Bug Bounty Up To $250,000 USD
We’re back with a quick security update for Aave Protocol. Last week we introduced a new money market to Aave Protocol: the Uniswap Market, where Uniswap liquidity providers can borrow against their Uniswap liquidity provider (UNI) tokens. When adding a new market, security and risk are always the first things to consider, and we are constantly auditing our code and improving Aave Protocol to meet the highest security standards. As more markets are added, the stakes only get higher. This blog post sheds some light on our most recent security work, as well as our revised Bug Bounty scheme (hint: the reward for finding critical vulnerabilities is higher than ever!).
Bug Bounty Revamped, Partnership with Consensys Diligence
The growth of Aave has been amazing, surpassing $100 million in assets under management in less than 6 months. This of course puts great pressure on the team to guarantee the security of the funds. We have been periodically reviewing our codebase internally since launch and have been very cautious about changing anything in the core contracts, with changes limited to interest rate model adjustments and risk parameter configuration. Moreover, immediately after launch we entered a long-term partnership with Consensys Diligence, one of the top security auditors in the Ethereum ecosystem. Since then, the Aave team and Consensys have held weekly meetings focused on smart contract security, development and best practices. Consensys is currently focused on applying formal and runtime verification tools to the protocol, which complements the manual audits as an additional layer of assurance. So far no issues have been flagged, and a report is due in the upcoming weeks. The collaboration with Consensys Diligence has immensely helped Aave grow the security-focused culture that has driven us since the beginning, and their tooling will be an extremely important integration in the Aave development pipeline, improving safety and reliability.
“Since we began working with the Aave team earlier this year, I’ve been impressed by their commitment to security. The custom properties we’ve validated using fuzz testing not only provide useful assurances now but will be a valuable tool to prevent new bugs from creeping in as they work towards the next iteration of their protocol.” — John Mardlin, Security Engineer, Consensys Diligence
Still, with over $100 million AUM, we feel we can do even better. Since launching on mainnet, we have run an active bug bounty with prizes of up to $25,000. While we are extremely confident in the security of the Aave protocol, we understand that with this extremely fast growth, that might not be enough. So we decided to go 10x bigger: starting from today, any critical issue reported (please check our bounty page for details on how issues are classified) will be rewarded with a prize of $250,000. This is, to date, the highest bounty reward ever offered by a DeFi protocol.
Rewards are decided case by case, as this is an ongoing bug bounty program. Both the likelihood and the severity of a bug's impact determine the reward. We follow an approach similar to the Ethereum Foundation's in terms of bounty rules.
How do I hunt for bugs?
Dive into our developer documentation and whitepaper for details on our contract structure and methods. Then check our code for any bugs and vulnerabilities!
How do I report bugs?
To report any bugs, check the specific instructions on our bounty page!
An update on the Risk Framework and new markets
Last month our Risk team released a detailed Risk Framework for Aave Protocol, outlining how we assess new assets to be added to the protocol and the measures taken to ensure that the protocol always remains secure. With the release of the Uniswap Market, our Risk team added a detailed section for the new market and Uniswap pairs that come with it. You can find the Risk Assessment for the Uniswap Market here.
From the beginning, Aave Protocol has been built to support multiple, interconnected markets. When a market brings in assets that Aave Protocol has never supported before, the ability to price those assets correctly is critical to the security of the protocol: every collateral check and liquidation depends on that price. For UNI (Uniswap liquidity provider) tokens, a new contract was connected to the main source of prices in order to calculate the value of a UNI token in ETH at any given time, powered by our Chainlink price source. You can read more about these calculations and the risk and security considerations for the Uniswap Market in our blog post here. Our price discovery solution has been thoroughly audited by Consensys Diligence. You can find the full audit here.
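To make concrete why pricing a liquidity provider token is the security-critical step, here is an added, self-contained illustration (not Aave's contract, and not the formula described in the linked blog post or audit). It compares two ways of valuing one LP token of a constant-product pool in ETH from reference prices: the naive approach that values the current reserves directly, and the approach that derives the value from the pool invariant k = reserve0 * reserve1. The pool state, LP supply and the DAI/ETH reference price are constructed numbers; the token names and helper functions are hypothetical.

```python
from decimal import Decimal, getcontext

getcontext().prec = 40  # enough precision that the constructed examples are exact


def naive_lp_value(reserve0, reserve1, total_supply, price0_eth, price1_eth):
    """Value of one LP token in ETH, read straight off the pool's spot reserves.

    Values both reserves at the reference (Chainlink-style) ETH prices and
    divides by the LP token supply. This is only correct while the pool's
    reserves actually sit at the reference price ratio.
    """
    pool_value_eth = reserve0 * price0_eth + reserve1 * price1_eth
    return pool_value_eth / total_supply


def fair_lp_value(reserve0, reserve1, total_supply, price0_eth, price1_eth):
    """Value of one LP token in ETH derived from the pool invariant k = r0 * r1.

    For a constant-product pool, the reserves it would hold once arbitraged to
    the reference prices are sqrt(k * p1 / p0) and sqrt(k * p0 / p1); valuing
    those at p0 and p1 gives 2 * sqrt(k * p0 * p1). Since k is unchanged by a
    swap inside the pool (fees aside), a trade cannot move this value; only
    adding or removing liquidity can.
    """
    k = reserve0 * reserve1
    return 2 * (k * price0_eth * price1_eth).sqrt() / total_supply


def swap_in(reserve_in, reserve_out, amount_in):
    """Constant-product swap with no fee: returns the reserves after the trade."""
    k = reserve_in * reserve_out
    new_in = reserve_in + amount_in
    new_out = k / new_in
    return new_in, new_out


def demo():
    # Constructed DAI/ETH pool state (hypothetical numbers, not real Uniswap data):
    # 1,000,000 DAI and 2,500 ETH backing 50,000 LP tokens.
    reserve_dai = Decimal("1000000")
    reserve_eth = Decimal("2500")
    total_supply = Decimal("50000")
    # Assumed reference prices in ETH: 400 DAI per ETH, i.e. 1 DAI = 0.0025 ETH.
    price_dai_eth = Decimal("0.0025")
    price_eth_eth = Decimal("1")

    naive_before = naive_lp_value(reserve_dai, reserve_eth, total_supply,
                                  price_dai_eth, price_eth_eth)
    fair_before = fair_lp_value(reserve_dai, reserve_eth, total_supply,
                                price_dai_eth, price_eth_eth)

    # A single large swap (1,000,000 DAI sold into the pool) pushes the reserves
    # far from the reference price ratio without changing k.
    reserve_dai2, reserve_eth2 = swap_in(reserve_dai, reserve_eth, Decimal("1000000"))

    naive_after = naive_lp_value(reserve_dai2, reserve_eth2, total_supply,
                                 price_dai_eth, price_eth_eth)
    fair_after = fair_lp_value(reserve_dai2, reserve_eth2, total_supply,
                               price_dai_eth, price_eth_eth)

    return {
        "naive_before": naive_before,  # 0.1 ETH per LP token
        "naive_after": naive_after,    # 0.125 ETH: the swap inflated the naive value
        "fair_before": fair_before,    # 0.1 ETH
        "fair_after": fair_after,      # 0.1 ETH: unchanged by the swap
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the comparison is that a price feed for a derivative asset such as an LP token must not be something a borrower can move with a transaction in the same block; the reference prices for the underlying tokens come from an external source (Chainlink in Aave's case), and the LP token value is derived from those rather than from whatever state the pool happens to be in.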
Further security updates will be released shortly as we approach the release of Aave governance. The team is super excited for what is yet to come.
As always we deeply appreciate all your feedback, and we wish you happy hunting.
Feel free to drop us your questions and feedback in our Discord #bounties channel!