Aave Protocol Audit

Off-Chain (Private)

Audited on 2020/01/15

No active critical issues

Summary

The Aave team asked us to review and audit a pre-production version of their protocol. We looked at the code and now publish our results. The audited commit is 1f8e5e65a99a887a5a13ad9af6486ebf93f57d02 and all Solidity contracts in the aave-tech/dlp/contracts/contracts folder were in scope. Note... The Aave team is aware that the audited version of the code base is a work-in-progress and not ready for production. In view of the project’s maturity, this first security audit round should be taken as the initial step forward in the way to reach the highest levels of code quality and robustness demanded...

Project

Aave

Multi-Chain

Issues (43)

	Low	Medium	High	Critical	Total
Not fixed	4	3	3	-	10
Fixed	14	8	6	5	33
Total	18	11	9	5	43

Contracts (9)

#	File Name
1	CoreLibrary.sol
2	LendingPoolLiquidationManager.sol
3	LendingPoolLibrary.sol
4	LendingPoolCore.sol
5	AToken.sol
6	LendingPoolConfigurator.sol
7	IPriceOracle.sol
8	LendingPool.sol
9	LendingPoolDataProvider.sol

#	File Name
1	CoreLibrary.sol
2	LendingPoolLiquidationManager.sol
3	LendingPoolLibrary.sol
4	LendingPoolCore.sol
5	AToken.sol
6	LendingPoolConfigurator.sol
7	IPriceOracle.sol
8	LendingPool.sol
9	LendingPoolDataProvider.sol

Aave Protocol Audit

Summary

Issues (43)

[H05] Maximum size of fixed-rate loans can be bypassednot_fixed/high

[H07] Users cannot fixed-rate borrow from a reserve no longer containing their collateralnot_fixed/high

[H08] Counterproductive incentivesnot_fixed/high

[M02] Anyone can open a flash loan for an unprotected receivernot_fixed/medium

[M08] Interest may compound unpredictablynot_fixed/medium

Contracts (9)