A thread for discussion relating to AIP-44.
So as there is no real clarification I’m just asking it.
Is the aave protocol vulnerable to the same attack as the cream protocol just had 2 days ago?
If potentially yes, why have the users not been informed.
Will there be another audit regarding these special token/markets or will there be a general audit regarding possible security issues?
Will there be a post mortem thread regarding this AIP where everything will be explained?
Yes, although it would be currently quite unprofitable for the attacker, and has been that way for a while.
Kyber Legacy? Why can people borrow against that old token with almost no liquidity? It sounds like this could be an entry point for a similar hack as well.
although the manipulation in a similar fashion as the Cream attack is technically feasible, there is no known way it could be made profitably within the current market conditions. There aren’t enough SUSHI/xSUSHI on the market to manipulate the xSUSHI price enough to perform the attack profitably. It would require some big actors to collude (including the SUSHI team) to actually attack the system. The users have been informed here https://twitter.com/AaveAave/status/1454119658840367114.
This is an unforeseen attack surface involving very complex dynamics. Even with security as top priority as always, covering all the potential attack surfaces (even extremely complex ones like this one) is of course very difficult. Part of the security of the Aave protocol is also how you respond to unforeseen issues, and the community has reacted extremely quickly to this one. The only two assets that could potentially bring issues within the context of this attack surface are DPI (which anyway has been considered secure - it’s only be disabled for borrowing as a precaution, to give more time to review any additional security risk) and xSUSHI. Other assets have completely asynchronous oracles (including Kyber legacy @alkaid ) and cannot be manipulated with this attack.
So AIP-44 is meant to remove the vulnerability that was used to exploit C.R.E.A.M., but only changes Aave on mainnet. Do Aave users on Polygon or Avalanche have anything to worry about here?
Really appreciate your great response to that. So for me this means the community and DAO is working perfect. Which is aavesome.
Lets stay safe and help building!
The Avalanche and Polygon market are unaffected.
Okay great, thank you. Just to clarify, which are you saying?
- Avalanche and Polygon are unaffected by this governance proposal
- Avalanche and Polygon are unaffected by the vulnerability
they are unaffected by both :)
I have xSushi as the only collateral to borrow other token. By what time do I have to close the positions/deposit other collateral, so I don´t get liquidated?
You don’t need to close your position because of that proposal.
You will not be able to borrow xsushi any more but there’s no effect on existing borrow positions. The proposal doesn’t change collateralization.
It looks like DPI is still available on CREAM polygon - does this mean CREAM polygon has the same vulnerability?
DPI is considered safe, but the implementation is technically complex. It has been disabled for the time being to do a full review of the implications of their implementation, but it was not vulnerable to the same potential abuse as xSUSHI in the first place.
It would be nice if the AAVE UI (Aave - Open Source Liquidity Protocol) showed the TX(s) where it was executed instead of just saying Executed and leaving users needing to go on a goose hunt to find the transaction(s).
If I have a position in the AMM market, such as UNI WBTC/USDC, what limitations do I now have due to this proposal passing? For example, can I withdraw my UNI WBTC/USDC LP tokens? Could I add more UNI WTBC/USDC LP tokens? Can I still borrow using my UNI WBTC/USDC LP as collateral?
you can withdraw - you can’t borrow or supply more. This is to avoid any unforeseen issue with the AMM market, as the new unforeseen attack surface needs to be evaluated across all the assets. Hopefully the AMM market will restart soon.