[ARFC] GHO Technical Incident 13/11/2023

As a result of the GHO bug bounty program, we received a report on November 13, 2023, from Immunefi about an issue which could impact the GHO integration on Aave V3 Ethereum. Following a thorough analysis, we are able to confirm that the issue is valid; however, its potential impact is limited and negligible. The issue does not pose any risk to the Aave Protocol or to user funds. To address the issue, we developed a technical patch in collaboration with Certora. This patch provides a permanent solution without altering any of the existing GHO features within the Aave Pool. Importantly, users are not required to take any action.

Further details will be communicated to the community post the successful execution of the AIP, leading to the full resolution of the issue.


Summary
This post serves to offer the community more insights into the vulnerability report received on November 13, 2023, through Immunefi. Now that all security protocols have been concluded and the issue has been successfully resolved, we can unveil additional details, shedding light on both the identified issue and the specific patch that was implemented.

We appreciate the community for their collaborative effort in applying this essential patch. Their support was instrumental in achieving a successful resolution without adverse impact to the Aave Protocol and GHO.

Technical issue
Per the report, a user could have illegitimately altered the discount percent on their GHO borrow rate. This could have been achieved through the transfer of discount tokens (e.g. stkAave) to themselves, a maneuver commonly referred to as self-transfers. In this scenario, a user would be able to increase their discount percent, consequently reducing the final GHO borrow rate of their position up to the maximum discount rate, which currently stands at 30%.

The root cause of this issue lay in the incorrect logic within the transfer hook of the discount token. Specifically, the logic in question double-counts the balance of tokens during a self-transfer, leading to the undesired update of the discount percent. This inaccurate code was situated in the integration of the GHO VariableDebtToken contract with the StkAave contract, designating this contract as a candidate for an upgrade to rectify the identified issue.

Immunefi Bug Bounty Program
Following our analysis, we categorized the issue under the impact of "Manipulation of interest rates (supply or borrow) with mechanisms not intended by design", attributing a Medium severity to it. In alignment with the bounty page, the corresponding reward for this submission is set at USD $10,000 and it is designated for the security researcher Borosorus.

The bounty payout is part of the first batch of Immunefi bounty payouts, as proposed by BGD Labs and outlined in AIP 413.

Timeline

| Date / Time | Details |
| --- | --- |
| November 13th at 17:14 CET | The Aave Bug Bounty Program on Immunefi receives a report concerning the discount mechanism of GHO variable borrow rate. |
| November 13th at 17:29 CET | The vulnerability report is considered out of scope and automatically closed. |
| November 13th at 22:39 CET | BGD re-opens the report, rectifying the wrong action of the Immunefi automatic agent. |
| November 13th at 22:43 CET | Aave Labs begins investigation into reported vulnerability submission. |
| November 14th at 08:55 CET | Aave Labs confirms an issue with the integration of GHO VariableDebtToken contract and StkAave contract, and starts technical assessment and risk analysis. |
| November 16th at 09:41 CET | Aave Labs gets in contact with security service provider Certora to disclose technical details. |
| November 16 - December 7 | Aave Labs and Certora continue with security procedures and develop a fix for the GhoVariableDebtToken contract. |
| December 7 22:34 CET | AIP 399 is created for resolution of the technical issue in the GHO integration with the StkAave contract. |
| December 12 15:19 CET | AIP 399 is executed, issue fixed and investigation remediated. |
| December 15 10:50 CET | AIP 413 is created for the bounty payout to the security researcher. |

Resolution
The repercussions of the identified issue are contained, with the only notable impact being a potential reduction of interest on the GHO reserve. This, in turn, could lead to a decrease in future earnings for the Aave Treasury. Importantly, our analysis revealed that the issue was not exploited, meaning that no one took advantage of the vulnerability to illegitimately decrease their GHO borrow rate.

Considering the limited impact and the nature of the issue, there were no discernible risks for the protocol or its users. Security procedures were meticulously applied to resolve the issue, coupled with an exploration of potential edge cases related to it. Following thorough analysis and testing, no other edge cases or related issues were uncovered. Collaborating with Certora, we refined the Formal Verification and conducted additional security checks, including mutation testing.

The resolution, executed through AIP 399 on December 12, 2023, involved upgrading the GHO VariableDebtToken contract with patched logic. The accounting logic of the transfer hook for the discount token is now accurate, encompassing all transfer cases, including self-transfers.

We extend our gratitude to the community, BGD Labs, Certora and the security researcher Borosorus for their collaborative efforts in identifying and promptly resolving this issue.

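The double-counting described under "Technical issue", as an added Python model that is not the GhoVariableDebtToken or StkAave code and not the deployed patch. The class names, the hook signature, the linear discount curve and `DEBT_PER_TOKEN` are assumptions made for illustration; only the 30% cap comes from the post. It checks the invariant a regression test or formal rule would state: after any transfer, each stored discount matches the holder's real discount-token balance.

```python
MAX_DISCOUNT_BPS = 3000   # 30% maximum discount, as stated in the post
DEBT_PER_TOKEN = 100      # constructed value: debt units discounted per token

def discount_bps(debt, tokens):
    """Constructed discount curve: linear in covered debt, capped at the max."""
    if debt == 0:
        return 0
    return min(MAX_DISCOUNT_BPS, tokens * DEBT_PER_TOKEN * MAX_DISCOUNT_BPS // debt)

class DebtToken:
    """Hypothetical stand-in for the debt token that stores each user's discount."""
    def __init__(self, patched):
        self.patched, self.debt, self.discount = patched, {}, {}

    def refresh(self, user, tokens):
        self.discount[user] = discount_bps(self.debt.get(user, 0), tokens)

    def on_transfer(self, sender, recipient, sender_bal, recipient_bal, amount):
        """Transfer hook; receives the balances as they were before the transfer."""
        if self.patched and sender == recipient:
            self.refresh(sender, sender_bal)  # a self-transfer changes nothing
            return
        self.refresh(sender, sender_bal - amount)
        # On a self-transfer, recipient_bal is the same, not yet debited,
        # balance, so adding `amount` counts those tokens twice.
        self.refresh(recipient, recipient_bal + amount)

class DiscountToken:
    """Hypothetical stand-in for the discount token that calls the hook."""
    def __init__(self, hook):
        self.hook, self.bal = hook, {}

    def transfer(self, sender, recipient, amount):
        if self.bal.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.hook.on_transfer(sender, recipient, self.bal.get(sender, 0),
                              self.bal.get(recipient, 0), amount)
        self.bal[sender] = self.bal.get(sender, 0) - amount
        self.bal[recipient] = self.bal.get(recipient, 0) + amount

def invariant_after_transfer(patched, sender, recipient, amount):
    """True if every stored discount still matches the holder's real balance."""
    debt = DebtToken(patched)
    token = DiscountToken(debt)
    debt.debt = {"alice": 10_000, "bob": 10_000}   # constructed positions
    token.bal = {"alice": 10, "bob": 5}            # constructed balances
    for user in debt.debt:
        debt.refresh(user, token.bal[user])
    token.transfer(sender, recipient, amount)
    return all(debt.discount[u] == discount_bps(debt.debt[u], token.bal[u])
               for u in debt.debt)
```
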