Aave Secures BGD Labs as External Security Advisor Through May

Aave DAO has approved a two-month, $200,000 security advisory agreement with BGD Labs to provide incident-response support through May. The arrangement maintains institutional expertise while BGD transitions away from core protocol development roles.

The Aave DAO is moving forward with a governance proposal to establish a temporary security advisory arrangement with BGD Labs, the development firm that previously led protocol engineering efforts. Under the proposed two-month engagement spanning April and May, BGD will serve as an external consultant to assist the core team during potential security incidents, marking a structured transition as the organization shifts toward decentralized leadership.

This arrangement reflects a nuanced understanding of risk management during organizational transition. Rather than severing ties entirely, Aave has elected to retain access to the institutional knowledge and incident-response expertise that BGD accumulated while stewarding the protocol's architecture. The engagement is deliberately scoped to high-severity vulnerabilities affecting core systems—excluding GHO and the forthcoming Aave v4—and positions BGD purely as an advisory entity rather than a decision-making authority. This distinction is critical: the firm will not own the security workflow or incident response process, but instead provide guidance to whichever team (likely Aave Labs) assumes primary responsibility. The $200,000 cost for this limited engagement reflects a pragmatic insurance premium rather than an ongoing operational expense.

The proposal's structure demonstrates maturity in how blockchain protocols approach critical dependencies. By formalizing the arrangement through on-chain governance, Aave creates transparency around costs and scope while avoiding the friction that can emerge from informal handoff periods. Notably, BGD indicated willingness to participate in the Protocol Guardian framework, suggesting the organization is exploring diverse models for security oversight rather than concentrating authority. The retroactive operative date—treating the engagement as active immediately—acknowledges the practical reality that security incidents don't wait for governance voting cycles to conclude, a pragmatic approach that other protocols have subsequently adopted.

This engagement represents a broader pattern in mature DeFi infrastructure: projects increasingly recognize that security requires sustained expertise, not merely periodic audits. As Aave continues scaling governance decentralization while managing protocol complexity, arrangements like this temporary retainer provide optionality during critical transitions.