Audit-to-deploy gap

Aave v3's assessment for RD-F-006 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

v3.6.0 released 2025-01-08; the comprehensive audit batch (Pashov, MixBytes, Blackthorn, Savant, Certora) is dated Nov 2025, 10+ months post-deploy. Some audits pre-dated the v3.6.0 deploy, but precise pre-deploy sign-off dates are not determinable from the public security index for all firms. Conservative yellow given ambiguity in whether any pre-deploy audit specifically covers the v3.6.0 bytecode as deployed.

Sources #

Audit
Aave Security — Audit Datesv3.6 audit dates (Nov 2025) from aave.com/securityretrieved 2026-04-27
GitHub
aave-v3-origin v3.6.0 Releasev3.6.0 release date 2025-01-08retrieved 2026-04-27

Methodology #

Measure the number of days between the audit report sign-off date and the mainnet deploy of the audited bytecode.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol aave-v3 factor RD-F-006 score yellow collected_at 2026-04-27 23:28:46