Fix-merged-but-not-deployed gap

Aave v3's assessment for RD-F-140 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No known case of a security-critical fix merged to aave-v3-origin without subsequent governance deployment. Certora FV is continuous. All v3.x patches have been deployed through governance.

Sources #

GitHub
Aave V3 Origin - commit historyaave-dao/aave-v3-originretrieved 2026-04-27

Methodology #

Determine whether a known vulnerability has a PR merged in the repo but the fix has not been included in the deployed bytecode.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol aave-v3 factor RD-F-140 score green collected_at 2026-04-27 23:28:46