Back to the list

Aave cooperates with forks following vulnerability

source-logo  blockworks.co 15 November 2023 16:32, UTC

DeFi lending protocol Aave is a popular candidate for “forking,” whereby developers take open-source code and launch a spinoff.

But when its bug bounty program unearthed a potential vulnerability in Aave’s code, the exploit route wasn’t made public.

Aave’s council of community guardians froze certain assets and markets on Aave after learning of the bug on Nov. 4.

Over the following week, Aave DAO’s service provider bgdlabs made proposals to disable stable rate borrowing and end the minting of stable debt where borrowers would pay fixed rates in the short term that could be rebalanced later.

Aave lending markets returned to normal on Nov. 13 after the proposals were executed. But what about the forks that inherited Aave’s apparently exploitable code?

Bgdlabs wrote in a forum post that it had reached out to every Aave fork to offer advice on protection measures after the vulnerability came to light. At least three dozen projects have launched as spinoffs of Aave V2 or V3’s public code, per DeFiLlama.

“This is something that you see in computer security a lot,” said Luke Youngblood, founding contributor at the Moonwell lending protocol. “Say Apple or Google needs to tell smartphone manufacturers or other vendors in the space about a vulnerability that impacts their software or their solutions. They have to do this in a confidential way so that they don’t alert the hackers to where the hole is before it can be patched.”

The two largest Aave forks by total value locked (TVL), Spark and Radiant, both worked with Aave to double-check code for vulnerabilities, Marc Zeller, the founder of delegate platform Aave Chan Initiative, told Blockworks.

Of the other forks, several posted on X that the platforms weren’t at risk — including Moola, which paused twice and removed its stable borrow function as Aave dealt with the vulnerability.

Bgdlabs said on Aave’s forum that it was helping Aave forks patch their code in keeping with DeFi’s communitarian ethos.

“Even if we don’t have any responsibility to them (we are not providing services), we think the Aave community should show good values, as leaders in the space,” bgdlabs said of the forks.

Shira Brezis, co-founder of the DeFi risk and security firm Redefine, said Aave’s cooperation is par for the course in DeFi, noting that she’s in a group chat with some of her own company’s competitors.

And perhaps the goodwill trends both ways — last week, Maker, of which Spark is a subDAO, passed a proposal to share some of Spark’s revenue with Aave.

Aave also stands to gain from not seeing forks succumb to exploits.

“When users lose funds, it’s a bad outcome for everyone in the DeFi space. It makes people think crypto is insecure and makes them think it’s a hotbed for hackers,” Youngblood said.

In a Telegram message, bgdlabs’ co-founder Ernesto Boado said an eventual public disclosure of Aave’s code weakness “depends on different factors” and that their team “tried our best to notify forks” about the vulnerability.