Aave Security Report

Let’s talk security in our new biweekly report!

It’s been two weeks since the launch of Aave protocol and the response has been amazing. The protocol already has a Total Value Locked (TVL) of 4.1 Million USD, and there has been increasing interest around our new aTokens and Flash Loans! We are proud of what has been achieved so far, and we want this to be the beginning of a great story. But, as a famous fictional character (Spiderman’s Uncle Ben) once said, “With great power comes great responsibility”. As the total liquidity in the protocol keeps growing, we need to be increasingly cautious about security procedures, ensuring that the protocol matches the highest quality standards. Thus, we are starting a biweekly series of reports in which we will talk about security, how the protocol evolves, our actions to ensure that users and funds are safe, updates about the governance of the protocol and, more generally, everything concerning security on Ethereum.

Aave protocol: A quick recap

Loads of positive vibes since the launch on Jan. 8th. The TVL and the borrow volume is skyrocketing, while aTokens and flash loans are being integrated in multiple platforms. As for today, the data looks amazing:

1. 4.1 M USD in assets deposited
2. 1.5M USD in assets borrowed
3. 12K USD in Flash Loans issued
4. aDAI and other aTokens integrated in ParaSwap and 1inch.exchange

We expect to keep this growth rate in the upcoming weeks, and more integrations are coming!

Governance

As stated in the Aave protocol launch article, Aave is currently keeping the ownership of the contracts. There are two main reasons for this choice:

1. Although the protocol has been thoroughly tested and audited, replicating real life usage conditions is almost impossible. We believe that being able to react as quickly as possible in case any unexpected behavior should arise is mandatory in these early days after the release.
2. The first revision of the governance is currently being audited and we expect to be able to fully migrate to a governance based ownership within the next 5 weeks.

In the meantime, the ownership of the protocol has been migrated immediately after the release to an Aragon DAO, where the voting power is fragmented between the members of the Aave team, in order to avoid non-peer-reviewed decisions or internal attacks. Currently, to make any change on the protocol, both economical/operative parameters and/or smart contract pieces of logic, it’s necessary to go through a voting process where 3 out of 5 members of the team holding 1 voting token each need to support the change. As soon as the audit is finished, the control of the system will be transferred to the first version of the Aave governance based on the LEND token. This model will be publicly communicated in advance.

Risks assessment

These two weeks have been also characterized by extremely high volatility in the market. Some tokens that are listed on our platform have been particularly affected. As a result, the risk assessment team made the following decision:

1. Reduce the (Augur) REP Loan To Value from 60% to 35% (which means that the minimum overcollateralization went from 166% to 235%)
2. Same happened to the LEND token, which has been extremely volatile in the last two weeks. The Loan to Value has been dropped from 60% to 40%.

Bug bounty

We also launched our bug bounty program! The program is designed to encourage the community to help us secure the protocol, and the prizes are up to $25.000USD.

Known issues and bug fixes

After two weeks of intensive use, three issues have been reported in Aave protocol that we are now evaluating as per our bug bounty program. A full disclosure of the issues follows. None of these issues have had impacts on the funds, users or the internal state of the protocol.

Issue #1 — Incorrect (lower) calculation of the collateral returned to a liquidator (priority: High, fixed immediately). On Jan 19 2020, a liquidator contacted us notifying that he received an incorrect (lower than expected) amount of collateral after a liquidation. We immediately halted the liquidation process to investigate the issue.
The following actions have been performed:

• review of the issue and the whole state of the protocol
• evaluate the impact on the borrower and the liquidator
• find and apply a fix for the unexpected behavior

In the process we identified a wrong configuration of the USDT reserve that caused a miscalculation on the equivalent collateral that should have been returned to the liquidator.
As a result:

• The liquidator had received less collateral than expected.
• The borrower had his loan partially repaid, and his health factor back to safety.

As a consequence of that, we:

• Applied a fix to the liquidation process by replacing the LendingPoolLiquidationManager contract. The new instance can be found at 0x31cceeb1fA3DbEAf7baaD25125b972A17624A40a.
• Issued a refund to the liquidator for the principal lost.
• Evaluated the issue as per our bug bounty program https://aave.com/bug-bounty

No actions on the borrower were taken.

The review of the protocol highlighted that:

• The state of the protocol is perfectly consistent with everything that has happened so far, and no further actions are needed.
• All the previous liquidations have been analyzed, and no issues were highlighted.
• The funds and the users are safe.
• All the other aspects of the protocol are working as expected.
• No undercollateralized loans that required liquidation were found while the liquidation process was halted.

Issue #2 — Unable to repay a loan on behalf of the borrower, if there is a certain ratio between fees and borrowed amount (priority: LOW). A user reported impossibility of repaying a loan on behalf of the borrower, if a certain ratio between the fees and the borrow balance of the user exists. We classified this issue as low priority, and we will fix it in the next planned protocol update.

Issue #3 — Incorrect configuration of the Kyber burner contract (priority: LOW). As the burner contract uses the KyberProxy smart contract to buy and burn the LEND token using the collected fees, an incorrect configuration for the mainnet version of the KyberBurner was found, that doesn’t allow the burner to swap ERC20 tokens for the LEND token. This misconfiguration does not affect the swap and burning of ETH. We will proceed to update the TokenDistributor contract in the next few days, and at the same time improve the burning function so that it can be easily called by anybody in the community.

That’s it. It has been two crazy weeks, but we are super excited. As always, if you want to be up to date with the latest news related to Aave, please join our telegram and discord channel, and follow us on twitter and facebook. Don’t miss the next security report in two weeks!