HypurrFi, a credit market on Hyperliquid’s HyperEVM that supports both pooled and isolated markets, has exposed a rounding vulnerability in Aave V3 core code before version 3.5 and placed controls on its XAUTO and UBTC markets to ensure the safety of user funds.
The news comes as Aave Labs releases a detailed report on the success of the V4 upgrade, stating that no critical vulnerabilities were found after a year of testing.
So while the progress of the V4 upgrade is interesting, doubts remain because of one apparent bug currently present in the protocol, which houses $26.5 billion in user deposits.
What did HypurrFi find?
HypurrFi discovered errors in Aave V3’s calculation logic through its internal monitoring system and immediately paused new deposits and loans in the affected markets. This step was taken to ensure the safety of user funds and to allow withdrawals and refunds without any risk.
To address the issues, HypurrFi is now working with Aave implementers and security researchers. They also urged other Aave fork projects to contact them for security insights, suggesting the vulnerability could affect other platforms outside their own markets.
The recent developments raise questions about Aave V3, potentially strengthening Aave Labs’ argument for the urgency of the highly controversial V4 upgrade. Aave transferred it $120 million in revenue last year, according to Defillama data.
How secure is Aave Labs’ V4 upgrade?
Just a few days before the rounding vulnerability came to light, Aave Labs published a comprehensive security report for V4. The document details the year-long assessment process, which ran from March 2025 to February 2026. The process lasted a total of 345 assessment days and involved multiple auditing firms, including Certora, ChainSecurity, Trail of Bits and Blackthorn. It also involved more than 900 independent researchers who submitted their findings in a six-week Sherlock security competition.
In the report, Aave Labs claimed that “no critical or high-severity vulnerabilities were found,” and stated that the security framework in the V4 upgrade includes formal verification, manual auditing, invariant testing, fuzzing, and AI-assisted scanning, all of which represent a “security first” approach that applies safeguards at the beginning of the design phase rather than the end.
While that sounds reassuring, users are wary because V3 went through similar audits from top companies before it was deployed, and after years of use, HypurrFi discovered a bug.
What does this mean for Aave?
This report comes amid difficult times in the Aave ecosystem, as BDG Labs announced on February 20 that it would be leaving on April 1, citing Labs’ control over governance and artificial restrictions on V3 developments as reasons for its decision.
A few weeks later, ACI also announced that it will not renew its contract with Aave and that the agreement will be extended for the remaining four months. ACI founder Marc Zeller went on to mention the “Aave Will Win” proposal, which would provide Labs with approximately $51 million in funding, citing it as evidence that “a single entity has sufficient voting power to pass its own budget proposals despite community opposition.”
The proposal passed all necessary checks and received 52.8% support from the community, but Zeller protested that the vote would have failed had it not relied on approximately 233,000 AAVE from Labs-linked addresses, including 111,000 allegedly delegated by founder Stani Kulechov.
The positions of both BDG and ACI point to a common problem: frustration with Labs’ push to migrate from V3 to V4. The original proposals suggested that V3’s settings would be changed slowly, requiring users to migrate once V4 launched. BDG was strongly against this move, further criticizing Aave Labs for deliberately halting development of V3 and promoting V4 by negatively comparing it to V3.

