How Does Aave V2 Work?

Lending|Risk B-|7 mechanisms|5 interactions

Aave V2 is the legacy version of the world's largest lending protocol. While Aave V3 has taken over as the primary deployment with advanced features, V2 still holds roughly $136 million in deposits across Ethereum, Polygon, and Avalanche. The departure of major governance contributors ACI and BGD Labs in early 2026 further reduces oversight of legacy deployments. Users with remaining V2 positions should actively plan migration to V3.

TVL

$122M

Sector

Lending

Risk Grade

B-

Value Grade

B

Core Mechanisms

Lending/Pool-Based

Overcollateralized lending pools with variable and stable rate modes

Original Aave lending pool model from 2020. Established pattern with years of battle-testing but lacks V3 improvements like efficiency mode and isolation mode.

Oracle/Multi-Source

Chainlink price feeds with fallback oracle configuration

Standard Chainlink oracle integration. V2 oracle architecture is less flexible than V3's configurable oracle sources per asset.

Risk-Management/Liquidation

Automated liquidation with fixed close factor and liquidation bonus

Standard liquidation mechanism. V2 lacks V3's configurable close factors and improved liquidation efficiency.

Governance/DAO

AAVE token governance with on-chain execution

Shared governance with V3. ACI (which drove 61% of governance actions) and BGD Labs exited in March 2026, further reducing V2-specific governance capacity. Parameter changes for V2 markets must compete for dwindling governance bandwidth.

Staking/Safety-Module

stkAAVE safety module as protocol backstop

Shared safety module covers both V2 and V3 shortfall events. Safety module backstop is shared across an increasingly large TVL base.

Lending/Flash-Loans

Uncollateralized single-transaction flash loans from V2 pools

Original flash loan implementation. Pioneered by Aave in 2020. Standard feature across DeFi.

Cross-Chain/Multi-Deployment

V2 markets on Ethereum, Polygon, and Avalanche

Legacy deployments remain active on multiple chains. Aave DAO is actively sunsetting economically unviable deployments as part of V4 consolidation strategy.

How the Pieces Interact

Legacy V2 codebaseGovernance resource allocationHigh

As governance focus shifts to V3 and V4 development — compounded by the departure of ACI and BGD Labs in early 2026 — V2 markets receive even less frequent risk parameter updates. Stale risk parameters may not reflect current market conditions for remaining V2 assets.

V2 stable rate modeInterest rate model agingHigh

V2's stable rate mode has known inefficiencies that were removed in V3. Users borrowing at stable rates may create economic imbalances in V2 pools that are no longer being optimized.

Chainlink oracle feedsLow-liquidity V2 marketsMedium

As liquidity migrates to V3, remaining V2 markets may have thin order books. Oracle price feeds reflecting broader market prices may not align with V2-specific liquidity, increasing bad debt risk during liquidation cascades.

Safety module shared backstopV2 and V3 concurrent exposureMedium

The stkAAVE safety module backs both V2 and V3. A shortfall event in either version draws from the same insurance pool, potentially leaving the other version underprotected.

Flash loansV2 pool manipulationMedium

Lower V2 liquidity makes flash-loan-based price manipulation attacks more feasible than on V3's deeper markets.

What Could Go Wrong

  1. Aave V2 is a legacy deployment with active migration to V3/V4. Governance attention and security patches prioritize newer versions, leaving V2 with slower response times to emerging threats — worsened by the March 2026 exit of ACI (61% of governance actions) and BGD Labs from the DAO.
  2. November 2023 security incident affected V2 markets across multiple chains, requiring emergency asset freezes. While no funds were lost, the vulnerability pattern demonstrates V2's aging codebase risk.
  3. At $136M remaining TVL, V2 still holds substantial user funds in deprecated markets where interest rate models and risk parameters receive less frequent governance updates — with V4 launch focus consuming remaining DAO capacity.

Legacy Codebase Exploit During Migration Limbo

Moderate

Trigger: A new vulnerability is discovered in V2 smart contracts while $100M+ remains in unmigrated V2 markets, and governance response is further delayed by the departure of major contributors ACI and BGD Labs

  1. 1.Critical vulnerability discovered in V2 lending pool contracts V2 markets are frozen for emergency review, but exploit window exists before governance can execute emergency proposal
  2. 2.Attacker exploits vulnerability before freeze takes effect on all chains Funds drained from V2 pools on one or more chains, similar to November 2023 incident pattern but with actual fund loss
  3. 3.Safety module activated to cover V2 shortfall stkAAVE slashed to cover V2 losses, reducing backstop for the much larger V3 deployment
  4. 4.V3 depositors panic-withdraw fearing safety module depletion Liquidity crisis spreads from V2 to V3 as shared safety infrastructure is stressed
See all 2 collapse scenarios in the full risk report →

Risk Profile at a Glance

Mechanism Novelty0/15
Interaction Severity8/20
Oracle Surface3/10
Documentation Gaps2/10
Track Record7/15
Scale Exposure7/10
Regulatory Risk2/10
Vitality Risk6/10
B-

Overall: B- (35/100)

Lower score = safer

More on Aave V2

Is Aave V2 Safe?

Safety analysis

Is Aave V2 a Good Investment?

Value analysis

Full Risk Report

All mechanisms & interactions

Related Lending Explainers

How Does Tapioca Work?D+How Does Abracadabra Work?D+How Does Radiant Capital Work?D+How Does YieldBlox Work?D+How Does Maple Finance Work?C-