Aave's protocol is 100% upgradeable via an admin key that is owned by an Aragon DAO. The DAO has 5 members and can approve admin key transactions with 3 "Yes" votes on a proposal. The key is capable of making sweeping changes to the protocol.

Is the security of user funds dependent on opsec of admin key?

Yes ⚠️

Current Admin Key Config

Timelock: None ⚠️ Multisig: 3-of-5 (via Aragon DAO)

Claimed Admin Key OpSec

"DAO voting keys in cold storage"

Verified Admin Key OpSec

Unverifiable ⚠️

Admin Key Address

(This is Aave's Aragon DAO contract.) https://etherscan.io/address/0xcd8393b5b0ec5ab8dad4e648f709be6bac11874d

More Info & Documentation

Open Zeppelin Audit Summary Aave Security Report