Hi everyone -
We at Chaos Labs would like to echo the concerns of @pauljlei and @onetruekirk regarding the seriousness of these potential attack vectors. Over the past few days, we have been running simulations to understand the magnitude of the concern for low-liquidity assets on Aave and the potential profit opportunity for a malicious actor.
What we’ve found is that with sufficient capital deployed ($100m+ starting capital), we believe a number of these markets could be a vector for the attack via methods similar to those laid out by Avraham with looped borrowing and illiquid price manipulation on multiple venues. The near-term revenue opportunity does not offset the potential.
As @onetruekirk mentioned, expediting the upgrade to Aave v3 would help mitigate a number of these concerns by utilizing Isolation Mode & Supply/Borrow Caps. Supply Caps, specifically, would put a cap on the ability to “loop” borrowing as described in the attack under consideration. One major question discussed during this analysis is at what threshold of capital deployed for an attack should the community be comfortable when determining Supply Caps and token parameter setting. We do not have a firm opinion here yet and will provide more thoughts as we begin launching parameter recommendation and asset listing tools in the near future.
As v3 launches on Ethereum, we would recommend the community discuss options to incentivize users to shift borrow and liquidity for low-liquidity assets from v2 to v3 as quickly as possible.
Chaos’s thoughts:
- We would be in favor of turning off REN and ZRX as collateral immediately as we review the other assets and discuss the strategic options (i.e. BAL) with the community
- Acknowledging the DAO2DAO relationship with BAL, the asset does still pose a risk that should be strongly considered for mitigation via pausing or reduction in LTV
- We are still working through DPI, but the comments above regarding redemption make sense to leave it as is for the moment
- In general, we would push for a more conservative stance with target assets as Aave migrates to v3