BlackHartBlackHart
Scores/Aave V3

Aave V3

MITHRIL

Lending / Borrowing · Multi-chain · $15B+ TVL · 30 contracts

Confidence 87%Z-Factor 0.87Updated 2026-05-17Public Score

Public risk assessment — scores are produced with the same methodology as monitored protocols

886
BRI Score
3004756508251000

Security Profile

Access Ctrl
90
Economic
91
Oracle
85
Compos.
78
Govern.
92
Maturity
95
Resilience
96
Supply Ch.
90
OpSec
55
Cascade
55
Min
55
Avg
83
Max
96

Audit History

Trail of Bits
2022-01Report →
Certora (Formal Verification)
2023-01Report →
Sigma Prime
2022-01Report →
Peckshield
2022-01Report →

Bug Bounty Program

$1,000,000
Max payout on Immunefi
View Program →

Assessment

Gold standard lending protocol. Zero validated findings, 38-month V3 track record, org since 2017. IRRATIONAL game equilibrium confirms no profitable deviation. 880 reflects massive structural surface area (991 nodes, 2601 edges) balanced by exceptional defense depth. Near-ADAMANTINE but Chainlink dependency and flash loan callback surface prevent top tier.

Dimension Breakdown

How scores work →
Access Control
Weight 18%88% conf
90
Excellent
arrow_forward
+188 modifiers: ifAdmin, onlyPoolConfigurator, onlyPoolAdmin, onlyPositionManager, onlyUmbrella, initializer, onlyPool
+18Internal check functions: _onlyPoolConfigurator, _onlyPoolAdmin, _onlyPositionManager
+18Role-based ACL: hasRole, getRoleAdmin, grantRole, revokeRole, renounceRole
+18958 function authority entries in graph
receipt_longView provenance chainarrow_forward
Economic Soundness
Weight 13%90% conf
91
Excellent
arrow_forward
+15Health factor model: calculateUserAccountData with 15 call edges (thorough validation)
+15validateBorrow: 24 call edges (most complex validation function)
+15validateLiquidationCall: 15 call edges checking health factor thresholds
+15Flash loan exists: FLASHLOAN_PREMIUM_TOTAL, FLASHLOAN_PREMIUM_TO_PROTOCOL (fee-configurable)
receipt_longView provenance chainarrow_forward
Oracle Integrity
Weight 13%85% conf
85
Strong
arrow_forward
+21ADDRESSES_PROVIDER (immutable): oracle indirection via provider pattern
+21RESERVE_INTEREST_RATE_STRATEGY (immutable): externalized rate computation
+21getReserveNormalizedIncome, getReserveNormalizedVariableDebt: internal oracle functions
+21eMode categories add oracle complexity (10 writers to _eModeCategories)
receipt_longView provenance chainarrow_forward
Battle-Tested Maturity
Weight 12%95% conf
95
Excellent
arrow_forward
+19V3 live since March 2023 (38 months), V2 since 2020, V1 since 2020, org since 2017
+19Zero protocol-level exploits across any version
+19Multiple audit firms, continuous auditing program
+19Formally verified core contracts
receipt_longView provenance chainarrow_forward
Governance & Upgradeability
Weight 10%90% conf
92
Excellent
arrow_forward
+18Timelocked governance execution via external governance contracts
+18onlyPoolConfigurator gates: initReserve, dropReserve, setConfiguration, updateFlashloanPremium, configureEModeCategory*
+18onlyPoolAdmin gates: syncIndexesState, syncRatesState, setLiquidationGracePeriod, rescueTokens, eliminateReserveDeficit
+18onlyUmbrella: specialized insurance/umbrella operations
receipt_longView provenance chainarrow_forward
Adversarial Resiliencelock
Weight 10%95% conf
96
Excellent
  • Score derived from continuous adversarial security research
Operational Security
Weight 10%60% conf
55
Moderate
arrow_forward
-11No branch protection detected
+14Active CI/CD (100% success rate)
+14Commit signing: 88% verified
-11Minimal development activity (0 commits/month)
receipt_longView provenance chainarrow_forward
Compositional Risk
Weight 5%82% conf
78
Good
arrow_forward
+201019 call edges show high internal composition complexity
+20Top fan-out: mint(28), validateBorrow(24), initialize(23), executeFlashLoan(22)
+20Flash loan callback: executeOperation creates cross-boundary composition
-113 composition type errors: FL->_handleFlashLoanRepayment(missing R), getSiloedBorrowingState->isBorrowingOne
receipt_longView provenance chainarrow_forward
Cascade Exposure
Weight 5%90% conf
55
Moderate
arrow_forward
+18Appears in 9 cross-protocol cascade chain(s)
+18Member of 9 dependency cluster(s)
-45Score: 55/100 (higher = more isolated from systemic risk)
+18Source: cross_protocol_composition.json dependency analysis
receipt_longView provenance chainarrow_forward
Supply Chain
Weight 4%92% conf
90
Excellent
arrow_forward
+22OpenZeppelin libraries (industry standard)
+22Modern Solidity versions, regularly updated
+22Verified on all deployment chains
+22Professional dependency management
receipt_longView provenance chainarrow_forward

Risk Drivers

Primary risk factors driving this score, ordered by severity.

Operational Security55
Cascade Exposure55
Compositional Risk78

Adversarial Risk Signals

Observable security posture indicators. These signals reflect publicly verifiable information and responsible disclosure outcomes. No specific vulnerability details are exposed.

Disclosure HistoryNot Assessed
Remediation VelocityNot Assessed
Bug Bounty ProgramNot Assessed
Audit CoverageNot Assessed
Incident HistoryNot Assessed
Deployed 2023-03-16Z-Factor 0.86610 active dimensionsreceipt_longProvenance Ledger

Score History & Verification

Score provenance tracking begins with the next reassessment.

receipt_longView full provenance ledger →

On-Chain Data

Protocol Slug
"aave-v3"
Oracle
BRORegistry (Base)
Evidence
IPFS (pinned)
Staleness Threshold
24 hours
Read Score
registry.getScore("aave-v3")

Reduce exploitable risk

BlackHart Monitoring provides continuous adversarial analysis, vulnerability detection, remediation support, and verified reassessment when your risk posture improves.

View Monitoring PlansHow Scores Work
Believe this score contains a factual error? Submit evidence for review →