AAVE
Aave is a decentralized non-custodial liquidity protocol where users can participate as suppliers or borrowers in a common pool. Suppliers provide liquidity to earn a passive income, while borrowers are able to borrow in an overcollateralized (perpetually) or undercollateralized (one-block liquidity) fashion.
ETH
Defi
Asset Management
DAO
Lending
Stablecoin
Staking
Solidity
Maximum Bounty: $1,000,000
Live Since: 18 October 2023
Last Updated: 09 September 2024
PoC required
KYC required
Assets in Scope
Impacts in Scope
Keep in mind the restrictions on impacts based on the respective asset:
- For all assets labeled as "Aave v2" and deployed on the Ethereum network, only Critical and High impacts are in scope.
- For all assets labeled as "Aave v2" and deployed on networks other than Ethereum, including L2s on Ethereum, only Critical impacts are in scope.
Critical
- Major manipulation of governance voting results deviating from the voted outcome, whenever protection mechanisms (e.g. cancellation of the proposal) cannot mitigate the damage
- Direct theft of any user funds classified as the principal, whether at rest or in motion
- Permanent locking of user funds classified as the principal, or of funds of the Aave treasury
- Protocol insolvency
High
- Direct theft of any funds in the Aave treasury
- Theft of yield, defined as funds not classified as the principal (not including yield yet to be earned)
- Permanent locking of unclaimed yield of users, defined as funds not classified as the principal (not including yield yet to be earned)
- Temporary locking of funds classified as the principal, or of funds of the Aave treasury
Medium
- Smart contract unable to operate due to lack of token funds
- Loss of rewards-to-be-accrued
- Manipulation of interest rates (supply or borrow) through mechanisms not intended or limited by design
- Unexpected infrastructural behavior
Out of scope
Program's Out of Scope information
These impacts are out of scope for this bug bounty program.
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials or the compromise of access-controlled functions
- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub will be considered out of scope without proof that they are in use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Incorrect data supplied by third-party oracles (this does not exclude oracle manipulation or flash loan attacks)
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Impacts arising from lack of liquidity, including those based on an asset with low trading volume; these are considered part of the protocol's risk control and are not eligible in this bug bounty program
- Impacts from Sybil attacks
- Impacts involving centralization risks
- Impacts requiring the use of non-active features including those not available due to configurations (e.g. risk parameters, flags).
The following activities are prohibited by this bug bounty program:
- Any testing on mainnet or public testnet deployed code; all testing should be done on local forks of either a public testnet or mainnet
- Any testing with pricing oracles or third-party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks that are executed against project assets
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty