Aave Protoco Security Smart Contract Audit

Summary

Executive Summary This report presents the results of our engagement with Aave review version 2 of the Aave protocol. The review was conducted over 4 weeks, from September 8th, 2020 to October 9th 2020 by Bernhard Mueller and Sergii Kravchenko. A total of 35 person-days were spent. Scope Our review focused on the commit hash f756f44a8d6a328cd545335e46e7128939db88c4. The list of files in scope can be found in the Appendix. The auditor focused specifically on the changes and new features introduced with version 2 of the protocol.

Project

Aave

Multi-Chain

No active critical issues

Last audited on 2024/09/11

Auditor

59 audits on Trustblock

Multi-Tags

Issues (9)

	Low	Medium	High	Critical	Total
Not fixed	5	3	-	-	8
Fixed	-	1	-	-	1
Total	5	4	0	0	9

Contracts (42)

#	File Name
1	contracts/configuration/LendingPoolAddressesProviderRegistry.sol
2	contracts/misc/WalletBalanceProvider.sol
3	contracts/misc/IERC20DetailedBytes.sol
4	————-
5	contracts/libraries/math/MathUtils.sol
6	contracts/misc/ChainlinkProxyPriceProvider.sol
7	contracts/configuration/LendingPoolAddressesProvider.sol
8	contracts/tokenization/base/DebtTokenBase.sol
9	contracts/libraries/openzeppelin-upgradeability/InitializableUpgradeabilityProxy.sol
10	contracts/tokenization/VariableDebtToken.sol

Aave Protocol V2

Summary

Issues (9)

Griefing attack by taking flash loan on behalf of usernot_fixed/medium

Interest rates are updated incorrectlynot_fixed/medium

Unhandled return values of transfer and transferFromnot_fixed/medium

Attacker can front-run delegator when changing allowancenot_fixed/low

Code quality could be improvednot_fixed/low

Contracts (42)