AAVE

Aave is a decentralized non-custodial liquidity protocol where users can participate as suppliers or borrowers in a common pool. Suppliers provide liquidity to earn a passive income, while borrowers are able to borrow in an overcollateralized (perpetually) or undercollateralized (one-block liquidity) fashion.

ETH
Defi
Asset Management
DAO
Lending
Stablecoin
Staking
Solidity
Maximum Bounty: $1,000,000
Live Since: 18 October 2023
Last Updated: 09 September 2024

  • PoC required
  • KYC required
Assets in Scope

Target                                          Type             Added on
UpgradeableBurnMintTokenPool                    Smart Contract   9 September 2024
UpgradeableLockReleaseTokenPool                 Smart Contract   9 September 2024
UpgradeableGhoToken                             Smart Contract   9 September 2024
PayloadsController                              Smart Contract   11 March 2024
Executor                                        Smart Contract   11 March 2024
DataWarehouse                                   Smart Contract   11 March 2024
VotingMachine                                   Smart Contract   11 March 2024
GovernancePowerStrategy                         Smart Contract   11 March 2024
VotingStrategy                                  Smart Contract   11 March 2024
Governance                                      Smart Contract   11 March 2024
GSM                                             Smart Contract   8 February 2024
FixedPriceStrategy                              Smart Contract   8 February 2024

Impacts in Scope

Keep in mind the restrictions on impacts based on the respective asset:

  • For all assets labeled as “Aave v2” and deployed on the Ethereum network, only Critical and High impacts are in scope.
  • For all assets labeled as “Aave v2” and deployed on networks other than Ethereum, including L2s on Ethereum, only Critical impacts are in scope.

Critical
  • Major manipulation of governance voting results deviating from the voted outcome, whenever protection mechanisms (e.g. cancellation of the proposal) cannot mitigate the damage
  • Direct theft of any user funds classified as the principal, whether at rest or in motion
  • Permanent locking of user funds classified as the principal, or of funds of the Aave treasury
  • Protocol insolvency

High
  • Direct theft of any funds in the Aave Treasury
  • Theft of yield, defined as funds not classified as the principal (not including yield yet to be earned)
  • Permanent locking of unclaimed yield of users, defined as funds not classified as the principal (not including yield yet to be earned)
  • Temporary locking of funds classified as the principal, or of funds of the Aave treasury

Medium
  • Smart contract unable to operate due to lack of token funds
  • Loss of rewards-to-be-accrued
  • Manipulation of interest rates (supply or borrow) through mechanisms not intended or limited by design
  • Unexpected infrastructural behavior

Out of scope

These impacts are out of scope for this bug bounty program.

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials or the compromise of access-controlled functions
  • Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub will be considered out of scope without proof that they are in use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program
  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)
  • Lack-of-liquidity impacts, including those based on an asset with low trading volume; these are considered part of the protocol's risk control and are not eligible in this bug bounty program
  • Impacts from Sybil attacks
  • Impacts involving centralization risks
  • Impacts requiring the use of non-active features including those not available due to configurations (e.g. risk parameters, flags).

The following activities are prohibited by this bug bounty program:

  • Any testing on mainnet or public-testnet deployed code; all testing should be done on local forks of either a public testnet or mainnet
  • Any testing with pricing oracles or third-party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks that are executed against project assets
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty