Aave v3 is a liquidity protocol running on multiple EVM-compatible networks, where users can supply and borrow liquidity.
Aave v3.1, the target of this competition, is an upgrade of the implementation smart contracts of Aave v3, focused on improving its security and various operational aspects. More extensive information about Aave v3.1 can be found on the Aave governance forum HERE.
Prize distribution and scoring
Total Prize Pool $150,000
- The prize distribution has 3 possible triggers:
  - If one or more valid low/informational severity findings are found, the total pot size is $20,000
  - If one or more valid medium severity findings are found, the total pot size is $50,000
  - If one or more valid high severity findings are found, the total pot size is $150,000
- Scoring is described on the competition scoring page.
- Finding severities are described in detail on our docs page.
- Only High and Medium findings are accepted for the Primary Prize Pool.
- $20,000 of the total prize pool is reserved for Low Severity or informational findings. These reports are judged based on quality, and reviewers are then ranked from 1st to 5th for the purpose of prize allocation:
  - 1st $10,000
  - 2nd $5,000
  - 3rd $2,000
  - 4th $1,500
  - 5th $1,500
Documentation
- High-level context/motivation of Aave v3.1.
- Repository containing the Aave v3.1 code.
- Repository containing the payload to upgrade Aave v3 to v3.1.
Scope
Contracts
Repository: github.com/aave-dao/aave-v3-origin Commit: 38e7cfb49069837fae99750d8db37f19735fedd7
Repository: github.com/bgd-labs/protocol-v3.1-upgrade Commit: a80a0fb843e4aef524bad5acd8185a470d5d712f
Only the logic affected by the 3.1 code changes is in scope. However, unintended consequences of these changes on other logic of Aave v3 core contracts are eligible for prizes in the contest.
For a clearer overview of the exact changes between Aave v3 and Aave v3.1, we recommend checking the diff files included in the codebase HERE.
Code Overview
AAVE Code Walkthrough Recording
Build Instructions
The 2 repositories in scope contain instructions to set up the project and run tests.
Both are standard Foundry-based repositories.
Proof of Concept Instructions
For tests/PoC on a local test environment with a clean deployment of Aave v3.1, a basic template can be found at https://github.com/aave-dao/aave-v3-origin/blob/main/tests/template/BaseTest.t.sol
For tests/PoC based on 3.1 being applied in production, a basic template can be found at https://github.com/bgd-labs/protocol-v3.1-upgrade/blob/main/tests/template/EthereumBaseTest.t.sol
Out of scope
- Problems arising from misuse of permissioned entry-points are out of scope. E.g. an address with the POOL_ADMIN role passing wrong parameters.
- Only problems caused directly or indirectly by the 3.1 changes are in scope, not those already applicable to v3.
  - Example of In-Scope: a new attack vector caused by the introduction of virtual accounting, more severe than the same vector on v3.
  - Example of Out-of-Scope: a flash loan attack vector applicable on v3 production, with no relation to any of the new features in v3.1.
- All assets listed on Aave v3.1 are expected to have minimum liquidity at all times.
- Virtual accounting can create situations where, due to imprecision or other circumstances (e.g. bad debt), some balance of underlying in the aToken contract is temporarily not withdrawable. This is intended and, unless it opens up some vector causing major loss of funds, out of scope.
Out of scope automated findings generated by LightChaser
Contact Us
For any issues or concerns regarding this competition, please reach out to the Cantina core team through the Cantina Discord.
Summary
Status: Completed
Total reward: 150,000 GHO
Findings submitted: 131
Start date: 10 May 2024 12:00pm (local time)
End date: 20 May 2024 12:00pm (local time)