An Aave V3 fork with a self-repaying-loan mechanic funded by locked governance tokens — its pre-launch audits caught a critical bug in exactly that mechanism before it shipped.
Neverland is a lending market forked from Aave V3, deployed natively on Monad, running 11 active reserves including WMON, WETH, AUSD, USDC, USDT0 and Monad's liquid-staking tokens (sMON, gMON, shMON). Users supply assets to earn interest or borrow against collateral using a standard health-factor and liquidation model, priced by Chainlink as the primary oracle with RedStone as a secondary check. On top of that sits a veTokenomics layer styled on Velodrome's ve(3,3) model: DUST, the protocol's token, is earned by supplying or borrowing and can be locked for up to roughly a year (or permanently) into a transferable "veDUST" NFT position for governance power and a share of protocol revenue. A "self-repay" feature routes that veDUST reward stream through a per-user vault that swaps rewards into the borrower's debt asset and auto-repays it, oracle-checked with capped slippage, non-custodial and toggleable at will. Contracts sit behind an upgradeable proxy pattern with a 24-hour timelock — a meaningfully different philosophy from Morpho Blue's immutable-forever markets, since Neverland's governance and admin keys retain the ability to alter logic over time.
Neverland's one public audit, by Composable Security, tested the protocol in July 2025 and found a critical issue in the early-withdraw function of its lock contract: the penalty calculation relied on a flash-loan-protection view that returns zero for any veDUST position transferred within the same block. An attacker could transfer their locked position to themselves or an accomplice and call the early-withdraw function in the same transaction — the penalty formula would evaluate to zero, letting them exit a locked position with the full balance and no penalty at all, completely bypassing the lock-commitment mechanism the entire tokenomics design depends on. The fix, confirmed in an August 2025 retest, switched the penalty calculation to a same-block-immune historical-balance view instead. That fix landed months before Monad's own mainnet launched in November 2025, and no evidence was found that the bug was ever live-exploitable. It's worth noting explicitly that the audit's scope covered only Neverland's custom code — the inherited Aave V3 and Velodrome-style logic was excluded, since that code is audited upstream by Aave and Velodrome themselves, not by Neverland. The auditor's own report recommended a follow-up second audit after the retest; no evidence of one having happened since was found.
As of July 2026, Neverland competes head-to-head on its own chain against Aave's genuine, native V3 deployment — backed directly by the Monad Foundation's $15M incentive program — a much sharper trust and track-record gap than "there's no Aave on Monad so a fork fills the gap." Against Morpho, live on Monad since November 2025, the contrast is architectural philosophy as much as track record: Morpho's minimal, immutable core keeps its own attack surface small by design, with no native value-capture layer; Neverland is a classic large pooled Aave-style market plus a substantial freshly-written custom layer — precisely the layer where the one audit found its critical bug, since the inherited Aave and Velodrome code was out of scope. That's the concrete evidence for a larger attack surface than either stock Aave or Morpho's minimal core carries. Against TownSquare, Reservoir and Folks Finance, Neverland's differentiator (ve-tokenomics plus self-repay automation) is orthogonal to their respective bets on RWA collateral, position isolation and cross-chain liquidity — different problems, not a head-to-head feature comparison.
Neverland is Monad-only and has been tracked since shortly after mainnet launch. It's meaningfully sized relative to other Monad-native lending protocols, and DUST trades with a circulating market cap that's a small fraction of its fully diluted value — a large future unlock and emissions overhang worth being aware of if evaluating the token specifically rather than just the lending product.
Single-audit exposure is the headline risk: only one public audit exists, its own auditor recommended a follow-up that doesn't appear to have happened, and the upgradeable (not immutable) proxy pattern concentrates real trust in whoever holds the admin and governance keys behind the 24-hour timelock. Self-repaying loans and the protocol's own "automated looping" marketing explicitly encourage leverage into lower-liquidity pools, which combined with Monad's still-thin overall liquidity raises the risk of cascading liquidations in a stress event. Separately, Neverland's own documentation carries an internal inconsistency worth flagging: two different pages state different early-unlock penalty caps for veDUST (50% versus 75%) — a small thing, but a sign the docs haven't been fully reconciled since the audit.
Note: The DUST token's large gap between circulating and fully diluted value is a real overhang — future unlocks or emissions could pressure price and, by extension, the incentives that make self-repay attractive.
The lending pool, rate engine and liquidation logic are a direct Aave V3 fork, but the veDUST tokenomics and self-repay automation are entirely custom, freshly-written code — and that custom layer is exactly what the one public audit reviewed, since the inherited Aave code is audited upstream by Aave itself.
A critical bug let users transfer their veDUST position and call the early-withdraw function in the same block, exploiting a flash-loan-protection check to zero out the early-exit penalty entirely. It was caught in a July 2025 audit and confirmed fixed by August 2025 — months before Monad mainnet launched — with no public evidence it was ever live-exploited.
It's a yield-redirect design: veDUST rewards automatically swap into your debt asset and pay it down over time. It illustrates how much custom logic that convenience depends on — the same audit that found the critical unlock bug also found other, now-fixed reward-accounting issues in the same self-repay system.
Sources: Neverland Documentation, Neverland — Composable Security audit summary, Loan self-repayment system — Neverland Docs, Smart contracts — Neverland Docs
Last reviewed 2026-07-08. More Monad research.
Monad DeFi board · Markets · Swap on NullTerminal