Aave Dev Report

Ernesto Boado
Published in Aave Blog
Mar 2, 2020

2 weeks later… we’ve got updates!

Valentine’s day marked the starting point for a series of attacks based on Flash Loans, putting them in DeFi’s spotlight (more details here).

Flash Loans going mainstream led to understandable concerns about the potential weak points, Flash Loan-wise, in the highly interconnected DeFi smart contract ecosystem.

As the first protocol to include Flash Loans as one of its basic features, Aave predicted the potential troubles of Flash Loans interacting with other decentralized systems. Due to that, we made very conservative decisions concerning our implementation:

  • Our LendingPool contract, through which all the basic interactions are executed (deposit, borrow, the Flash Loan itself, …), is completely covered by OpenZeppelin’s ReentrancyGuard. This means that if somebody takes a Flash Loan using the funds available in the protocol, no further interactions with the protocol can be made within that transaction. We realized back in the day that this total protection could be over-restrictive, as in some cases certain actions could be allowed under more specific restrictions. However, taking into account the complexity of potential attacks and the severe consequences for the protocol, we followed the most conservative approach.
  • The post-validation on Flash Loans on Aave’s LendingPool is the strictest possible, not the most general: if you flash borrow X funds of asset Y, at the end of the transaction the funds on the protocol need to include these X funds of asset Y plus the corresponding depositors’ yield. We are working on generalizations of this approach, but they will be introduced only after an extensive security evaluation.
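The two decisions above can be seen together in a minimal pool. This is an added example, not Aave's LendingPool code: the contract, the interface names, the callback and the fee constant are all hypothetical, and it targets Solidity 0.8.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Aave's LendingPool. All names are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IFlashBorrower {
    function onFlashLoan(address asset, uint256 amount, uint256 fee) external;
}

contract GuardedFlashPool {
    uint256 public constant FEE_BPS = 10; // assumed fee in basis points
    bool private locked;
    mapping(address => mapping(address => uint256)) public deposits; // asset => user

    // One shared lock for every entry point, the idea behind ReentrancyGuard.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // Called from inside onFlashLoan, this reverts on the shared lock.
    function deposit(address asset, uint256 amount) external nonReentrant {
        deposits[asset][msg.sender] += amount;
        require(IERC20(asset).transferFrom(msg.sender, address(this), amount), "pull failed");
    }

    function flashLoan(address asset, uint256 amount, IFlashBorrower receiver)
        external
        nonReentrant
    {
        IERC20 token = IERC20(asset);
        uint256 balanceBefore = token.balanceOf(address(this));
        require(amount <= balanceBefore, "insufficient liquidity");
        uint256 fee = (amount * FEE_BPS) / 10000;

        require(token.transfer(address(receiver), amount), "send failed");
        receiver.onFlashLoan(asset, amount, fee);

        // Strict post-validation: the borrowed asset itself must be back, plus the fee.
        require(token.balanceOf(address(this)) >= balanceBefore + fee, "not repaid");
    }
}
```

Because the lock is shared, a borrower callback that calls `deposit` or `flashLoan` again reverts the whole transaction, and repayment in any asset other than the borrowed one fails the final balance check.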

Regarding the first attack on the bZx platform (bug aside), our Flash Loan feature is not subject to oracle manipulation within the Flash Loan transaction, as the price updates occur in a de-synchronized fashion relative to the protocol itself.

Putting security first, we really believe that Flash Loans will change the DeFi and Ethereum ecosystem for good, as the pros outweigh the cons (more can be read here), so we will continue to improve and develop the Flash features of the protocol.

Some Aave Protocol numbers

Flash loans aside, and with a lifetime of nearly two months, the protocol continues to steadily grow:

  • As of today, the Market Size of the protocol is 27.4 Million USD
  • … of which Total Value Locked (TVL) is 21 Million USD
  • … and 6.3 Million USD in borrowed assets.
  • LINK (11.3 Million USD), USDT (5 Million USD) and ETH (4.1 Million USD) are the assets with the highest amount locked.
  • USDT (3.5 Million USD), TUSD (~920 000 USD) and DAI (~900 000 USD) are the most borrowed assets.

On the integrations side, MyEtherWallet did an amazing job integrating the protocol in their client application, 1x.ag created their system based on Aave’s Flash Loans and new educational resources from the community are appearing (special mention to this flash loan starter kit).

Known issues and bug fixes

The changes on the smart contracts layer since the last Dev Report have been:

  • Issue #1. Vulnerability in fallback oracle. As we announced previously, the Aave protocol uses prices provided by the Chainlink Oracle system. At the same time, as a backup, the Aave team runs a centralized oracle based on medianization from multiple price sources, to be used only in the case of a Chainlink aggregator submitting completely wrong prices. A vulnerability was discovered in that fallback oracle by a bug bounty participant, so we have fixed it and replaced the address of the fallback oracle in our ChainlinkProxyPriceProvider. The new fallback oracle can be found here.
  • Issue #2. TUSD fix on TokenDistributor. Currently, part of the fees taken on the protocol go to a contract called TokenDistributor, which anybody can call in order to swap the accumulated fees in the different assets to the Aave token (LEND) through Kyber and burn it. Due to some legacy reasons in the TUSD smart contracts architecture, the trade of this particular asset through Kyber needs to be done in a different way, so we replaced the implementation of our contract in order to handle this special case. The new implementation can be found here.
  • Issue #3. Change of the ETH transfer method to TokenDistributor to a low-level CALL. As the TokenDistributor has been covered by a proxy, the usage of transfer() in the function transferFlashLoanProtocolFeeInternal on the LendingPoolCore contract fails after the Istanbul fork. In order to fix it, we just replaced this transfer() with a low-level CALL instruction. You can check the old implementation here and the new here.
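The pattern behind Issue #3, as an added example rather than the LendingPoolCore code itself: the contract and function names are hypothetical, the syntax is Solidity 0.8, and the gas explanation in the comments is the general reason transfer() to a proxy breaks after Istanbul, not a statement taken from the Aave contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Aave's LendingPoolCore. All names are hypothetical.
contract FeeForwarder {
    address payable public immutable feeCollector; // assumed to sit behind a proxy

    constructor(address payable collector) {
        feeCollector = collector;
    }

    receive() external payable {}

    // Before: transfer() forwards a fixed 2300 gas stipend. A proxy fallback that
    // loads its implementation address from storage and then delegatecalls needs
    // more than that once SLOAD costs 800 gas (EIP-1884, Istanbul), so this reverts.
    function forwardFeeWithTransfer(uint256 amount) external {
        feeCollector.transfer(amount);
    }

    // After: a low-level CALL forwards the remaining gas. It returns false
    // instead of reverting on failure, so the result must be checked.
    function forwardFeeWithCall(uint256 amount) external {
        (bool success, ) = feeCollector.call{value: amount}("");
        require(success, "fee transfer failed");
    }
}
```

Since CALL hands the recipient all remaining gas, the recipient can execute arbitrary code; the pattern fits a fixed, protocol-controlled recipient and belongs after any state updates in the calling function.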

Concerning the client application of the Aave protocol:

  • We have added the header X-Frame-Options: DENY in the requests from the client to protect against potential click-jacking attacks.
  • Due to multiple requests from users and in order to be more transparent, we have added the origination fee on the confirmation screen when borrowing.
  • We have added a risk bar on the borrow screens, showing how risky it is to borrow the currently selected amount.

As always, if you want to be up to date with the latest news related to Aave, please join our telegram and discord channel, and follow us on twitter and facebook. Don’t miss the next Dev report in two weeks!
