HypurrFi flags a rounding error vulnerability in Aave V3
HypurrFi, a lending market on Hyperliquid’s HyperEVM supporting both pooled and isolated markets, has exposed a rounding vulnerability within the Aave V3 core code prior to 3.5, putting a hold on XAUTO and UBTC markets to ensure the safety of user funds.
The news comes in as Aave Labs published a detailed report on the success of the V4 upgrade, stating that after a year of testing, no critical vulnerabilities were found.
So while the progress of the V4 upgrade is interesting, there remains lingering doubt due to an apparent bug currently in the protocol, housing $26.5 billion in user deposits.
What did HypurrFi find?
HypurrFi, through its internal monitoring system, discovered errors in Aave’s V3 calculation logic, immediately pausing new deposits and borrowing in the affected markets. The move was made in order to ensure the safety of user funds and allow withdrawals and repayments without any risks involved.
In order to address the issues, HypurrFi has now teamed up with Aave deployers and security researchers. They also urged other Aave fork projects to contact them for security insights, hinting that the vulnerability might affect other platforms outside their own markets.
The recent developments raise questions about the Aave V3, potentially giving Aave Labs more points in arguing the urgency of its highly contested V4 upgrade. Aave made over $120 million in revenue last year, per Defillama data.
How secure is Aave Labs’ V4 upgrade?
Just a few days before the rounding vulnerability was exposed, Aave Labs published a comprehensive security report for V4. The document included details of the year-long review process conducted from March 2025 to February 2026. The process took a total of 345 review days, involving multiple audit firms, including Certora, ChainSecurity, Trail of Bits, and Blackthorn. It also included over 900 independent researchers who submitted their findings during a six-week Sherlock security contest.
In the report, Aave Labs claimed that “no critical or high-severity vulnerabilities were found,” stating that the security framework in the V4 upgrade includes formal verification, manual audits, invariant testing, fuzzing, and AI-assisted scanning, all of which represent a “security first” approach that applies safeguards at the beginning of design stages rather than at the end.
While that sounds reassuring, users are wary because the V3 went through similar audits from top firms before it was deployed, and after years of operation, HypurrFi found a bug.
What does this mean for Aave?
This report lands amid difficult times in the Aave ecosystem as BDG Labs announced on February 20 that it would be leaving on April 1, citing Labs’ control over governance and artificial constraints on V3 developments as reasons behind its decision.
A few weeks later, ACI also announced that it will not renew its contract with Aave, and will see its agreement out over the remaining four months of validity. ACI founder Marc Zeller goes on to mention the “Aave Will Win” proposal, which would grant Labs around $51 million in funding, citing it as evidence that “a single entity holds enough voting power to pass its own budget proposals over community opposition.”
The proposal passed all necessary checks and received 52.8% support from the community, but Zeller protested that the votes would have failed if it did not depend on approximately 233,000 AAVE from Labs-linked addresses, including 111,000 allegedly delegated by founder Stani Kulechov.
Both BDG and ACI departures point at a common issue: frustration over Lab’s push to migrate from V3 to V4. The initial proposals suggested slowly changing V3’s settings, forcing users to migrate once V4 launches. BDG boldly opposed this move, further criticizing Aave Labs for purposely halting V3’s development while promoting V4 by comparing it negatively to V3.
If you're reading this, you’re already ahead. Stay there with our newsletter.
Recommended Articles
