[Ethereum] AAVE v2 - Security Rating 5

Security Rating Level: 5
Evaluation Date: Mar 31st, 2021

1. History & Team (Weight 20%; Score 92)

1.1 Project age (8%; 80)
Launched on mainnet in 2020 Jan; alive for 15 months.
1.2 Past exploits (8%; 100)
Never been attacked
1.3 Team anonymity (2%; 100)
Team are public
1.4 Team experience in programming (2%; 100)
Full stack blockchain developer, started software engineering from 2011

2. Exposure (Weight 25%; Score 91.5)

2.1 Historical TVL (17.5%; 100)
Average market share in the past 4Q: 13.0%, 12.2%, 12.7%, 10.9%
Data collected from Aave | Stats, Charts and Guide | DeFi Pulse
2.2 Industry segment (5%; 75)
AAVE is a lending protocol (flashloan allowed)
2.3 Infrastructure (2.5%; 65)
Uses a single decentralised oracle to feed prices; no sanity check

3. Audit (Weight 35%; Score 92)

Audit report available on: Security & Audits - Developers
3.1 Transparency and scope (14%; 100)
Full scope audit done, and report is public
3.2 Audit firm trust score (10.5%; 100)
Audited by MixBytes, PeckShield, Certik and Consensys Diligence, Tier 1 audit firms
3.3 Audit findings (10.5%; 40)
Critical issues found in audit, but all fixed by team
3.4 Other credits (up to additive 5.25%; 10)
Core smart contracts audited by multiple firms, Formal verification done

4. Code quality (Weight 15%; Score 90)

Repository on github: GitHub - aave/protocol-v2: Aave Protocol V2
4.1 Documentation
Good documentation, clear comments and traceability
4.2 Test
Test done but code coverage not visible

5. Developer community (Weight 5%; Score 88)

5.1 Bug bounty program (3.5%; 100)
Exists. Reward up to $250,000
5.2 Issues raised on Github (1.5%; 60)
3 issues raised on github repository

The N-SCOSS for Compound is 91.375, level 5

AAVE v2 retained its security level of 5, as re-evaluated on 2021 December 20th.

No hack happened after the last evaluation. From March to December, AAVE's market share dropped from ~12% to ~8%, resulting in a score decrease in pillar 2. Meanwhile, developer activity has obviously increased, as indicated by the number of issues raised in the repository, hence an increase in the score of pillar 5.

Overall AAVE v2 proved its stability and security in the past 9 months and remains one of the most secure protocols.

Below are the details of updated rating for AAVE v2 based on data up to 2021 December 20th.


Security Rating Level: 5
Evaluation Date: Dec 20th, 2021

1. History & Team (Weight 20%; Score 92)

1.1 Project age (8%; 80)
Launched on mainnet in 2020 Dec; alive for 13 months.
(Note that in the first post I mistakenly took the launch month as 2020 Jan, which was the AAVE v1 launch month. This error made the final score 2.4 points higher than it should have been, but had no impact on the security level, i.e. the rating would still be at level 5 if the correct project age had been adopted.)
1.2 Past exploits (8%; 100)
Was not attacked in the past 12 months
1.3 Team anonymity (2%; 100)
Team are public
1.4 Team experience in programming (2%; 100)
Full stack blockchain developer, started software engineering from 2011

2. Exposure (Weight 25%; Score 84.2)

2.1 Historical TVL (17.5%; 86)
Average market share in the past 4Q: 7.4%, 8.7%, 8.7%, 8.7%
Data collected from Aave Protocol: TVL and stats - DefiLlama
2.2 Industry segment (5%; 75)
AAVE is a lending protocol (flashloan allowed)
2.3 Infrastructure (2.5%; 90)
First check for a price from a Chainlink aggregator (decentralized oracle). If the price is below or equal to zero, we call our fallback price oracle. The fallback price oracle is currently maintained by the Aave team. Sanity check exists.

3. Audit (Weight 35%; Score 97)

Audit report available on: Security & Audits - Developers
3.1 Transparency and scope (14%; 100)
Full scope audit done, and report is public
3.2 Audit firm trust score (10.5%; 100)
Audited by MixBytes, PeckShield, Certik, Consensys Diligence and SigmaPrime, Tier 1 audit firms
3.3 Audit findings (10.5%; 40)
Critical issues found in audit, but all fixed by team
3.4 Other credits (up to additive 5.25%; 15)
Core smart contracts audited by multiple firms. Formal verification done. Audit conducted before deployment.

4. Code quality (Weight 15%; Score 90)

Repository on github: GitHub - aave/protocol-v2: Aave Protocol V2
4.1 Documentation
Good documentation, clear comments and traceability
4.2 Test
Test done but code coverage not visible

5. Developer community (Weight 5%; Score 100)

5.1 Bug bounty program (3.5%; 100)
Exists. Reward up to $250,000
5.2 Issues raised on Github (1.5%; 100)
91 issues raised on github repository
(Note that the count of the number of issues was different from the last evaluation, changing from counting open issues only to counting open + closed issues. This adjustment is to better reflect all historical discussion in the GitHub repository and hence give a more precise measure of developer activity.)

The N-SCOSS for Compound is 91.9, level 5
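
The price lookup described under 2.3 in the two evaluations, as an added sketch that is not part of the original post and not Aave's contract code: the March description (single feed, no sanity check) beside the December description (fallback when the primary answer is zero or negative). Feed names, prices and the error raised when both sources fail are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict

# All names are hypothetical; prices are constructed integers, not market data.
PriceFeed = Callable[[str], int]


@dataclass
class Resolved:
    price: int
    source: str  # "primary" or "fallback"; worth logging and alerting on


def price_without_check(primary: PriceFeed, asset: str) -> int:
    """Single source, no sanity check: whatever the feed answers is used."""
    return primary(asset)


def price_with_fallback(primary: PriceFeed, fallback: PriceFeed, asset: str) -> Resolved:
    """Use the primary answer unless it is <= 0, then ask the fallback feed."""
    answer = primary(asset)
    if answer > 0:
        return Resolved(answer, "primary")
    backup = fallback(asset)
    if backup <= 0:
        # Assumption of this sketch: the page does not say what happens when
        # the fallback also fails, so refuse instead of pricing at zero.
        raise ValueError(f"no usable price for {asset}")
    return Resolved(backup, "fallback")


def make_feed(table: Dict[str, int]) -> PriceFeed:
    """Build a constructed feed; unknown assets answer 0, like a dead feed."""
    return lambda asset: table.get(asset, 0)


# Constructed sample feeds (8 implied decimals).
HEALTHY = make_feed({"ASSET_A": 2_000_00000000})
DEAD = make_feed({"ASSET_A": 0})
NEGATIVE = make_feed({"ASSET_A": -1})
FALLBACK = make_feed({"ASSET_A": 1_990_00000000})

if __name__ == "__main__":
    print("no check, dead feed:", price_without_check(DEAD, "ASSET_A"))
    for name, feed in [("healthy", HEALTHY), ("dead", DEAD), ("negative", NEGATIVE)]:
        print(name, price_with_fallback(feed, FALLBACK, "ASSET_A"))
```

The check in this sketch rejects only non-positive answers, so a positive but incorrect primary answer is still returned as is.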