UUPS _authorizeUpgrade correctly permissioned

Aave v3's assessment for RD-F-021 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Aave v3 uses Transparent Proxy pattern (not UUPS) for all Pool contracts. UUPS _authorizeUpgrade is not applicable. Upgrade gating is via PoolAddressesProvider and Executor timelocks — assessed under Cat 2.

Sources #

Etherscan
AaveV3Ethereum.sol — PoolAddressesProviderPoolAddressesProvider 0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e (upgrade registry for Transparent Proxy)retrieved 2026-04-27

Methodology #

Determine whether the UUPS implementation defines `_authorizeUpgrade(address)` restricted to owner/admin/timelock (not open to arbitrary callers).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol aave-v3 factor RD-F-021 score not_applicable collected_at 2026-04-27 23:28:46