Aave v2/v3 security incident 04/11/2023

Following the plan, we have created an additional governance proposal for the activation of the new Liquidations Grace Sentinel for Aave v2 Ethereum/Polygon/Avalanche.

Additionally, we have added a follow-up to proposal 359 created yesterday, doing the same upgrade of stable debt implementations to extra assets on v2 Ethereum and v3 Polygon.

Voting will start in ~24 hours, participate
https://app.aave.com/governance/proposal/?proposalId=361


@bgdlabs According to Revoke Cash there is nothing wrong with my wallet.

And there was no direct crypto withdrawal from my AAVE account to my wallet address, and then no direct withdrawal from my wallet to a spammer's address.

The money went straight from my AAVE account to this address and nothing in between:

How is this even possible?

It seems like your keys got compromised. Either by using some malicious software or you entered your private key somewhere. It is definitely not related to Aave.
If you don’t have the keys to this wallet it seems like you won’t be able to get those funds back unfortunately.

@EzR3aL

No, I did not put my keys online somewhere and also did not install any software.

And even if I did, the hacker would have to withdraw my deposited funds from Aave to my wallet first?!

But this did not happen. Looking at my transactions, this seems to have happened inside the AAVE ecosystem.

The underlying aToken has been transferred. So no need to withdraw first. This person didn’t withdraw your BTC but aWBTC. @PolyMika

@EzR3aL Ok, this somehow makes sense to me. It still baffles me how this could have happened, and now I can't even save the rest of my money as all my borrowed funds are frozen.

As a fork of Aave V3 building on the zkSync chain, I have to say the professionalism and responsibility shown by the @bgdlabs team is beyond par, and we are grateful for the communication and action taken.

It should be noted that @bgdlabs proactively reached out to the various forks, including ZeroLend, informing them about the white-hat issue and about the measures needed to safeguard our markets.

Something I don’t think we’ll find with any other major DeFi protocol out there. We hope to give something back to the Aave community and if there’s any support we can offer to the Aave fam, we’ll be happy to do so.

Good luck everyone for the vote :rocket:


Hi! I am sorry to inform you, but you are probably a victim of one of the most common scams in crypto. (In fact, you probably SIGNED something, or made a simple small transaction one day with this account, not even specifically on AAVE, or you went to a BAD phishing website.)
Unfortunately, somehow the actual SIGNATURE or transaction allowed the counterfeiter to USE your address and DRAIN your account. So far, there are 2 distinct transactions:

1 - the one that was probably initiated by you or by the attacker:

this transaction happened on block [49630533] (Polygon PoS Chain Blocks #49630533 | PolygonScan)

2 - the transaction by the ATTACKER, or by one of the entities that was SIGNED for or allowed on the account.

this transaction happened on block 49630823, interacting about 10 minutes later!

correct me community!

Actually the GUARDIAN IS a good thing for you, because YOU NEED TO REVOKE ACCESS from your account BEFORE you make your funds available somehow.
The guardian freezing your assets actually makes it hard for the attacker to drain your account, because he would have to deposit the same amount (or more!) of collateral to get out with your money. PLEASE revoke your access quickly!
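The two posts above describe the same mechanics from both sides: an aToken is an ordinary ERC-20, so an Approval granted earlier lets a third party move the deposit with a plain Transfer, and no Pool withdraw ever appears in the history. The example below, added here and not part of any post or of Aave's code, reconstructs that from raw event logs: it decodes ERC-20 Transfer/Approval records, ties each outgoing transfer to the allowance that enabled it, and lists the allowances still open (what "revoke access" has to target). The log records, the token and account addresses and the `txFrom` field (the receipt sender) are all constructed placeholders.

```python
"""Reconstruct how an aToken left a wallet from ERC-20 event logs.

Added example, not Aave code. aTokens are ordinary ERC-20 tokens, so a Transfer
of aWBTC moves the deposit itself with no Pool.withdraw() call. All log records,
token and account addresses below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional

# keccak256 of the canonical ERC-20 event signatures (well-known constants)
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"


def topic_to_address(topic: str) -> str:
    """Indexed address params are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


@dataclass(frozen=True)
class Event:
    kind: str        # "Transfer" or "Approval"
    token: str
    src: str         # Transfer.from or Approval.owner
    dst: str         # Transfer.to or Approval.spender
    value: int
    block: int
    log_index: int
    tx_sender: str   # receipt `from`: who sent the tx (assumed joined from the receipt)


def decode_log(log: dict) -> Optional[Event]:
    topics = log["topics"]
    if len(topics) != 3 or topics[0] not in (TRANSFER_TOPIC, APPROVAL_TOPIC):
        return None  # not an ERC-20 Transfer/Approval (e.g. ERC-721 Transfer has 4 topics)
    return Event(
        kind="Transfer" if topics[0] == TRANSFER_TOPIC else "Approval",
        token=log["address"].lower(),
        src=topic_to_address(topics[1]),
        dst=topic_to_address(topics[2]),
        value=int(log["data"], 16),
        block=log["blockNumber"],
        log_index=log["logIndex"],
        tx_sender=log["txFrom"].lower(),
    )


def _ordered_events(logs: list) -> list:
    return sorted((e for e in map(decode_log, logs) if e), key=lambda e: (e.block, e.log_index))


def explain_outflows(logs: list, victim: str) -> list:
    """For every token leaving `victim`, say whether the tx sender was spending an
    allowance the victim granted earlier (the classic approval drain)."""
    victim = victim.lower()
    allowances = {}  # (token, spender) -> latest approved amount seen so far
    report = []
    for e in _ordered_events(logs):
        if e.kind == "Approval" and e.src == victim:
            allowances[(e.token, e.dst)] = e.value
        elif e.kind == "Transfer" and e.src == victim:
            granted = allowances.get((e.token, e.tx_sender), 0)
            report.append({
                "token": e.token, "to": e.dst, "value": e.value, "block": e.block,
                "spender": e.tx_sender,
                "self_initiated": e.tx_sender == victim,
                "via_allowance": e.tx_sender != victim and granted > 0,
            })
    return report


def open_allowances(logs: list, victim: str) -> dict:
    """Latest non-zero Approval per (token, spender): what still needs revoking."""
    victim = victim.lower()
    latest = {}
    for e in _ordered_events(logs):
        if e.kind == "Approval" and e.src == victim:
            latest[(e.token, e.dst)] = e.value
    return {k: v for k, v in latest.items() if v > 0}


# ---- constructed sample data (placeholder addresses, not real on-chain identifiers) ----
VICTIM, ATTACKER = "0x" + "11" * 20, "0x" + "22" * 20
AWBTC, AUSDC, POOL = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20


def _pad(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")


def _word(n: int) -> str:
    return "0x" + format(n, "x").rjust(64, "0")


SAMPLE_LOGS = [
    # victim signs an unlimited aWBTC approval to the attacker (e.g. on a phishing site)
    {"address": AWBTC, "topics": [APPROVAL_TOPIC, _pad(VICTIM), _pad(ATTACKER)],
     "data": _word(2**256 - 1), "blockNumber": 49630533, "logIndex": 0, "txFrom": VICTIM},
    # ~10 minutes later the attacker moves 1.5 aWBTC (8 decimals) without any withdraw
    {"address": AWBTC, "topics": [TRANSFER_TOPIC, _pad(VICTIM), _pad(ATTACKER)],
     "data": _word(150_000_000), "blockNumber": 49630823, "logIndex": 5, "txFrom": ATTACKER},
    # an unrelated incoming transfer; must not be reported as an outflow
    {"address": AUSDC, "topics": [TRANSFER_TOPIC, _pad(POOL), _pad(VICTIM)],
     "data": _word(1_000_000), "blockNumber": 49630900, "logIndex": 1, "txFrom": VICTIM},
    # a legitimate, still-open allowance the victim should also review
    {"address": AUSDC, "topics": [APPROVAL_TOPIC, _pad(VICTIM), _pad(POOL)],
     "data": _word(5_000_000_000), "blockNumber": 49630950, "logIndex": 0, "txFrom": VICTIM},
]

if __name__ == "__main__":
    for row in explain_outflows(SAMPLE_LOGS, VICTIM):
        print(row)
    print("still open:", open_allowances(SAMPLE_LOGS, VICTIM))
```

On a real chain the same two functions run over `eth_getLogs` results filtered by the victim's padded address in topics 1 and 2, with `txFrom` taken from each transaction's receipt; for approval-by-signature flows (EIP-2612 `permit`) the Approval event is emitted in the attacker's own transaction, so `tx_sender` of the Approval, not just of the Transfer, is worth looking at too.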

When does the Freeze last until? When I check at this link: Aave - Open Source Liquidity Protocol the freeze should already be over but Borrowed stablecoins are still frozen and at exorbitant rates! USDC on Optimism since the freeze has a borrowing rate of 23%! Funds are safe but debt is growing out of control. When will this stabilise? Will AAVE users be receiving any incentive to keep their funds with AAVE after this incident?


Please read the posts in this thread; all the information is given in here.

For transparency with the community, now that all the major planned governance proposals of protection remediation have been created, the estimated timeline for every item is the following.

IMPORTANT.

  • This assumes the community votes for YES on all the proposals.
  • Due to how governance proposals work, execution timing can vary slightly, but in the order of low hours/minutes.

Proposal 358 Disable Stable Borrows

  • Created: November 04,10:30 PM UTC
  • Estimated execution time: November 10, 15:18 UTC
  • The goal was?: the first line of protection, stopping the reported vulnerability
  • What does it unblock?: in practice nothing; v2 Ethereum will keep being paused as the following proposals are required before unpausing (for security reasons).

Proposal 359 Multichain Stable Debt Token Upgrades

  • Created: November 06, 2023, 09:30 PM UTC
  • Estimated execution time: November 12th, 2023, 07:30-09:30 PM UTC
  • The goal was?: full protection for the vulnerability of all assets being upgraded
  • What does it unblock?: it will be possible to unpause all assets on v3 Polygon, v3 Avalanche, v3 Optimism and v3 Arbitrum. CRV on v3 Polygon can’t be unpaused.

Proposal 361 Liquidations Grace Sentinel Activation

  • Created: November 07, 2023, 05:20 PM UTC
  • Estimated execution time: November 13th, 2023, 03:20-05:20 PM UTC
  • The goal was?: activation of the Liquidations Grace Sentinel feature for Aave v2, which risk providers can recommend using to give a grace period for previously paused assets. Additionally, upgrading implementation of extra v2 Ethereum assets and CRV on v3 Polygon.
  • What does it unblock?: Full return to operations on all pending Aave instances and assets (v2 Ethereum and CRV on v3 Polygon). If the risk providers recommend adding a liquidations grace period for any asset, the unpause of v2 Ethereum will happen just after that grace period for that specific asset only.

How can I tell from this information when ETH v2 will be unlocked, at least for withdrawals?

I learned that @PolyMika had an unfortunate situation where he/she was a victim of a scam. I feel very sorry for that. I’ve learned that even high profile crypto celebs, like Mark Cuban, who are supposed to be very savvy have been victims too. Since I’ve been an active AAVE user for almost two years with no incidents, I still worry about it. I don’t want to be next in line. Please, recommend me all material I need to self educate in security. Thanks.

PS. @EzR3aL perhaps you know good material about this issue too. I'd highly appreciate your advice.


What will happen to people who were borrowing and got liquidated but weren't able to repay because of the Aave pause??


I got liquidated during this period. I had a low health factor and was locked out of accessing a majority of my assets as I watched my collateral, at a really high rate, just drain my health. The only option I had was to switch my loan assets into a different coin with a lower APR, which then kept going up given the market conditions until I got liquidated. Given the volatility, I was bound to be liquidated by the stable APR or by market conditions. I had limited options, and any option I had just led down the road of getting liquidated, or closer to it, without any moves to fix it. Yes, it is my fault for getting into this in the first place. Many lessons learned. My back was pressed against the wall with not much I could do about it. I really hope there's a better solution than to just offer a grace period on liquidations. There needs to be a better solution.

Unfortunately I'm unsure what you can do or what you should do. I just know a grace period on liquidations isn't enough to repay the position you put us users in without any warning. I just hope there can be some recourse or possible compensation for affected users who were liquidated during this event, such as myself.

My question exactly.

For clarity about how Aave works in a paused situation:

  • On Aave v2 Ethereum, even if no repaying or "refilling" of collateral can be done, neither can liquidations.
  • On Aave v3 Polygon/Arbitrum/Optimism/Avalanche, only some of the assets are paused. It means that users can execute any action on all the others. E.g. a position with WETH collateral and USDC.e debt on Arbitrum can't repay USDC.e, but it can supply USDC (native) as collateral instead while the pause lasts, protecting it from liquidation.

Wait, so you guys can freeze assets, but the interests are still accruing?
What kind of freeze is that?
How can we know that this is not a covert attack vector being played out?
You say users' funds are safe, but this is not the case: they cannot repay their debt and are losing funds as we speak.

You are still able to add other collateral.
Please read the thread before posting in here. There has been plenty of information given.
If not, I will have to moderate this thread.

@bgdlabs

It might be true that there are alternative assets on some chains, but for Polygon v3, for example, there is, right now, no stablecoin alternative while borrowing, as all stablecoins have been paused. This also means that there is no way to collateralise with a stable asset. So you’re basically locked into volatility.

That could be a problem for some users, considering the high interest rates right now. But a small problem, in my opinion.

@raphael

Another attack vector? The interest rates are still fairly small, considering that this issue will be resolved within a few days. And again, already mentioned in this thread: What is the alternative?! Would you rather have your funds at risk?
