AAVE / Aave v3.1 Competition

Aave v3 is a liquidity protocol running on multiple EVM-compatible networks, where user can supply and borrow liquidity.

The v3.1 version target of this competition is an upgrade of the implementation smart contracts of Aave v3, focusing on improving its security and different operational aspects. More extensive information about Aave v3.1 can be found on the Aave governance forum HERE.

aave.com

Prize distribution and scoring

Total Prize Pool $150,000

• The prize distribution has 3 possible triggers:
  • If one or more valid low/informational severity findings are found, the total pot size is $20,000
  • If one or more valid medium severity findings are found, the total pot size is $50,000
  • If one or more valid high severity findings are found, the total pot size is $150,000
• Scoring described in the competition scoring page.
• Findings Severities described in detail on our docs page.
• Only High and Medium findings would be accepted for Primary Prize Pool.
• $20,000 of the total prize pool is reserved for Low Severity or informational findings. These reports are judged based on quality and reviewers are then ranked from 1st to 5th for the purpose of prize allocation:
  • 1st $10,000
  • 2nd $5,000
  • 3rd $2,000
  • 4th $1,500
  • 5th $1,500

Documentation

• High-level context/motivation of Aave v3.1.
• Repository containing the Aave v3.1 code.
  • Features of Aave v3.1 with context.
  • Certora security review.
  • Mixbytes security review.
• Repository containing the payload to upgrade Aave v3 to v3.1.
  • Description of what is done on the upgrade.
  • Codebase diff between production v3 and v3.1

Scope

Contracts

Repository: github.com/aave-dao/aave-v3-origin Commit: 38e7cfb49069837fae99750d8db37f19735fedd7

Repository: github.com/bgd-labs/protocol-v3.1-upgrade Commit: a80a0fb843e4aef524bad5acd8185a470d5d712f

• Only the logic affected by the 3.1 code changes is in-scope. However, unintended consequences of these changes on other logic of Aave v3 core contracts eligible for prizes on the contest.

  For a more clear overview of the exact changes between Aave v3 and Aave v3.1, we recommend to check the diff files on the codebase included HERE.

Code Overview

AAVE Code Walkthrough Recording

Build Instructions

The 2 repositories in scope contain instructions to setup the project and run tests:

• v3.1. codebase
• Upgrade proposal

Both are standard Foundry-based repositories.

Proof of Concept Instructions

For tests/PoC on a local test environment with a clean deployment of Aave v3.1, a basic template can be found on https://github.com/aave-dao/aave-v3-origin/blob/main/tests/template/BaseTest.t.sol

To do any tests/PoC based on 3.1 being applied in production, a basic template can be found on https://github.com/bgd-labs/protocol-v3.1-upgrade/blob/main/tests/template/EthereumBaseTest.t.sol

Out of scope

• Problems arisen from misusage of permissioned entry-points are out of scope. E.g. an address with POOL_ADMIN role passing wrong parameters.
• Only problems caused directly or indirectly by the 3.1 changes are in scope, not those applicable on v3 already.
  • Example of In-Scope: a new attack vector caused by the introduction of virtual accounting, more severe than the same vector on v3.
  • Example of Out-of-Scope: a flash loan attack vector applicable on v3 production, with no relation with any of the new features on v3.1.
• All assets listed on Aave v3.1. are expected to have minimum liquidity at all times.
• Virtual accounting can create situations where due to imprecision of other circumstances (e.g. bad debt), some balance of underlying in the aToken contract is temporarily not withdrawable. This is intended and unless opening to some vector causing major loss of funds, out-of-scope.

Out of scope automated findings generated by LightChaser

• aave-v3-origin
• protocol-v3.1-upgrade

Contact Us

For any issues or concerns regarding this competition, please reach out to the Cantina core team through the Cantina Discord. ",