BugHunters — Bug Bounty Platform
    Back to Programs
    Aave

    Aave

    Crypto/DeFi

    Leading decentralized lending and borrowing protocol with $10B+ in TVL across multiple blockchain networks.

    https://aave.com

    Max Reward

    $250,000

    Total Paid

    $2,100,000

    Resolved

    89

    Avg Response

    4 days

    In-Scope Assets

    app.aave.com

    Lending/borrowing interface

    Aave Smart Contracts

    V3 lending pool, governance, and flash loans

    Aave API

    Subgraph and data APIs

    GHO Stablecoin

    GHO smart contracts and facilitators

    Out of Scope

    • Governance proposal content
    • Third-party integrations
    • Aave Companies corporate site

    Severity Levels & Rewards

    Critical

    RCE, authentication bypass, privilege escalation, fund extraction

    High

    Stored XSS, CSRF with impact, API abuse, data manipulation

    Medium

    Reflected XSS, data leakage, logic flaws, information disclosure

    Low

    Verbose errors, minor config issues, low-impact info disclosure

    Active Bounties (2)

    IDTitleSeverityStatusRewardSubmissions
    AAVE-001Flash loan oracle manipulation via price feed delay
    Critical
    Open
    		$50,000–$250,0000
    AAVE-002GHO facilitator cap bypass via reentrancy in mint function
    Critical
    In Review
    		$50,000–$250,0001

    Rules of Engagement

    • Do not access, modify, or delete data belonging to other users.

    • Do not perform denial-of-service attacks or automated scanning at high volume.

    • Report vulnerabilities promptly and provide sufficient detail to reproduce.

    • Allow reasonable time for fix before public disclosure (90 days).

    • Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.