Harmony Horizon bridge exploit. Consequences to Aave V3 Harmony

In general, it seems to me that you’re being very hand wavy as to Aave’s responsibility in this matter. This not only muddles the debate about how to respond with the Safety Module but also impedes taking a deeper look into where Aave failed and how it could become more robust going forward.

As an example, let’s take the oracle issue, which you describe as follows:

Here you’re framing it as if Chainlink in fact provided feeds for the bridged assets but they just happened to use the price of the underlying for strategic decisions. This is simply wrong. The fact is that Chainlink doesn’t offer feeds for those bridged assets and Aave governance decided to treat them as if they were the underlying. This is basic and is both a failure from a governance and technical perspective. And you should describe it as such.

Exactly, if this is part of the intention we should be as critical as possible and clearly expose where Aave failed. You haven’t done this, or at least not properly.

The fact that the Harmony plan won’t solve the issue has nothing to do with whether Aave is assuming its responsibility in the issue. Not at all. And by the way, I never said the Aave community, I said BGD and Monet. Fyi: I’m part of the Aave community (as a stkAAVE holder) and have no funds whatsoever on Harmony, so I’m not coming for funds, my intention with the post was to incite a deeper reflection into what went wrong from the Aave perspective, which seemed lacking.

2 Likes

Good day all,

Given current situation of Harmony, I believe the outcome of the proposal is clear - no reimbursement.

I think we should start to conclude AAVE’s position towards this incident. Specifically:

  1. Is AAVE safety module applicable in this case?
  2. If SM is applicable, does it apply to all assets or only for non-bridged assets?

We have to come to a conclusion, even hypothetically, as this case study would certainly set a precedent to AAVE’s position in the future. The decision is probably going to put investors’ confidence to test one way or another. Regardless, we have to take our stand here.

Thank you.

2 Likes

Ya. The assets will not be repegged and the reimbursement will not happen.

We need to come up a solution within Aave. My questions:

  1. How much total crypto do we still have on Aave?
  2. Could we redistribute these crypto to lenders?
  3. Could we identify those wallets that exploited Aave and seize their collateral?

Hello,

Aave V3 Harmony market is not covered by the Safety module,

Currently and according to governance votes, only Aave V2 Ethereum market is covered by the Safety module. votes are currently ongoing to expand support of the safety module to ARC, Polygon V2 & Avalance V2 markets.

Please pardon me for phrasing my questions in the wrong way, my questions were raised specifically in response to @bgdlabs’s post:

I imagine your response would have been the same. Let me know if there’s still room open for discussion to this topic.

Thank you.

Hello,

Your frustration is understandable, AAVE indeed didn’t take immediate action to prevent further lending after the exploit. There was a ARC that takes time to vote, thus the delay in the action.

In regards to your statement:

The withdrawal is not locked, there’s 0 liquidity for you to withdraw as it’s 100% borrowed.

Really good question @trannguyenquy, we are all here waiting for something about it.
AAVE is losting reputation for just 1.5M funds…

1 Like

It was sad to see that Aave was accepting deposits for a month after the hack and listing a 1000% APY lol.
Lending was stopped but supply side was left wide open

4 Likes

We believe that the SM shall not compensate for the loss of the Aave V3 Harmony market. As stated by @MarcZeller, only Aave V2 on the Ethereum Network is covered by the SM. This criterion is voted on and approved by the governance. Therefore, it should not change, at the moment, unless a new governance proposal is discussed and approved. Not because Aave is irresponsible for the loss fund, but because this is what the current governance had agreed on.

2 Likes

A couple questions here:

  1. When did the vote that decided the Safety Modules would only cover Aave v2 Ethereum market happen? Was it before or after the Harmony deployment?
  2. Were users of Harmony aware that they wouldn’t be covered by the Safety Module? Was this highlighted anywhere?
  3. More importantly, should we do what is right or what was agreed a long time ago (probably in a completely different environment and context)? Isn’t DeFi supposed to be a more humane, fair financial system? Are we just gonna use the same fine print bullshit techniques used by TradFi for centuries just to avoid assuming responsibility for this issue?
2 Likes

long long before. The SM policy was set at the launch of the initial V2 ETH market. The first updates to it (covering the other V2 markets) are being voted on now in Snapshot.

