The Aave team is working with Sherlock on the V4 upgrade through three distinct phases: a multi-phase joint audit conducted with Blackthorn, a $365,000 audit competition, and an ongoing post-launch live code bug bounty program. For one of the most significant architectural changes in Aave’s history, security coverage doesn’t stop at pre-launch assessment. It continues from implementation to live operations.
The @aave team worked with Sherlock on the V4 upgrade in three key phases: a multi-phase joint audit with Blackthorn, a $365,000 audit competition, and a bug bounty to protect live code post-launch.
For one of the biggest architectural shifts in Aave history,…
— SHERLOCK (@sherlockdefi) March 19, 2026
Why V4 needs this level of coverage
Aave V4 introduces a Hub-and-Spoke architecture in addition to a new risk premium system. These are not incremental changes to existing code. They represent a fundamental redesign of how the protocol manages liquidity and price risks across markets.
New architecture means new attack surfaces, and new attack surfaces in a protocol that handles billions in user funds means the margin for missed issues is effectively zero.
Sherlock has been brought in specifically to dig deeper into the parts of V4 that are completely new. A standard audit covers what exists. What Aave needs for V4 is coverage that understands what the new components are supposed to do, how they interact with legacy code, and where the new design creates exposure that previous audit frameworks weren’t built for.
Three phases, one continuous layer of security
The multi-phase joint audit with Blackthorn forms the basis. Rather than a one-shot assessment, the structure allows findings from the early phases to inform the scope of later phases. As V4’s components develop and integrate, the audit process adapts rather than treating the codebase as a completed artifact.
The $365,000 audit competition opens the code to a broader field of independent security researchers with a financial background. Competition-based audits consistently reveal issues that traditional enterprise-based audits miss because the incentive structure rewards finding real vulnerabilities rather than completing a checklist.
At $365,000, the prize pool is large enough to attract serious researchers who view it as a professional assignment rather than a sideline.
The bug bounty program extends coverage beyond the launch date. This is the part that most audit processes skip entirely. Code that passes pre-launch review still faces real-world conditions, new transaction patterns, and interaction scenarios that no audit fully anticipates. A live bug bounty keeps the financial incentive for responsible disclosure active after deployment, meaning the layer of security doesn’t expire the moment users start interacting with V4.
The Hub-and-Spoke Architecture and why it is the focus
The Hub-and-Spoke model is at the heart of what makes V4 architecturally different from previous Aave versions. It centralizes certain protocol functions at the hub level, while allowing individual markets to operate as spokes with their own parameters.
On top of this is the risk premium system, which dynamically adjusts financing costs based on the specific risk profile of each asset and market configuration.
Both components are so new that there is no prior audit history to draw on. Sherlock’s focus on these areas reflects a simple security principle: the latest and most complex code carries the highest residual risk, and that is where independent investigations should focus. Working with Blackthorn allows both companies to compare findings in areas where a single reviewer’s blind spots can have real consequences.
What full lifecycle security actually means
Sherlock’s model goes beyond point-in-time audits by design. The three-phase structure on Aave V4 is an example of what that looks like in practice: coverage that begins during development, intensifies in the pre-launch phase through competitive review, and then continues into live operations through ongoing bounty incentives.
For a protocol on the scale of Aave, this approach reflects a realistic view of where security flaws actually occur. Pre-launch audits catch a lot. They don’t catch everything.
The combination of professional audit, crowdsourced competition and post-launch bounty creates overlapping layers covering different failure modes at different stages of the protocol’s lifespan.
Conclusion
The security process of Aave V4 with Sherlock is worth paying attention to as a model. Three phases, two pre-launch and one post-launch, covering the most architecturally novel components of the protocol with a combination of expert review, open competition and live monitoring. For protocols that provide truly new infrastructure, this is the type of coverage that matches the actual risk profile of what is being deployed. Aave V4’s partnership with Sherlock’s DeFi platform through a joint audit, a $365,000 competition, and a live bug bounty has set a new bar for protocol security. If the architecture is completely new, the security process must reflect this.

