On Saturday evening, the teams behind the DeFi protocol Aave announced that a whitehat hacker had reported a flaw through the bug bounty program. As a result, temporary security measures have been taken to keep funds safe. What do we know?
Aave reveals measures in the face of a security flaw reported by a whitehat hacker
On Saturday evening, the teams behind the decentralized finance (DeFi) protocol Aave informed their community that a whitehat hacker had sent a security report via the bug bounty program, describing a flaw that had, until then, been exploitable.
As a precautionary measure, the Ethereum V2 market was paused. In addition, a series of assets on the Avalanche V2, Polygon V3, Arbitrum V3 and Optimism V3 markets were frozen. These measures render the flaw inoperable pending a long-term fix, and the protocol explains that the assets are safe:
Today we received a report of an issue on a certain feature of the Aave Protocol. After validation by community developers, the guardian has taken the following temporary prevention measure (no funds are at risk):
– Aave Labs (@aave) November 4, 2023
A little later, a post was published on the app’s governance forum to provide a little more clarity on what was to happen next. Nevertheless, the management team has chosen to remain vague for the time being, in order to protect other DeFi applications built on an Aave fork:
“Currently, all Aave pools are protected by the measures taken, but given that Aave v2/v3 is a ‘fork’ protocol by several third parties, we don’t think it’s responsible to give full details of the vulnerability at the moment.”
In addition, a governance proposal has been made to replace the current measures with a more targeted one, so that the paused parts of the protocol can be restarted while it remains protected from attack:
“We’re creating a governance proposal to remove the current freeze protections and apply a more specific one: disable stable rate mode for all assets that have it. At the same time, we are drawing up a recovery plan for the pools concerned.”
So far, no loss of funds has been recorded. As for those affected by the current freezes, they can still repay their loans or withdraw funds if they wish.
We will be able to publish further information once the situation has been resolved and Aave has shared more details publicly.