# Aave Fork Checklist

## Checklist

### General

- If you don't understand the Aave codebase, don't fork it [1]
- Common issues from Aave forks and how to mitigate them
  - List of Aave v3 issues reported on their bug bounty program
    - 1. Flash loan premium not passed correctly to the receiver
      - Mitigation: Fork from Aave's latest commit (v3.0.2)
    - 2. Misuse of the e-mode oracle feed after an asset is removed from e-mode
      - Mitigation: Do not enable e-mode
    - 3. Griefing risk with LTV0 and isolated collateral assets
      - Mitigation: Use pause instead of changing the asset to LTV0. Re-evaluate this issue when more assets are necessary
    - 4. Risk of price manipulation on GUNI USDC/USDT due to illiquidity
      - Mitigation: Carefully evaluate any borrow or supply tokens added
    - 5. Inconsistent amount on aToken transfer events
      - Mitigation: Fork from Aave's latest commit (v3.0.1)
    - 6. Stable rate mode bug
      - Mitigation: Disable stable rate
  - Forks
    - Hundred Finance (Compound fork)
      - Root cause: This vulnerability has existed in the Compound v2 code since its launch despite multiple audits. It presents itself when a market is launched with a collateral value in place but no depositors, or when a market becomes empty after launch because users withdraw.
      - Mitigation: Mint small cToken (or equivalent) amounts at market creation
    - Agave
      - Root cause: Both attacks share the same root cause: post-transfer hooks in non-standard ERC677 tokens, which enabled the reentrancy.
      - Mitigation: Audit L2 bridged tokens
    - Radiant Capital
      - Root cause:
        - It exploits a time window when a new market is activated in a lending market (forked from the popular Compound/Aave codebase). The exploitation also relies on a known rounding issue in the current Compound/Aave codebase. Specifically, the actor sniped the new USDC market deployment and exploited it 6 seconds after activation. [1, 2, 3, 4]
        - The attacker was the first to supply into this new USDC market and used that opportunity to manipulate the liquidityIndex, a key factor in determining aToken user balances, in order to borrow all the ETH
        - Mitigation: To mitigate this, Aave has a mandatory policy of depositing alongside any new listing. [1, 2]
    - Blizz Finance
      - Root cause: The Chainlink LUNA oracle became inaccurate during the Terra collapse
      - Mitigation: Choose strong borrow and collateral assets
- Others
  - Replay attacks around the reuse of digital signatures
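The Hundred Finance and Radiant entries above share one mechanism: in a Compound/Aave-style market the share price (exchange rate or liquidityIndex) is derived from underlying balance divided by shares outstanding, so while shares are near zero a single deposit or donation moves the price by an enormous factor, and rounding does the rest. The following Python model is an added example, not code from the page or from Aave/Compound; the `Market` dataclass, `INITIAL_EXCHANGE_RATE`, and the `pre_listing_check` threshold are assumptions chosen to illustrate why seeding a market at creation (the "mint small amounts" / "deposit alongside any new listing" mitigations) bounds the manipulation.

```python
from dataclasses import dataclass, replace
from fractions import Fraction

# Assumption: the rate a Compound-style market uses while it has no shares.
INITIAL_EXCHANGE_RATE = Fraction(1)


@dataclass(frozen=True)
class Market:
    """Simplified Compound/Aave-style reserve (assumed model, integer units)."""
    cash: int          # underlying tokens held by the market contract
    borrows: int       # underlying currently lent out
    reserves: int      # protocol-owned underlying, excluded from the share price
    total_supply: int  # cToken / aToken-style shares outstanding

    def exchange_rate(self) -> Fraction:
        # Underlying per share; with no shares the initial rate applies.
        if self.total_supply == 0:
            return INITIAL_EXCHANGE_RATE
        return Fraction(self.cash + self.borrows - self.reserves, self.total_supply)


def donation_factor(market: Market, donation: int) -> Fraction:
    """How many times the share price rises if `donation` underlying is sent
    straight to the market contract without minting shares."""
    before = market.exchange_rate()
    after = replace(market, cash=market.cash + donation).exchange_rate()
    return after / before


def seed_market(market: Market, seed_underlying: int) -> Market:
    """Mitigation: mint shares at creation so total_supply is never tiny.
    The deployer keeps or burns these shares; what matters is that they exist."""
    shares = int(Fraction(seed_underlying) / market.exchange_rate())
    return replace(market,
                   cash=market.cash + seed_underlying,
                   total_supply=market.total_supply + shares)


def pre_listing_check(market: Market, min_shares: int, probe_donation: int,
                      max_factor: int = 10) -> list:
    """Checks a reviewer can run before activating a reserve. Returns the
    list of findings; empty means the market passes. Thresholds are assumptions."""
    findings = []
    if market.total_supply < min_shares:
        findings.append(f"total_supply {market.total_supply} below seed floor {min_shares}")
    factor = donation_factor(market, probe_donation)
    if factor > max_factor:
        findings.append(f"a {probe_donation} donation moves the share price {float(factor):.3g}x")
    return findings


if __name__ == "__main__":
    # Constructed scenario: first depositor holds a single share.
    thin = Market(cash=1, borrows=0, reserves=0, total_supply=1)
    print("unseeded:", pre_listing_check(thin, min_shares=10**6, probe_donation=10**18))
    seeded = seed_market(Market(cash=0, borrows=0, reserves=0, total_supply=0), 10**18)
    print("seeded:  ", pre_listing_check(seeded, min_shares=10**6, probe_donation=10**18))
```

With one share outstanding a donation of 10^18 units multiplies the share price by roughly 10^18; with 10^18 seeded shares the same donation only doubles it, which is why the seed deposit, not an audit finding, is the control that closes this class.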
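For the last item, signature replay, the controls a permit-style verifier needs are a per-owner nonce that is consumed on use, a deadline, and a domain separator that binds the signature to one chain and one contract. The Python below is an added example, not code from the page or from Aave; it models those three checks only. An HMAC keyed with the owner's key stands in for ECDSA signing and address recovery (an assumption so the example runs offline), and the names `PermitVerifier`, `domain_separator`, and `permit_digest` are made up for the illustration.

```python
import hashlib
import hmac


def domain_separator(name: str, chain_id: int, verifying_contract: str) -> bytes:
    # Binds every signature to one deployment: the same contract address on
    # another chain, or another contract on this chain, gets a different separator.
    return hashlib.sha256(f"{name}|{chain_id}|{verifying_contract}".encode()).digest()


def permit_digest(domain: bytes, owner: str, spender: str, value: int,
                  nonce: int, deadline: int) -> bytes:
    # The nonce is part of what is signed, so a consumed signature cannot be reused.
    payload = f"{owner}|{spender}|{value}|{nonce}|{deadline}".encode()
    return hashlib.sha256(domain + payload).digest()


def sign(owner_key: bytes, digest: bytes) -> bytes:
    # Assumption: HMAC replaces ECDSA; only the replay-protection logic is modelled.
    return hmac.new(owner_key, digest, hashlib.sha256).digest()


class PermitVerifier:
    """Hypothetical on-chain verifier for one token deployment."""

    def __init__(self, name: str, chain_id: int, verifying_contract: str, owner_keys: dict):
        self.domain = domain_separator(name, chain_id, verifying_contract)
        self.owner_keys = owner_keys   # stands in for signer recovery
        self.nonces = {}               # owner -> next expected nonce

    def nonce_of(self, owner: str) -> int:
        return self.nonces.get(owner, 0)

    def permit(self, owner, spender, value, deadline, signature, now):
        if now > deadline:
            return False, "expired"
        nonce = self.nonce_of(owner)
        digest = permit_digest(self.domain, owner, spender, value, nonce, deadline)
        expected = sign(self.owner_keys[owner], digest)
        if not hmac.compare_digest(expected, signature):
            # Covers a wrong key, a wrong chain/contract, and a replayed (stale-nonce) signature.
            return False, "invalid signature"
        self.nonces[owner] = nonce + 1   # consume the nonce before approving
        return True, "ok"


def run_demo() -> dict:
    """Constructed scenario: Alice signs one permit; see where it is accepted."""
    keys = {"alice": b"alice-key"}
    mainnet = PermitVerifier("aToken", 1, "0xPOOL", keys)
    sidechain = PermitVerifier("aToken", 100, "0xPOOL", keys)   # same address, other chain
    deadline = 1_000
    digest = permit_digest(mainnet.domain, "alice", "bob", 50, mainnet.nonce_of("alice"), deadline)
    sig = sign(keys["alice"], digest)
    return {
        "first_use": mainnet.permit("alice", "bob", 50, deadline, sig, now=10),
        "replay": mainnet.permit("alice", "bob", 50, deadline, sig, now=11),
        "cross_chain": sidechain.permit("alice", "bob", 50, deadline, sig, now=12),
        "late": mainnet.permit("alice", "bob", 50, deadline, sig, now=2_000),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:12s} -> {result}")
```

Only the first use succeeds; the second attempt fails because the nonce moved, the sidechain attempt fails because its domain separator differs, and the late attempt fails on the deadline. An Aave fork that redeploys aTokens must keep the chain id and contract address in the separator (and must not reuse a separator cached at construction if the chain can fork), otherwise a signature collected on one deployment is valid on the other.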