Umbrella is a new version of the Aave Safety Module that helps address bad debt management within the Aave protocol.
BGD engaged Ackee Blockchain Security to perform a security review of the Aave protocol with a total time donation of 19 engineering days in a period between February 10 and February 26, 2025.
METHODOLOGY
We began our review using static analysis tools, including Wake. This yielded the I2 finding. We then took a deep dive into the logic of the contracts. For testing and fuzzing, we used the Wake testing framework. We implemented additional unit tests that helped us analyze the shares inflation possibility (M1) and arithmetic errors (L1). We also implemented an additional set of fuzz tests; however, a full fuzzing campaign was not in the scope of this report. The fuzz tests discovered potential integration issues with the price oracle availability (L2). During the review, we paid special attention to:
- analyzing ERC-4626 shares inflation and checking for compliance with the standard;
- ensuring the slashing mechanism could not be abused;
- checking correctness of the rewards distribution;
- ensuring the arithmetic of the system was correct;
- detecting possible reentrancies and unprotected calls in the code;
- ensuring access controls were not too relaxed or too strict; and
- looking for common issues such as data validation.
SCOPE
The first audit was performed on commit a2ad2ff and the scope was the umbrella, stakeToken and rewards folders.
A fix review was performed on commit de990C5.
A third review was conducted on commit 5b987d2 with final changes before the release. No issues were identified during this review.
FINDINGS
The classification of a security finding is determined by two ratings: impact and likelihood. This two-dimensional classification helps clarify the severity of individual issues. Issues which would be rated as medium severity, but which would be likely discovered only by the team, are typically decreased by the likelihood factor to the warning or informational severity ratings.
Our review resulted in 9 findings, ranging from Informational to Medium severity. The most severe finding is M1, which identified an issue with shares inflation. Due to the slashing mechanism, shares can grow rapidly, making the correct functioning of the system significantly dependent on configuration. StakeToken vaults that undergo full slashing due to small deficit offsets or higher pool deficits can enter a denial-of-service state. The state can be entered by an attacker in a single transaction due to the permissionless nature of slashing and deposits. The cost of the attack is determined by the underlying token (it can be as low as a few cents).
For detailed acknowledgment statements from the client, see the Findings section of the full audit report.
Critical severity
No critical severity issues were found.
High severity
No high severity issues were found.
Medium severity
M1: Possible shares inflation
Low severity
L1: Frequent claiming of rewards can lead to losses
L2: The latestAnswer function reverts after slashing configuration removal
Warning severity
W1: Inconsistent usage of _msgSender() over msg.sender
W2: Missing validation of the upper bound in validateTargetLiquidity
Informational severity
I1: Typos
I2: Unused using-for directive
I3: Permit error handling
I4: The same suffix is used for name and symbol
TRUST MODEL
While the permissions within the system are carefully designed to limit the potential impact of any single component, users should trust the DEFAULT_ADMIN_ROLE (which should be granted to Aave governance) to correctly configure the system and act honestly.
CONCLUSION
Ackee Blockchain Security recommends that BGD:
- set up off-chain monitoring for the purposes described in the M1 finding; and
- address all other reported issues.
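One way to model the off-chain monitoring recommended for M1, as an added example that is not code from the audit report or from Umbrella. It assumes generic ERC-4626-style share math with a virtual offset of 1, an 18-decimal token, and hypothetical alert names and thresholds; the vault readings and events are constructed.

```python
# Added example: generic ERC-4626-style share math (virtual offset 1), not Umbrella's code.
from dataclasses import dataclass
UINT256_MAX = 2**256 - 1
UNIT = 10**18  # assumed 18-decimal underlying token

@dataclass(frozen=True)
class Snapshot:  # one off-chain reading of a vault
    total_assets: int
    total_supply: int

def shares_for(s, assets):
    """Shares minted for a deposit of `assets`, rounded down."""
    return assets * (s.total_supply + 1) // (s.total_assets + 1)

def step(s, kind, amount):
    """Constructed event: a slash removes assets only, a deposit mints shares."""
    if kind == "slash":
        return Snapshot(s.total_assets - min(amount, s.total_assets), s.total_supply)
    return Snapshot(s.total_assets + amount, s.total_supply + shares_for(s, amount))

def alerts(prev, cur, max_rate_jump=1000, min_headroom_bits=64):
    """Compare consecutive readings; thresholds are hypothetical defaults."""
    found = []
    before, after = shares_for(prev, UNIT), shares_for(cur, UNIT)
    if before and after // before >= max_rate_jump:
        found.append("rate_jump")  # shares per token jumped sharply
    if 256 - cur.total_supply.bit_length() < min_headroom_bits:
        found.append("low_headroom")  # supply is close to the uint256 limit
    if cur.total_supply + after > UINT256_MAX:
        found.append("deposit_would_overflow")  # a 1-token deposit cannot be minted
    return found

def replay(start, events):
    """Return the alert list raised after each event."""
    out, cur = [], start
    for kind, amount in events:
        nxt = step(cur, kind, amount)
        out.append(alerts(cur, nxt))
        cur = nxt
    return out

# Constructed sample: a 10% slash, then full slashes with 1-token deposits between.
HEALTHY = Snapshot(1000 * UNIT, 1000 * UNIT)
FULL = 10**30  # exceeds every balance here, so the slash empties the vault
EVENTS = [("slash", 100 * UNIT)] + [("slash", FULL), ("deposit", UNIT)] * 3 + [("slash", FULL)]

if __name__ == "__main__":
    for (kind, _), found in zip(EVENTS, replay(HEALTHY, EVENTS)):
        print(kind, found)
```

In this model a partial slash raises nothing, while the first full slash already trips `rate_jump`, several events before the supply nears the uint256 limit.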
Ackee Blockchain Security’s full Aave Umbrella audit report can be found here.
We were delighted to audit Aave and look forward to working with them again.