It is the responsibility of those using a system to understand it. That is part of what comes with permissionless DeFi.

Anyone is able to propose a governance action for the DAO to vote on. If you feel there is action the DAO should take, write a proposal, bring to vote, and author/deploy the payload. This openness is why DeFi is different.

1 Like

@oneski22 Can you please share the doc that specifically stated SM only apply to V2 ETH market?

1 Like

As an update for the community, we have verified that the Guardian has executed the freezing of all assets on Harmony, following the approval of the governance HERE.

What this changes in practice is that the Aave smart contracts don’t allow to deposit on Aave v3 Harmony anymore, as borrowing was already not enabled.
It is important to highlight that withdrawal is still possible.

8 Likes

What will be the next step?

1 Like

“withdrawal is still possible” is not completely right, until borrow will be repayed in reality “withdrawal is still NOT possible” !

1 Like

This an opinion from the Harmony Community Forum:

The problem with Aave lies with Aave. They are the responsible party for relying on a faulty price oracle and not responding to the bridge hack fast enough. It took them weeks to decide to stop borrowing and then reduce interest rate. Now they are trying to wash their hands of the problem by blaming harmony for allowing the bridge to be hacked.

If you are expecting harmony to respond to this you then you are expecting harmony to fix somone else’s problem.

1 Like

My assets are frozen on AAVE and I was also removed from the Discord server for expressing my discontent with the situation.

Unfortunately my situation looks exactly the same as being a Celsius customer. Only exception is that I’m now receiving regular email updated about court proceedings.

Here I know nothing about the outlook and what should I do? Do I own any cryptocurrency that is locked on AAVE or do I not own it anymore?

1 Like

What are the update regarding this issue? Investors funds are currently locked for withdrawal on the ONE lending since the utilization is 100%. When do you plan to release the funds?
You did not anticipate such exploit by chosing chainlink oracle and you took very long time to react after the bridge hack. On the other side, tranquil finance reacted very quickly and users are able to withdraw their ONE. Fault is fully on aave and something should be done asap to restore user funds, especially when the app is showing a tab which let the user think that the sm is applicable and that their funds are safe in case of any exploit (as the one which happened)

What are the concrete actions you are going to do? Currently situation is even worse than celsius: no update apart from disabling borrowing and removing the return.

Many users got tricked by the high interest displayed during a long period of at least 3weeks. Is it worth it to ruin aave reputation?

Thanks

3 Likes

disclaimer: The following post is reflecting my personal opinion as an individual & Aave token holder and is not representative of the Aave companies in any form.

To be honest, my initial opinion was “Harmony fucked up and failed to protect their users, If governance agrees we should take the punch & loss, pay back users in stables and keep the harmony Aave market frozen and I’ll vote accordingly”

but I have to voice my concerns that “expectation of bailout” is not really something I’m comfortable with, the whole crypto ecosystem’s origins is a reaction to what happened in 2008, crypto is not supposed to replicate traditional finance but provide an alternative to it.
If we allow a system where actors take all the risks, and cash in the profits but in case of something bad happening, they can legitimately rush to nanny protocols and ask for their money back, are we any better than Banks and governments?

in this situation, I’ll be clear, Harmony failed their users, failed at building a robust bridge & failed at providing a clear answer in a short delay (1 month to tell users their solution is BRRRR) that lead to slower reactions of protocols on top, making bad things worse.

but in every case, there are two ways to make money in this world, 1) is hard work 2) is taking some risks. anyone telling you there is a third option is a scammer.
using Harmony was a risk, and now that risk materialized.

to answer to that risk, a bailout has never been a mandatory option. The safety module doesn’t cover Harmony V3 (the currently supported market is Aave V2 ETH, Polygon & Avalanche + Aave ARC) and any bailout would require a specific AIP vote.

As people that took a loss need Aave governance approval to get a second chance to nullify the consequences of a risk taken, I would kindly advise some to change gear in their entitled & aggressive attitude towards Aave on here. because I’m still personally in favor of supporting Aave Harmony users while being firm on the fact that Aave worked as intended,

but at this point, I might be a few aggressive posts away from changing my personal vote if an AIP is deployed on this topic.

What do we have to do for the AIP to be deployed in this topic Marc? Thank you