Aave cooperates with forks following vulnerability

When Aave found a vulnerability in its code, multiple projects inherited the security flaw

by Jack Kubinec /
article-image

Akif CUBUK/Shutterstock modified by Blockworks

share

DeFi lending protocol Aave is a popular candidate for “forking,” whereby developers take open-source code and launch a spinoff. 

But when its bug bounty program unearthed a potential vulnerability in Aave’s code, the exploit route wasn’t made public. 

Aave’s council of community guardians froze certain assets and markets on Aave after learning of the bug on Nov. 4. 

Over the following week, Aave DAO’s service provider bgdlabs made proposals to disable stable rate borrowing and end the minting of stable debt where borrowers would pay fixed rates in the short term that could be rebalanced later.

Aave lending markets returned to normal on Nov. 13 after the proposals were executed. But what about the forks that inherited Aave’s apparently exploitable code?

Bgdlabs wrote in a forum post that it had reached out to every Aave fork to offer advice on protection measures after the vulnerability came to light. At least three dozen projects have launched as spinoffs of Aave V2 or V3’s public code, per DeFiLlama.

“This is something that you see in computer security a lot,” said Luke Youngblood, founding contributor at the Moonwell lending protocol. “Say Apple or Google needs to tell smartphone manufacturers or other vendors in the space about a vulnerability that impacts their software or their solutions. They have to do this in a confidential way so that they don’t alert the hackers to where the hole is before it can be patched.”

The two largest Aave forks by total value locked (TVL), Spark and Radiant, both worked with Aave to double-check code for vulnerabilities, Marc Zeller, the founder of delegate platform Aave Chan Initiative, told Blockworks. 

Of the other forks, several posted on X that the platforms weren’t at risk — including Moola, which paused twice and removed its stable borrow function as Aave dealt with the vulnerability.

Bgdlabs said on Aave’s forum that it was helping Aave forks patch their code in keeping with DeFi’s communitarian ethos. 

“Even if we don’t have any responsibility to them (we are not providing services), we think the Aave community should show good values, as leaders in the space,” bgdlabs said of the forks.

Shira Brezis, co-founder of the DeFi risk and security firm Redefine, said Aave’s cooperation is par for the course in DeFi, noting that she’s in a group chat with some of her own company’s competitors. 

And perhaps the goodwill trends both ways — last week, Maker, of which Spark is a subDAO, passed a proposal to share some of Spark’s revenue with Aave. 

Aave also stands to gain from not seeing forks succumb to exploits.

“When users lose funds, it’s a bad outcome for everyone in the DeFi space. It makes people think crypto is insecure and makes them think it’s a hotbed for hackers,” Youngblood said.

In a Telegram message, bgdlabs’ co-founder Ernesto Boado said an eventual public disclosure of Aave’s code weakness “depends on different factors” and that their team “tried our best to notify forks” about the vulnerability.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.

Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Digital Asset Summit 2025

Javits Center North | 445 11th Ave

Tues - Thurs, March 18 - 20, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

buy ticketslearn more

recent research

Research Report Templates (6).png

Research

THORChain: The Prices are Going Higher

In recent months, a number of highly accretive developments were implemented across the protocol to improve fee capture, expand product functionality, and ultimately drive value accrual to the RUNE token, with more upgrades on the immediate horizon. These developments include hiking the minimum swap fee parameter to increase revenue, adding a Burn System Income Lever to reduce the RUNE supply, the addition of COSM-WASM smart contracting and IBC to enable an application layer, new chain integrations, and more.

by Luke Leasure

/

news

article-image

Policy

Binance exec Tigran Gambaryan denied bail in Nigeria

Former IRS agent and Binance executive Tigran Gambaryan will remain imprisoned in Nigeria’s Kuje prison

by Katherine Ross /
article-image

Web3

Politics and memecoins drive the conversation on day 2 of Permissionless

When Permissionless III wraps on Friday, there will be 26 days left until the 2024 presidential election

by Casey Wagner /
article-image

Forward Guidance Newsletter

Latest inflation data comes in hotter than expected, led by housing costs

Plus, an update from the ground in Salt Lake City at Permissionless III

by Felix Jauvin&Ben Strack&Casey Wagner /
article-image

Policy

SEC files lawsuit against crypto market-maker Cumberland DRW

The US regulator accused the crypto market-making firm of acting as an unregistered dealer

by Michael McSweeney /
article-image

Sponsored

TRON DAO hosted the TRON Builder Tour at Columbia University with Blockchain at Columbia and Boston University Blockchain

The 12-hour event attracted over 120 sign-ups

article-image

Lightspeed Newsletter

Stripe reintegrates crypto payments in the US

Customers can pay merchants in USDC or USDP on Ethereum, Solana, and Polygon, while US-based merchants are paid in dollars

by Jack Kubinec /