Aave V4 Drafts Sherlock, Flexes a $365K Contest, and Keeps the Bug Bounty on Life Support

By our DeFi Desk (3 min read)

Aave has enlisted Sherlock to triple-check its V4 upgrade, deploying a three-pronged assault: a co-piloted audit with Blackthorn, a juicy $365,000 audit contest, and a live-code bug bounty that sticks around post-launch. The mission is to scour every single line of what might be the protocol's most dramatic glow-up ever.

Why V4 needs a security gauntlet

V4 rolls out a Hub-and-Spoke design and a fresh risk-premium engine—essentially rebuilding how money flows and how risk gets priced from the ground up. With more TVL than some small nations, any new exploit surface needs to be welded shut, leaving absolutely zero room for a "whoops, my bad" bug.

Phase 1: The multi-pass audit with Blackthorn

This isn't your grandpa's one-and-done code review. The audit is chopped into several iterative passes, where early discoveries actively steer the focus of later deep dives. It lets the auditors adapt on the fly as V4's pieces mature and snap together, like a chef tasting the soup at every step.

Phase 2: The $365K hunger games

Sherlock throws the codebase to the wolves—a.k.a. independent researchers—with a $365,000 prize pool on the line. That kind of carrot turns bug hunting from a casual side quest into a professional bounty hunt, encouraging diggers to go beyond a simple checklist and actually try to break the bank.

Phase 3: The perpetual bug bounty

Even after V4 is live and breathing real user transactions, the bounty stays active. Real-world usage has a funny way of uncovering edge cases no auditor in a test environment ever dreamed of, so the financial incentive for responsible disclosure now has a lifetime membership.

Hub-and-Spoke and risk premium under the loupe

The hub acts as the central brain handling core logic, while each market operates as its own spoke with custom settings. Layered on top, the new risk-premium system dynamically tweaks borrowing costs per asset. Both features are virgin code, so Sherlock is staring at them intensely, cross-referencing findings with Blackthorn to avoid any collective blind spots.

Full-lifecycle security, not just a one-time spell

Aave's three-phase blueprint is a masterclass in continuous coverage: review during dev, competitive scrutiny before launch, and bounty incentives after. For a protocol babysitting billions, this layered defense mimics where failures actually happen—at every possible stage, because of course they do.

The final reckoning

Aave V4's security playbook—partner audit, massive public contest, and evergreen bounty—raises the bar for DeFi projects shipping entirely new architecture. When the code is a complete rewrite, the security theater can't just be a rerun.

Publisher: gascope.com
Author: DeFi Desk
Updated: Mar 20, 2026, 07:02 UTC
