe code
<iframe
  src="https://blackhart.io/embed/oracle/aave-v3?variant=card&theme=dark"
  title="BlackHart Risk Index: Aave V3"
  width="340"
  height="290"
  frameborder="0"
  loading="lazy"
  style="border:0; max-width:100%;"
></iframe>
Believe this score contains a factual error? Submit evidence for review