AAVE
Aave is a decentralized non-custodial liquidity protocol where users can participate as suppliers or borrowers in a common pool. Suppliers provide liquidity to earn a passive income, while borrowers are able to borrow in an overcollateralized (perpetually) or undercollateralized (one-block liquidity) fashion.
PoC required
KYC required
Impacts in Scope
Keep in mind the restrictions on impacts based on the respective asset:
- For all assets labeled as “Aave v2” and deployed on the Ethereum network, only Critical and High impacts are in-scope.
- For all assets labeled as “Aave v2” and deployed on networks other than Ethereum, including L2s on Ethereum, only Critical impacts are in-scope.
- Major manipulation of governance voting results deviating from the voted outcome, whenever protection mechanisms (e.g. cancellation of a proposal) can’t mitigate the damage
- Direct theft of any user funds classified as the principal, whether at-rest or in-motion
- Permanent locking of user funds classified as the principal or funds of the Aave treasury
- Protocol insolvency
- Direct theft of any funds in the Aave Treasury
- Theft of yield, defined as funds not classified as the principal (not including yield yet to be earned)
- Permanent locking of unclaimed yield of users, defined as funds not classified as the principal (not including yield yet to be earned)
- Temporary locking of funds classified as the principal or funds of the Aave treasury
- Smart contract unable to operate due to lack of token funds
- Loss of rewards-to-be-accrued
- Manipulation of interest rates (supply or borrow) with mechanisms not intended or limited by design
- Unexpected infrastructural behavior
Out of scope
These impacts are out of scope for this bug bounty program.
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials or the compromise of access-controlled functions
- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Incorrect data supplied by third party oracles
  - Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts, including those based on an asset with low trading volume. These are considered part of the protocol's risk control and are not eligible in this bug bounty program.
- Impacts from Sybil attacks
- Impacts involving centralization risks
- Impacts requiring the use of non-active features including those not available due to configurations (e.g. risk parameters, flags).
The following activities are prohibited by this bug bounty program:
- Any testing on mainnet or public testnet deployed code; all testing should be done on local forks of either public testnet or mainnet
- Any testing with pricing oracles or third-party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks that are executed against project assets
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty