[ARFC] AaveShield — Modular Security Framework for Aave V4

Author: Kristiyan Petrov (@zontak)
Date: April 14, 2026

## Summary

AaveShield is a modular, open-source security framework that wraps Aave V4's Position Manager layer with 8 composable security modules, protecting against 39 identified security gaps across the Hub, Spoke, and Position Manager layers. The framework is fully implemented, deployed on Sepolia, and verified on Etherscan. All 296 unit/integration tests pass.

This ARFC requests community feedback on integrating AaveShield into Aave V4's security infrastructure, with a Phase 1 grant of $50,000–$75,000.

## Motivation

### The Security Gap

Aave V4 launched on Ethereum mainnet on March 30, 2026, introducing the Hub & Spoke architecture — the most significant architectural change in Aave's history. BGD Labs ceased all contributions on April 1, 2026, with their security retainer expiring June 1, 2026.

Our independent security analysis identified 39 specific vulnerabilities across three layers:

| Severity | Count | Examples |
| --- | --- | --- |
| CRITICAL | 7 | Premium delta manipulation, deficit reporting without proof, oracle staleness, dust liquidation exploit, cross-hub desync, cross-chain signature replay, missing PM identity validation |
| HIGH | 12 | Halted spoke premium changes, interest rate reentrancy, unlimited reinvestment sweep, flash loan position manipulation, multicall non-atomicity |
| MEDIUM | 16 | Fee receiver deadlock, config staleness, liquidation bonus gaming, decimal mismatch, share dilution |
| LOW | 4 | Nonce collision, ETH trap, unlimited approvals |

### Key Risks Without Mitigation

- Premium manipulation — Spokes report arbitrary premium deltas to the Hub. Crafted offsets can permanently brick assets via `.toUint256()` overflow.
- Zero-validation deficit reports — `reportDeficit()` accepts bad debt claims without proof. It is a pure accounting entry; no funds are required.
- No oracle safety net — `getReservePrice()` only checks price > 0. There is no staleness check, deviation detection, or fallback.
- Flash loan attacks unblocked — Unlike V2/V3, V4 has no mechanism preventing flash-loan-powered position manipulation within a single transaction.
- Cross-hub desync — Reserves using different Hubs have no atomic cross-hub health factor verification.

## Specification

### Architecture

```
User --> AaveShieldRouter (Position Manager wrapper)
  |-- Collect protocol fee (configurable BPS)
  |-- delegatecall --> Module.onBeforeOperation()   [each enabled module]
  |       `-- returns guardFee (punitive fee if threat detected)
  |-- call --> Spoke.supply/borrow/withdraw/repay
  |-- delegatecall --> Module.onAfterOperation()    [each enabled module]
  `-- Split fees: protocolShare --> treasury, remainder --> Aave reserves
```

Users opt in by approving AaveShieldRouter as their Position Manager. Modules execute via delegatecall in the router's storage context, using ERC-7201 namespaced storage for isolation. EIP-1153 transient storage provides gas-efficient pre/post-operation snapshots (100 gas vs 20,000 for an SSTORE).

### 8 Security Modules

| # | Module | Gaps Covered | Key Protections |
| --- | --- | --- | --- |
| 1 | HubInvariantModule | 8 (2 CRITICAL) | Liquidity conservation, share consistency, deficit bounds, premium integrity, cap enforcement |
| 2 | OracleValidatorModule | 2 (1 CRITICAL) | Price staleness, EMA deviation, intra-block manipulation detection |
| 3 | LiquidationGuardModule | 3 (1 CRITICAL) | Dust attack prevention, sandwich detection, self-liquidation, post-HF verification |
| 4 | FlashLoanShieldModule | 2 (2 HIGH) | 6 flash loan attack patterns, per-block activity tracking |
| 5 | UtilizationBreakerModule | 2 (1 HIGH) | Soft/hard circuit breakers, sweep rate limiting, velocity tracking |
| 6 | PositionGuardModule | 5 (1 CRITICAL) | Cross-hub validation, reentrancy snapshots, whale rate limits |
| 7 | PremiumValidatorModule | 8 (1 CRITICAL) | Independent premium recalc, halted spoke blocking, deficit fraud detection |
| 8 | IntentValidatorModule | 8 (2 CRITICAL) | Cross-chain replay prevention, atomic multicall, approval verification |

Total coverage: 39/39 gaps addressed — all 7 CRITICAL, all 12 HIGH, all 16 MEDIUM.

### Response Modes

Each module supports two response modes per spoke:

- Soft mode (default): Charges a punitive fee proportional to threat severity. The attack becomes economically irrational while legitimate transactions proceed.
- Hard mode: Reverts the transaction entirely. Used for critical attack patterns where any execution is unacceptable.

### Access Control (Two-Tier)

| Role | Controls |
| --- | --- |
| Owner | Protocol fees, treasury, module registry, spoke admin permissions, emergency pause |
| Spoke Admin | Module selection, threshold tuning, hard/soft mode toggle (within owner-granted permissions) |

All parameters are runtime-configurable — no redeployment is required for fees, thresholds, permissions, or module implementations.

### Revenue Model

- Protocol Fee — Configurable BPS on every operation (default: 5 BPS = 0.05%)
- Punitive Fee Share — When modules detect threats, a configurable share goes to the protocol treasury (default: 50%)
- Service Provider — Ongoing maintenance, monitoring, and incident response

## Evidence of Work

### GitHub Repository

github.com/zontak/aaveshield — Security framework for Aave V4 Hub & Spoke architecture: 8 modular security modules with delegatecall dispatch, two-tier access control, and fee engine.

- 8 fully implemented security modules
- AaveShieldRouter with delegatecall dispatch, fee engine, two-tier access control
- 296 passing tests (unit, integration, invariant)
- 95–100% line coverage across all modules
- Full deployment and configuration scripts
- MIT licensed

### Sepolia Testnet Deployment (Verified on Etherscan)

All contracts deployed, registered, configured, and verified:

| Contract | Address |
| --- | --- |
| AaveShieldRouter | 0xE6b5B72d8909141b187bd71d2EBe2509a45C1d2f |
| HubInvariantModule | 0xB799601C457fbE8C9A6D652C65e3ac6947EE72d8 |
| OracleValidatorModule | 0x81695365d5ccdE878B8E024525910f286c236270 |
| LiquidationGuardModule | 0x664AE1aF620c61Dec7Ec0b881afA47Bb169C3f15 |
| FlashLoanShieldModule | 0x9ebE9389625eDeBC3B6987F79A02e28dBF2EB7E4 |
| UtilizationBreakerModule | 0x361f7b0aA62c608579B6FfbB05c728ed1048b7F6 |
| PositionGuardModule | 0xf8d9C1752f8584de4aB5BdFCE62e7833179D0af6 |
| PremiumValidatorModule | 0x6B595526a669F54EB59998F69072299B110f30c6 |
| IntentValidatorModule | 0x9F358e0dac6535980dC7950c3e48853372dF3403 |

Additionally deployed: MockHub, MockSpoke, MockOracle for end-to-end demonstration.

### Mainnet Fork Validation

13 integration tests run against live Aave V4 mainnet state (Core Hub 0xCca852..., Main Spoke 0x94e7A5...), confirming:

- Modules read real Hub asset state (liquidity, deficit, shares)
- Modules read real Spoke reserve configurations
- Modules read real oracle prices
- All 8 modules configure correctly against real V4 addresses
- Gas overhead within acceptable bounds

### Test Coverage

| Component | Line Coverage |
| --- | --- |
| AaveShieldRouter | 97.35% |
| AaveShieldMath | 100% |
| HubInvariantModule | 95%+ |
| OracleValidatorModule | 95%+ |
| LiquidationGuardModule | 95%+ |
| FlashLoanShieldModule | 95%+ |
| UtilizationBreakerModule | 95%+ |
| PositionGuardModule | 95%+ |
| PremiumValidatorModule | 95%+ |
| IntentValidatorModule | 95%+ |

## Team

We built ShieldPad — the first modular security framework for Uniswap V4 hooks:

- 5 security modules (anti-rug, MEV protection, oracle validation, volume guards, vesting unlock protection)
- 143+ unit tests, ~90% line coverage
- Same architecture: delegatecall composition, ERC-7201 namespaced storage, soft/hard modes
- Deployed on Arbitrum One

AaveShield directly adapts ShieldPad's proven architecture for Aave V4's lending-specific attack surface, scaling from 5 modules / 15 attack vectors to 8 modules / 39 attack vectors.

## Budget

### Phase 1 — $50,000–$75,000

Already delivered:

- All 8 modules implemented and tested
- Sepolia deployment with Etherscan verification
- 296 passing tests, 95%+ coverage
- Full documentation

Remaining Phase 1 work:

- Professional security audit (coordinated with Aave security)
- Mainnet deployment preparation
- Gas optimization pass
- Community feedback integration

### Phase 2 — Service Provider ($300,000–$500,000/year)

- Module updates for new Spoke types and Hub upgrades
- Real-time monitoring dashboard
- Incident response support
- Security advisory for governance proposals
- Expansion to new chain deployments (Base, Arbitrum, etc.)

### Budget Context

| Reference | Amount |
| --- | --- |
| AaveShield Phase 1 ask | $50K–$75K |
| BGD Labs annual retainer | Multi-million (expired) |
| Aave Labs recent funding | $25M |
| V4 Sherlock audit contest | $365K |
| V4 Sherlock bug bounty | $1.5M ongoing |
| Protocol annual revenue | $140M+ |

AaveShield's ask is a fraction of the protocol's security budget and fills the critical infrastructure gap left by BGD Labs' departure.

## Timeline

| Phase | Status | Timeline |
| --- | --- | --- |
| Security Analysis (39 gaps) | Complete | – |
| 8 Module Implementation | Complete | – |
| 296 Test Suite | Complete | – |
| Sepolia Deployment | Complete | – |
| Etherscan Verification | Complete | – |
| Mainnet Fork Validation | Complete | – |
| Community Review (this ARFC) | Current | April 2026 |
| Professional Audit | Pending | May 2026 |
| Mainnet Deployment | Pending | June 2026 |
| Service Provider Proposal | Future | Q3 2026 |

## How This Aligns with Aave

- Security first — 39 gaps identified and mitigated before any exploit occurs
- Non-invasive — Position Manager wrapper, no changes to Aave V4 core contracts
- Opt-in — Users choose to route through AaveShield; no governance action is required for integration
- Open source — MIT licensed, fully auditable by the community
- Revenue-aligned — Punitive fees make attacks economically irrational while funding ongoing security
- BGD replacement — Fills the security tooling gap with working code, not just proposals

## Links

- GitHub: github.com/zontak/aaveshield
- Sepolia Router: 0xE6b5B72d8909141b187bd71d2EBe2509a45C1d2f (Etherscan Sepolia)
- Author: https://www.linkedin.com/in/kristiyan-petrov-zontak/

## Copyright

Copyright and related rights waived via CC0.
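The router pipeline and the soft/hard response modes described under Specification and Response Modes above, as an added toy model in Python; this is not code from the AaveShield project (whose contracts are Solidity). The `assess` module interface, the 0..100 severity scale, the per-module `punitive_bps`, and the rule that the protocol fee goes wholly to the treasury while only the punitive `guardFee` is split by `protocolShare` are my assumptions; the 5 BPS and 50% defaults are the proposal's.

```python
# Toy model of the AaveShield router pipeline (constructed example, not project code).
# Assumed, not from the proposal: severity is 0..100, protocol fee -> treasury, guardFee split.
from dataclasses import dataclass, field
from typing import Callable

BPS = 10_000

class HardModeRevert(Exception):
    """A hard-mode module flagged a threat, so the whole operation is rejected."""

@dataclass
class Module:
    name: str
    assess: Callable[[str, int], int]  # (op, amount) -> threat severity 0..100
    hard_mode: bool = False            # per-spoke hard/soft toggle from the proposal
    punitive_bps: int = 100            # fee at full severity, in BPS of amount (assumed)

@dataclass
class Router:
    modules: list = field(default_factory=list)
    protocol_fee_bps: int = 5          # proposal default: 5 BPS = 0.05%
    protocol_share_bps: int = 5_000    # proposal default: 50% of punitive fees to treasury
    treasury: int = 0
    reserves: int = 0

    def route(self, op: str, amount: int) -> int:
        """Run pre-operation checks, split fees, and return the amount forwarded to the spoke."""
        protocol_fee = amount * self.protocol_fee_bps // BPS
        guard_fee = 0
        for m in self.modules:  # stands in for the router's delegatecall loop
            severity = max(0, min(100, m.assess(op, amount)))
            if severity == 0:
                continue
            if m.hard_mode:  # hard mode reverts instead of pricing the threat
                raise HardModeRevert(f"{m.name} blocked {op}")
            guard_fee += amount * m.punitive_bps * severity // (BPS * 100)  # soft mode
        to_treasury = guard_fee * self.protocol_share_bps // BPS
        self.treasury += protocol_fee + to_treasury
        self.reserves += guard_fee - to_treasury
        return amount - protocol_fee - guard_fee

# Constructed sample modules: a dust-liquidation guard (hard) and a whale rate limit (soft).
def dust_guard(op: str, amount: int, min_amount: int = 1_000) -> int:
    return 100 if op == "liquidate" and amount < min_amount else 0
def whale_guard(op: str, amount: int, limit: int = 1_000_000) -> int:
    return min(100, (amount - limit) * 100 // limit) if amount > limit else 0
def demo_router() -> Router:
    return Router(modules=[Module("DustGuard", dust_guard, hard_mode=True),
                           Module("WhaleGuard", whale_guard)])
```

A normal supply pays only the 5 BPS protocol fee, an oversized borrow additionally pays a severity-scaled guard fee split 50/50 between treasury and reserves, and a dust liquidation is reverted outright by the hard-mode module.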