Aave v2/v3 security incident 04/11/2023

As a follow-up on the previous communication, we can confirm that the unpause of v3 pools is still programmed to happen today between 14:00 and 15:00 UTC (in ~1-2h).

The exact hour is not predictable, as it depends on operational aspects of the Aave Guardian and verification procedures, but we will keep updating the community here.

1 Like

We can confirm Aave v3 Avalanche and Optimism have been un-paused, and they are fully operational again.

Polygon and Arbitrum will follow in the next few minutes.

3 Likes

Thanks for your work :+1:

We can confirm Aave v3 Arbitrum and Polygon have been un-paused, and they are fully operational again.

Now all Aave v3 instances are operational, with the sole exception of the CRV assets on v3 Polygon, which will be tomorrow.

4 Likes

Following the plan, tomorrow Aave v2 Ethereum will be unpaused, during the UTC morning, depending on operational coordination with the Guardian.

Additionally, as disclosed on [ARFC] - Authorizing Use of Grace Sentinel - #6 by ChaosLabs, the risk providers have recommended a 3-hour liquidations grace period for the WETH asset, during which users with WETH collateral or borrowings will be able to repay or refill their positions, without getting liquidated.

Given the operational aspects surrounding the Guardian, these 3 hours could be slightly higher or lower. We recommend all WETH holders follow our update in this forum, especially tomorrow morning UTC.

1 Like

As an update to the community, the liquidations grace period on Aave v2 Ethereum has been set by Guardian to 14:30 UTC, slightly more than the 3 hours recommended by risk providers from now.

Unpause of v2 Ethereum will follow, which will mean that v2 Ethereum will be fully operational again, but users with WETH will have a 3-hour grace period to protect their positions.

1 Like

Aave v2 Ethereum has been unpaused by the Aave Guardian. Again, if you are a WETH user, it is possible to protect your position.

1 Like

I’m sorry if this has been properly explained, but I want to make sure I understand what will happen (after everything is resolved) to preexisting loans with stable rates on v3.

As far as I understand from the proposals executed, after the unfreezing the already existing loans with stable rates have only the options to be repaid or switched (to a variable rate loan).

Will the loans stay like that permanently until users do either of those for the totality of the borrowed amount? Or will any other action be taken without user interaction at some point? (like switching to variable rate).

As of right now, evidence shows that @antheezy was NOT liquidated during the pause, and thus we believe there should be no compensation in this regard.

2 Likes

Hello @Links. Currently, stable rate opened positions are not affected by any of the steps taken, but they can’t be increased (borrowing more) or new ones created; they can only be repaid or switched to variable, as you point out.

Any further measure will depend on governance, but from a technical perspective our opinion is that having asymmetric features is not ideal, and we will study the case in the upcoming days.

1 Like

Can you show me where MATIC was correcting last week? According to CoinGecko it was up only and had no major correction which could have led to a liquidation, unless your HF was very low anyway.

2 Likes

I think I wasn’t clear enough.

The Aave DAO governance forum is not a chit-chat platform.

This is a thread about the security incident, in the development section of the forum; it is meant to give technical updates about this event.

There’s a governance section in this forum with a [ARFC] ARFC and TEMP CHECK Framework.

In this section there’s already a standard TEMP CHECK proposal to discuss consequences & compensation post event.

So @JohnSmith @Aave_truetocaesar @Links @EzR3aL why are you polluting the dev section with non-technical philosophical debates?

Go to the related section. Follow the governance guidelines.

Don’t mix maintaining order with censorship; this forum will not tolerate chaos, but every opinion and every proposal following the guidelines is welcomed.

4 Likes

Is it normal that CRV assets on v3 Polygon are still paused?

1 Like

As the last step in the set of planned actions, we can confirm that Guardian has unpaused CRV on Aave v3 Polygon.

This means that all Aave v2 and v3 pools operate normally, without exception.

1 Like

Hi, do we have any plan to post this security incident’s details?

Hello @zhaojohnson. Yes, we will be publishing more details in the upcoming days, together with different proposals for improvements.

Won’t that attract every single hacker out there to try to attack the vulnerable area?

What if there is one tiny area which the team think they have fixed but in fact have not?

I suggest waiting for 3-4 months before releasing the details to the public.

Safety over EVERYTHING.

From white-hacker’s perspective/experience, I don’t think there will be significant funds (>$100K) at risk.
All they had to do was to switch off stable mode and protocol teams are quite vigilant, compared to normal users.

Hello, as all markets & assets are now unpaused & unfrozen, we’re closing this topic.

Feel free to go to the Aave Labs discord if you need support.

If you want to discuss more on the governance side, a standard TEMP CHECK has been published to discuss this: [TEMP CHECK] Qualify the security incident 04-11-2023 as a shortfall event

The next technical step will be the publication of the postmortem in the near future. A complex technical issue like this one requires quite some time & resources to establish a report on, so please be patient for this publication.

On the governance side, the ARFC to compensate the Whitehat that protected the protocol and its users will also be published in the near future.

We would like to express our gratitude to @bgdlabs for coordinating and fixing this issue, which resulted in the best possible outcome.

1 Like