I know we can add collateral, this is not my point. I am not talking about liquidation. I am talking about not being able to repay our debt and being forced to pay accrued interest with sky high interest rates.
It will all be unlocked soon. Or next time let it be hacked and lose everything. The choice is yours.
None is great but this situation atm is definitely the better one.
It is not possible to distinguish the scenario where assets are being frozen to mitigate a potential risk, from a potential attack vector being played out. The vulnerability has not been disclosed, so how can we know it really exists? For us, users, the outcome is the same: we are losing funds.
As for the alternative: when freezing an asset, freeze its accruing interests too.
So that the liquidity providers can come in this thread and complain that they're paid a small interest rate for a higher risk, as high borrow usage on an asset means higher risk of pool insolvency (especially in a time when liquidations are not possible)? Yes, that's a good idea only if you're just looking at yourself. And it is also a moot point as there is no function for pausing interest rates and there is no rationale in which that would be sensible, unless you want to up the risk in situations like these.
There is no perfect scenario here. There is no perfect solution. There is a security issue that needs to be handled. The only way to handle it is to temporarily pause the markets.
People come in here and are losing their mind, because they're panicking and not reading the whole thread all the while they're paying maybe 0.08% (30% APR) interest per day for a few days, which in their minds is worse than having ALL their funds stolen is just madness.
EDIT: Concerning the "how can we know it really exists". I'm sick and tired of the paranoia in the crypto community. A problem in communication while advertising crypto - if you tell everyone that central banks are evil and everyone in "high places" wants to make you a poor guy that blindly follows the system, then the system you're advertising to become the opposite will quickly be seen as the same. This might not be your view @raphael but you're uttering the same sentiment of that message.
If you are this paranoid I suggest you buy physical gold and a shovel and bury it deep in the woods. But look out for the bears, they might try to scam you.
You can very well tell me that you are the prophet and that I am paying 0.08% per day for my own good to avoid going in hell. The point is that I can't verify your claims. The whole purpose of DEFI is to be trustless.
You are saying that I am being paranoid, that's not the point.
What matters for the user is to have a predictable protocol. And we are facing an event with an unpredictable outcome where funds are lost.
So I wonder why the triggering of safety module is not an active discussion right now? Safety Module - Aavenomics
Sorry but this reasoning makes no sense. A bug is not predictable by definition. This one specifically has been in production for a long time - even though the code has been audited by countless firms, hundreds of security researchers, hell even black hats, and nobody has been able to find it, it was found thanks to the effort of the DAO to keep the protocol security and their users to the highest standard by investing millions in an Immunefi campaign. And if you really want to verify that the bug is there, the code is public AND immutable (nobody will ever be able to change the vulnerable code in the affected contracts, only replace them entirely) therefore you can 1. go check the contracts now and find it yourself 2. wait until the official explanation and verify yourself that it matches what was disclosed. There is no chance, literally ZERO, to hide anything here. Anyone can find the bug and disclose it right now and nobody could do anything about it, but guess what, it still can't be abused thanks to the actions that have been taken. Is the situation optimal? Far from it, but it's the best that can be done at the moment to prevent any additional damage. It taught valuable lessons too (for example I agree it would be ideal in this situation to stop accruing interest, unfortunately this is not possible with the current version). Anyway the point is you will and you ARE able to verify every single claim that's in here given that everything happens onchain, therefore stop the conspiracy theories they have no sense. Ah, triggering the SM has no point, no funds were lost.
Right, we can verify in the future, I didn't think about that! Can I borrow your time machine so I can go and check it up very quick?
I hope my absurd answer is enough to make my point.
According to some rough calculation I am losing 0.08% of my funds per day.
Reread what I wrote above, you clearly missed some sentences. You can verify RIGHT NOW. You can check everything that happened onchain. You can read every single proposal that has been submitted and check that there is no malicious behavior. You can check the code and find the vulnerability right now. If you don't know how to do it, this doesn't change the fact that you can. It's because you probably don't know how to do it that you will need to wait until someone does it for you, this doesn't change the reality that since it's onchain, it's transparent and verifiable at any time.
Yes, I can also find the private keys of Satoshi Nakamoto if I am lucky enough. And discover the theory of everything during my morning coffee.
And beat all those smart people in the afternoon.
As we speak, it is not possible to distinguish the scenarios where A: it is a clever attack, B: we are mitigating a vulnerability risk.
