Aave Periphery Arbitrary Call Vulnerability
Aave is one of the largest liquidity protocols on the blockchain. Periphery contracts help users interact with the protocol but are not part of the core contracts. Over time, these contracts gradually accumulated dust from transactions that passed through the protocol. On August 27th, 2024, the accumulated dust was drained through an exploit of the periphery smart contract. No user funds were lost in this exploit.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19]
About Aave
"Aave is a decentralized non-custodial liquidity protocol where users can participate as depositors or borrowers. Depositors provide liquidity to the market to earn a passive income, while borrowers are able to borrow in an overcollateralized (perpetually) or undercollateralized (one-block liquidity) fashion."
"Aave is one of the largest DeFi protocols with billions of dollars in weekly volume across Ethereum and 12+ networks."
"Peace of mind supported by multiple audits by the world’s leading security firms." "Security is a top priority. Report vulnerabilities or bugs responsibly and get rewarded."
The Reality
"The [periphery] contract has slippage protections, but full dust cleanup from itself is not a feature, and dust has been accumulated after a long period of time and numerous transactions. No funds were extracted from any user in these transactions, and all users funds are totally safe in what relates to Aave."
"The vulnerability is in the _buyOnParaSwap function, which has several issues. It approves assetToSwapFrom tokens based on the amount of maxAmountToSwap, but makes an arbitrary call on a different amount in paraswapData. So the attacker can craft a small swap data but a very high maxAmountToSwap, which will leave a very high allowance for tokenTransferProxy after the swap."
"ParaSwapRepayAdapter isn’t part of the core Aave protocol and appears not to have been audited. It allows users to repay borrow positions using existing collateral, swapping assets via decentralized exchange ParaSwap.
While the contract itself isn’t designed to hold user funds, the positive slippage on swaps leads to a gradual accrual of any leftover tokens."
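The following is an added illustration, not the page's or Aave's code, of the allowance pattern the quoted analysis describes (allowance sized by maxAmountToSwap, spend decided by paraswapData) beside a variant that bounds the spend and resets the allowance. Contract, function and router names are assumed; only maxAmountToSwap, paraswapData and tokenTransferProxy come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
    function balanceOf(address account) external view returns (uint256);
}

// Simplified stand-in for a ParaSwap-style repay adapter (assumed names, not Aave's code).
// `augustus` is the router that receives the forwarded calldata; `tokenTransferProxy`
// is the address the router pulls input tokens from, so it is the spender being approved.
contract SwapAdapterExample {
    address public immutable augustus;
    address public immutable tokenTransferProxy;

    constructor(address augustus_, address proxy_) {
        augustus = augustus_;
        tokenTransferProxy = proxy_;
    }

    // Pattern described in the analysis: the allowance is sized by maxAmountToSwap, but the
    // swap encoded in paraswapData decides how much is actually pulled. Whatever is not
    // consumed remains approved to tokenTransferProxy after the call returns.
    function buyResidualAllowance(IERC20 assetFrom, uint256 maxAmountToSwap, bytes calldata paraswapData) external {
        require(assetFrom.approve(tokenTransferProxy, maxAmountToSwap), "approve failed");
        (bool ok, ) = augustus.call(paraswapData);
        require(ok, "swap failed");
        // No reset here: allowance(address(this), tokenTransferProxy) may still be > 0.
    }

    // Hardened variant: measure what the swap actually pulled from this contract, bound it by
    // maxAmountToSwap, then drive the allowance back to zero and assert that it is zero, so no
    // standing approval survives the call. Assumes the swap pulls assetFrom from this contract.
    function buyBounded(IERC20 assetFrom, uint256 maxAmountToSwap, bytes calldata paraswapData) external {
        uint256 balanceBefore = assetFrom.balanceOf(address(this));
        require(assetFrom.approve(tokenTransferProxy, maxAmountToSwap), "approve failed");
        (bool ok, ) = augustus.call(paraswapData);
        require(ok, "swap failed");
        uint256 balanceAfter = assetFrom.balanceOf(address(this));
        uint256 spent = balanceBefore > balanceAfter ? balanceBefore - balanceAfter : 0;
        require(spent <= maxAmountToSwap, "swap exceeded maxAmountToSwap");
        require(assetFrom.approve(tokenTransferProxy, 0), "reset failed");
        require(assetFrom.allowance(address(this), tokenTransferProxy) == 0, "allowance left");
    }
}
```

The final allowance assertion is the check a reviewer would want to see in any adapter that forwards caller-supplied swap calldata: it turns a silent leftover approval into a revert.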
What Happened
"The DeFi lending platform Aave was attacked due to a contract vulnerability. The attack occurred in a smart contract outside of Aave's core protocol, which is used to allow users to repay loans using existing collateral."
| Date | Event | Description |
|---|---|---|
| August 27th, 2024 10:29:11 PM MDT | Attack Blockchain Transaction | The time of the attack transaction, which is the blockchain transaction that drains the periphery smart contract. |
| August 27th, 2024 10:53:00 PM MDT | Chaofan Shou Tweet | Chaofan Shou posts a tweet with additional information about the exploit and vulnerability. |
| August 28th, 2024 1:54:00 AM MDT | Tip Jar Raid Analogy | Aave founder Marc “Billy” Zeller analogizes the attack to raiding the tip jar. |
| August 28th, 2024 4:09:00 AM MDT | More Detailed Analysis | A more detailed analysis is posted on Twitter to go over the exploit details. |
Technical Details
"The attacker exploited an arbitrary call error, successfully stealing around $56,000 from these various contracts."
"The popular defi lending platform, Aave, suffered a smart contract exploit that allowed an attacker to steal around $56,000. A smart contract outside of the core Aave protocol, which is used to allow people to use existing collateral to repay their loans, had gradually accrued a balance of tokens leftover from slippage. These small leftover token amounts are sometimes called "dust". Altogether, these tokens amounted to around $70,000 across several blockchain networks."
"An exploiter was able to take advantage of an arbitrary call error that allowed them to steal funds from these various contracts, amounting to around $56,000."
Total Amount Lost
"According to analysis by security firm QuillAudits, the losses to attacks on the above networks totaled approximately $51,000. A further attack on Avalanche netted around $5,000. Funds were forwarded to a holding address on all networks."
The total amount at risk has been estimated at $70,000 USD. The total amount lost has been estimated at $56,000 USD.
Immediate Reactions
"Aave, which contains assets worth over $11 billion according to data from DeFiLlama, has made clear that the attack, which began around 04:30 UTC, placed no user funds at risk. Founder Stani Kulechov and governance delegate Marc Zeller both took to X (formerly Twitter) to reassure users."
"Aave representatives emphasized that the attack posed no risk to user funds and did not affect the security of the core Aave protocol." "Various people associated with Aave emphasized that there was no risk to user funds or flaw in the core Aave protocol, and one described the hack as "raiding the tip jar"."
"Following the hack, Stani Kulechov, the founder of Aave, along with other key figures, took to social media to reassure the community. Kulechov described the incident as a "tip jar arbed," indicating that the loss was not significant in the broader context of Aave’s operations. However, the incident sparked a renewed debate within the DeFi community."
"For precaution, the maintainer of http://app.aave.com (Aave Labs) has temporarily disabled those features and any other of similar nature while we finish the research."
Ultimate Outcome
"In response to questions about the origin of the funds stolen, Aave delegate Marc Zeller said, “Someone raided the tip jar.”
Aave development contributor BGD Labs later responded with more detail, informing users that losses were limited to the affected contracts and couldn’t spread to the wider protocol. The post also highlights that there’s no risk of a token approval-related attack."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. SlowMist Hacked - SlowMist Zone (Accessed Sep 18, 2024)
2. "Peripheral" Aave smart contract hacked for $56,000 (Accessed Sep 19, 2024)
3. "Peripheral" Aave smart contract hacked for $56,000 (Accessed Sep 19, 2024)
4. Aave hacked via periphery contract — $56K stolen from ‘tip jar’ (Accessed Sep 19, 2024)
5. Aave | Aave (Accessed Sep 19, 2024)
6. Security | Aave (Accessed Sep 19, 2024)
7. Safety Incentives | Aave (Accessed Sep 19, 2024)
8. @shoucccc Twitter (Accessed Sep 19, 2024)
9. DeBank | The Real User Based Web3 Community (Accessed Sep 19, 2024)
10. aave-v3-periphery/contracts/adapters/paraswap/ParaSwapRepayAdapter.sol at master · aave/aave-v3-periphery · GitHub (Accessed Sep 19, 2024)
11. @lemiscate Twitter (Accessed Sep 19, 2024)
12. @bgdlabs Twitter (Accessed Sep 19, 2024)
13. Aave Hacked: $56K Stolen from Periphery Contract | User Funds Safe (Accessed Sep 19, 2024)
14. AAVE ParaSwap Repay Adapter Hack - by TK - Verichains (Accessed Sep 19, 2024)
15. @justicedotxyz Twitter (Accessed Sep 19, 2024)
16. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 19, 2024)
17. Aave Document Hub | Aave Protocol Documentation (Accessed Sep 19, 2024)
18. Address 0x6ea83f23795F55434C38bA67FCc428aec0C296DC | Etherscan (Accessed Sep 19, 2024)
19. Aave: Repay With Collateral Adapter V3 | Address 0x02e7b8511831b1b02d9018215a0f8f500ea5c6b3 | Etherscan (Accessed Sep 19, 2024)