The Aave team asked us to review and audit a pre-production version of their protocol.
The Aave protocol is a decentralized on-chain lending platform based on a “pool strategy” (instead of peer-to-peer lending). Lenders become liquidity providers by depositing cryptocurrencies in a pool, from which borrowers take out loans after having placed enough collateral. Interest rates are calculated fully on-chain, algorithmically deduced from the state of the available pools. Novel features of the protocol include variable and stable-rate loans (with the possibility to switch between them) and flash loans – a type of loan taken and repaid in the same transaction.
The Aave team currently administers all aspects of the protocol, and is able to instantly upgrade several of its contracts. There are highly privileged accounts with enough power to change most of the protocol’s rules (without any opt-in or opt-out mechanisms), so their decisions can significantly affect the usefulness and safety of the system. Although the Aave team plans to grant these privileges to a governance system that will watch over the protocol in the near future, it is unclear whether a single externally owned account or a multisig wallet will represent these roles at the time of audit. For now, users must fully trust the Aave team with these privileged roles until the governance system is introduced.
The Aave protocol relies on two different oracles that feed rates and prices to the system, which were left out of the scope of the audit.
Summary of findings
During our audit of a pre-production version of the protocol, we detected a number of critical and high severity issues that have already been fixed by Aave. Some of the most interesting findings of our audit include:
- Any user could steal funds from the protocol
- Any borrower could avoid liquidation
- Deposits not marked as collateral could be liquidated
- Rogue borrowers could manipulate other accounts’ balances
- Anyone could disable the protocol’s flash loan feature
Since the Aave protocol is a DeFi project similar to Compound in its intention, we were also able to identify issues similar to those in our original Compound audit, such as counterproductive incentives in the liquidation process. As always, we also proposed additional changes throughout the code base to follow the industry’s best practices and reduce the project’s attack surface.
For more details about the project’s status and our findings, we encourage you to read the full audit report.