My personal belief if you ask? I am 99% for B. But my beliefs don't matter.
What matters is the outcome.
In both cases the user loses funds.
The point is the protocol is likely to be applied differently depending on A or B:
- A: the safety module will likely be triggered
- B: the safety module will likely not be triggered
The triggering of the SF should not depend on this. The same causes (user loses funds) should produce the same consequences (safety module activation).
So let me get this straight, you are claiming that something is not verifiable just because you don't know how to verify it. Makes sense. And this statement:
is plain false, and it simply comes from your ignorance on the matter. You can in fact verify that this is not a clever attack. I just explained how to do it. It's just that you don't know how to do it. There are plenty of people in here that can though.
At least this shows you reread what I wrote above, even though you still managed to miss the point. Oh well.
Regarding your 0.08% of funds (which you still need to subtract the interest you would have paid anyway, ain't cheap these days), you are free to create a proposal or open a discussion to handle this situation.
How convenient it is that the protocol relies on this very ignorance right now to stay safe. But at the same time everything is verifiable, and therefore this is not an attack. Your reasoning is utterly absurd.
I expressed my view and hope it will reach a sense-full audience. In the meantime I believe there is no point in continuing to argue with you.
Have a good day.
Again, this is false. The actions that have been taken (pause and subsequent proposals to fix the problem) keep the protocol safe. Nothing else. That's the whole point of everything that happened.
You are claiming this might be some sort of convoluted attack vector:
Which, again, is completely false and easily verifiable on chain.
Your view is based on factually wrong assumptions. And when someone points out they are wrong, you deny rather than trying to actually understand.
Couldn't agree more. Take care
This thread just gets worse and worse. People are upset, defensive, and hurt and rightfully so. Rather than attack each other, can we please just come to a solution where affected users are compensated somehow? This whole issue flipped people's week upside down and I hope there can be more understanding rather than defending a shitty situation with a less shitty situation. Please, I hope there is simply a better solution than all we can do is unfreeze your assets and we put this behind us.
Why aren't we using the safety module for this? The conditions apply.
When will I be able to withdraw stETH from eth v2?
Shouldn't I be able to withdraw if I don't have any loan?
I get this message when I try:
"There was some error. Please try changing the parameters"
Aave v2 ethereum pool is currently frozen, check the timeline here: Aave v2/v3 security incident 04/11/2023 - #55 by bgdlabs - on Monday you should be able to withdraw.
Hello there,
Any ETA on unpausing assets on Avalanche? Apparently it involves manual action by the guardian, and nothing is mentioned about Avalanche V3.
Also, can assets be liquidated while paused? Or will we get a grace period?
Thanks
Thank you for the summarized situation outlook!
If voting for #359 ends at 11 Nov 2023, 01:52 UTC, why do you say it is estimated to execute at November 12th, 2023, 07:30-09:30 PM UTC? It can't be due to avg block time variation. Am I missing something? (sorry, new to Aave gov)
Hello, @cryptodbs .
As we pointed out in the previous recap here Aave v2/v3 security incident 04/11/2023 - #55 by bgdlabs, it will be possible to unpause the assets currently paused on v3 Avalanche on November 12th, approximately at 9:30 PM UTC.
While paused, the asset can't be liquidated. And on Aave v3 instances, there is no grace period available, as introducing the Liquidations Grace Sentinel was not possible compared with v2 Ethereum.
Hello @gaia . Voting for #359 will end tomorrow 10th November, and afterward, there is a timelock of 48 hours. So that is why execution will be on the 12th.
Imprecision due to block time considerations only affects during the voting period (measured in blocks), but not on timelock (measured in seconds).
Hi @bgdlabs
Thanks for your reply.
From what I see, it's unclear on Avalanche, could you confirm the 12th November? As I read
Proposal 359 Multichain Stable Debt Token Upgrades
- Created: November 06, 2023, 09:30 PM UTC
- Estimated execution time: November 12th, 2023, 07:30-09:30 PM UTC
- The goal was?: full protection for the vulnerability of all assets being upgraded
- What does it unblock?: it will be possible to unpause all assets on v3 Polygon apart from CRV, v3 Avalanche, v3 Optimism and v3 Arbitrum.
So it's unclear if you mean all assets will be unpaused apart from CRV, or apart from CRV, v3 Avalanche, v3 Optimism and v3 Arbitrum.
Could you clarify please.
Thanks