Prior known-ignored disclosure

Aave v3's assessment for RD-F-177 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No evidence in any published post-mortem that a disclosure to the Aave team was ignored pre-exploit. The January 2025 governance forum warning about Kelp's 1/1 DVN was a public forum flag about a third-party (Kelp's) bridge configuration, not a private disclosure to Aave about an Aave vulnerability. Aave had no authority to fix Kelp's bridge. No prior post-mortem documents a disclosed Aave vulnerability that was ignored. Green.

Sources #

Governance
Aave v2/v3 Security Incident (November 4, 2023)Stable rate security incident Nov 2023retrieved 2026-04-27
Governance
rsETH Incident Report — root cause: LayerZero 1/1 DVN misconfiguration on Kelp sidersETH Incident Reportretrieved 2026-04-27

Methodology #

Determine whether evidence exists in prior-incident post-mortems that a disclosed vulnerability was reported to the team and not actioned before exploit.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol aave-v3 factor RD-F-177 score green collected_at 2026-04-27 23:28:46