On November 4, the team behind Aave, a popular non-custodial liquidity protocol, shared with the X community the news of a recent vulnerability report. According to the Web3 security firm CertiK, the report was produced by white hats participating in the Aave bug bounty program. The report described a bug that was first classified as "a high vulnerability" and was later relabeled "critical."
Although the Aave developers claimed that "The Aave V3 markets on Ethereum, Base, and Metis, and the V2 markets on Polygon and Avalanche were unaffected," and no funds were at risk on any Aave markets, they decided to take several preventative measures to mitigate the possible risks.
The Aave V2 Ethereum Market was paused, as well as "certain assets on Aave V2 on Avalanche" and "certain assets on Aave V3 on Polygon, Arbitrum, Optimism."
The team plans to provide the Aave community with a governance proposal on the restoration of the protocol's operations. The developers also intend to post a detailed postmortem when "the issue is fully resolved."
As per the Aave team, at the time of publication, users who were supplying frozen assets or borrowing from them were still able to "withdraw and repay positions, but were not able to supply or borrow more until resolved." In the case of paused assets, no manipulations are possible until the assets are unpaused.
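The frozen/paused distinction the Aave team describes above, as an added example that is not from the article or from Aave's own code: a small Python decoder for a reserve configuration word that derives which user actions a reserve state still permits. It assumes Aave V3's flag bit positions (bit 56 active, bit 57 frozen, bit 60 paused), which the article does not give, and the configuration words are constructed rather than read from chain.

```python
# Added example (not from the article or the Aave project): decode the
# active / frozen / paused flags of a packed reserve configuration word and
# derive the user actions the reserve state permits, following the rule the
# article quotes (frozen: withdraw/repay only; paused: nothing).
#
# Assumption: bit positions follow Aave V3's ReserveConfiguration layout
# (bit 56 = active, bit 57 = frozen, bit 60 = paused). The config words
# below are constructed sample values, not on-chain data.

ACTIVE_BIT = 56
FROZEN_BIT = 57
PAUSED_BIT = 60

ACTIONS = ("supply", "borrow", "withdraw", "repay")


def decode_flags(config: int) -> dict:
    """Extract the three status flags from a packed uint256 config word."""
    return {
        "active": bool((config >> ACTIVE_BIT) & 1),
        "frozen": bool((config >> FROZEN_BIT) & 1),
        "paused": bool((config >> PAUSED_BIT) & 1),
    }


def permitted_actions(config: int) -> set:
    """Return the user actions a reserve in this state still allows."""
    flags = decode_flags(config)
    if not flags["active"] or flags["paused"]:
        return set()  # inactive or paused: no user action goes through
    if flags["frozen"]:
        return {"withdraw", "repay"}  # users may unwind, not add exposure
    return set(ACTIONS)


def set_bit(config: int, bit: int, on: bool = True) -> int:
    """Set or clear a single flag bit in a config word."""
    mask = 1 << bit
    return config | mask if on else config & ~mask


# Constructed samples: a normal active reserve, then frozen, then paused.
NORMAL = set_bit(0, ACTIVE_BIT)
FROZEN = set_bit(NORMAL, FROZEN_BIT)
PAUSED = set_bit(NORMAL, PAUSED_BIT)

if __name__ == "__main__":
    for name, cfg in (("normal", NORMAL), ("frozen", FROZEN), ("paused", PAUSED)):
        print(name, sorted(permitted_actions(cfg)))
```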
The news caused mixed reactions in the Aave community. On the one hand, many Aave users felt relieved knowing the vulnerability had been effectively detected before it was exploited by malicious actors. On the other hand, some Aave users complained about losing money due to the inability to use the paused funds.
For instance, X user River posted, "This issue is causing my borrowed USDC on Polygon V3 to cost me 35%. Not sure how long I can afford to wait for a fix; probably out in a few days, that is a tough rate to swallow." River referred to the sudden decline in the annual percentage yield (APY) on USDC on Polygon, which other X users, including Valholo and Eoin Diamond, also mentioned.
CertiK recommends not only the users of Aave but also users of all fork projects to "pay attention to the safety of their funds."
Aave bug bounty programs
At press time, the exact details of the security issues had not been revealed yet. The reward granted to the white hat who had found the critical vulnerability in Aave also remains unknown.
As per Immunefi, the leading blockchain bug bounty platform, Aave offers a maximum bounty of $1 million to white hats submitting bugs through this service.
"Aave provides rewards in a mix of AAVE and stablecoins," Immunefi explains, breaking down the potential rewards, which "are distributed according to the impact the vulnerability could otherwise cause."
Thus, white hats discovering critical smart contract bugs can receive at least $50,000 or 10% of the funds directly affected by the vulnerability, with a maximum reward of $1 million.
"For the impact 'Direct theft of any funds in the Aave Treasury,' which is considered as High, the reward amount is 10% of the funds directly affected, up to a maximum of $75,000," Immunefi states, adding that the minimum reward for discovering such a vulnerability is $10,000.
According to Immunefi, Aave caps the payout for repeatable attacks exploiting smart contract vulnerabilities by counting only the funds affected "within the first 45 minutes from the first attack, inclusive, no matter how many times the attack can be executed within that time frame."
While Aave’s bug bounty program available through Immunefi offers particularly high rewards, it is not the sole program provided by the protocol’s team.
For instance, on March 16, 2022, the developers announced on the protocol’s GitHub profile that community members would be able to submit reports of discovered vulnerabilities in the Aave Protocol V3, adding that "Rewards will be allocated based on the severity of the bug disclosed and evaluated and rewarded up to $250,000."
The disclosure of a vulnerability does not seem to affect the price of the AAVE coin. As per CoinMarketCap, after the recent lowest price the cryptocurrency had on October 31, when it was traded at $80.12, AAVE has been experiencing unsteady growth. Right after the news about the security issue, the token’s price was around $89, while at the time of publication, it surpassed $97.
In the meantime, Onyx, a cross-token liquidity market that has recently fallen prey to hackers, announced an AMA, which will be held by the DAO’s head, Alex, on November 8 at 16:00 UTC+0.
The protocol’s team has offered the Onyx community two possible solutions to mitigate the consequences of the hack, which caused the loss of nearly $2.1 million. Onyx’s users can either allow the use of the DAO’s treasury fund to compensate for the financial damage or vote for the acquisition of the Onyx protocol by Strike Finance, a DeFi-based money market.
Since many Onyx users object to both of these proposals, the protocol's team wants to give the community an opportunity to raise their questions. The AMA will be held before the proposals are put to a vote.