Aave Protocol V2

Off-Chain (Private)
Audited on 2020/08/31
No active critical issues

Summary

Executive Summary

This report presents the results of our engagement with Aave to review version 2 of the Aave protocol. The review was conducted over 4 weeks, from September 8th, 2020 to October 9th, 2020 by Bernhard Mueller and Sergii Kravchenko. A total of 35 person-days were spent.

Scope

Our review focused on the commit hash f756f44a8d6a328cd545335e46e7128939db88c4. The list of files in scope can be found in the Appendix. The auditors focused specifically on the changes and new features introduced with version 2 of the protocol.

Issues (9)

            Low   Medium   High   Critical   Total
Not fixed   5     3        -      -          8
Fixed       -     1        -      -          1
Total       5     4        0      0          9
Griefing attack by taking flash loan on behalf of user (medium, not fixed)
Interest rates are updated incorrectly (medium, not fixed)
Unhandled return values of transfer and transferFrom (medium, not fixed)
Attacker can front-run delegator when changing allowance (low, not fixed)
Code quality could be improved (low, not fixed)
Description of flash loan function is inconsistent with code (low, not fixed)
Potential manipulation of stable interest rates using flash loans (low, not fixed)
Re-entrancy attacks with ERC-777 (low, not fixed)

Contracts (42)

#   File name
1   contracts/libraries/logic/ValidationLogic.sol
2   contracts/lendingpool/LendingPoolCollateralManager.sol
3   contracts/lendingpool/LendingPoolConfigurator.sol
4   contracts/libraries/logic/ReserveLogic.sol
5   contracts/libraries/math/PercentageMath.sol
6   contracts/lendingpool/LendingPool.sol
7   contracts/libraries/logic/GenericLogic.sol
8   contracts/libraries/openzeppelin-upgradeability/UpgradeabilityProxy.sol
9   contracts/libraries/math/WadRayMath.sol
10  contracts/lendingpool/LendingPoolStorage.sol