Aave Protocol Audit

Off-Chain (Private)
Audited on 2020/01/15
No active critical issues

Summary

The Aave team asked us to review and audit a pre-production version of their protocol. We looked at the code and now publish our results. The audited commit is 1f8e5e65a99a887a5a13ad9af6486ebf93f57d02 and all Solidity contracts in the aave-tech/dlp/contracts/contracts folder were in scope. Note... The Aave team is aware that the audited version of the code base is a work-in-progress and not ready for production. In view of the project’s maturity, this first security audit round should be taken as the initial step forward in the way to reach the highest levels of code quality and robustness demanded...

Issues (43)

            Low  Medium  High  Critical  Total
Not fixed     4       3     3         -     10
Fixed        14       8     6         5     33
Total        18      11     9         5     43
[H05] Maximum size of fixed-rate loans can be bypassed (high, not fixed)
[H07] Users cannot fixed-rate borrow from a reserve no longer containing their collateral (high, not fixed)
[H08] Counterproductive incentives (high, not fixed)
[M02] Anyone can open a flash loan for an unprotected receiver (medium, not fixed)
[M08] Interest may compound unpredictably (medium, not fixed)
[M10] Missing test coverage report (medium, not fixed)
[L04] Redundant underflow prevention (low, not fixed)
[L06] Collateral can be deposited in a reserve where usage as collateral is disabled (low, not fixed)
[L14] Tests not passing (low, not fixed)
[L15] Missing comprehensive docstrings (low, not fixed)

Contracts (9)

#  File Name
1  CoreLibrary.sol
2  LendingPoolLiquidationManager.sol
3  LendingPoolLibrary.sol
4  LendingPoolCore.sol
5  AToken.sol
6  LendingPoolConfigurator.sol
7  IPriceOracle.sol
8  LendingPool.sol
9  LendingPoolDataProvider.sol