Original - Odaily
Author - Azuma
On November 4, the leading lending project Aave officially announced on X that it had received reports of vulnerabilities in some functions of the protocol. After verification, community developers decided to initiate temporary preventive measures.
According to subsequent reports published by Aave in the governance forum, this vulnerability did not cause any financial losses, and all liquidity pools in the market were properly protected.
Regarding the details of the vulnerability, Aave currently only disclosed that the vulnerability is related to the stable interest rate lending model. Potential attack targets include the V2 market on the Ethereum mainnet, as well as certain assets in the V3 market on Optimism, Arbitrum, Avalanche, and Polygon.
It is worth mentioning that when explaining why he did not disclose more details, Aave said: Since there are still quite a few projects on the market that are forked from Aave, Aave has decided not to release complete details about the vulnerability yet. Once the team feels it is their responsibility to disclose it, Aave will publish a detailed explanation of the vulnerability and the course of action from disclosure to fix.”
This operation of Aave can be said to be quite subtle. Of course, it is understandable not to disclose the details of the vulnerability to prevent hackers from exploiting it first, but doing so also means that a large number of projects forked from Aave are still unable to learn the details of the vulnerability, and may even still be carrying the vulnerability themselves. Streaking”.
As for whether the forked project can obtain more information from the Aave team privately, it all depends on whether Aave is willing to share information. After all, Aave and the forked project are essentially in a competitive relationship.
In this regard, banteg, a well-known developer in the Ethereum ecosystem, commented: When you fork a project, remember to share some tokens with the original project. By doing so, they may remember you and even be willing to establish a bilateral information disclosure agreement with you.”
However, the current situation is that after the era of wild growth of DeFi, except for a few projects such as Spark Protocol that can drink water and think about the source, most fork projects tend to ignore the achievements of the original project when they reproduce the original project. Contributions will not share any tokens with the original project at all.
This has also put many forked projects into a rather embarrassing situation in this Aave incident - they once prostituted Aave to make profits, and now how can they ask Aave to share information.
Shortly after the incident, Marc Zeller, head of strategy at Aave, posted onOr it is implying that many forked projects are actively contacting Aave, hoping to confirm whether their projects will be affected.
Combined with Aaves disclosure, this vulnerability will have a certain impact on both the V2 and V3 version markets. According to statistics from Defi Llama,There are currently 5 projects that have forked from Aave V3, and 31 projects that have forked from Aave V2., the specific list is as follows.
The five projects that forked from Aave V3 are:
The 31 projects forked from Aave V2 are:
It should be noted that the above is only an overall statistics of all projects forked from Aave.Since this vulnerability only involves some of Aaves contracts, the above-mentioned projects may not necessarily be affected by this vulnerability.
What is currently certain is that,A few projects with larger scale and stronger operational capabilities have contacted Aave or white hat hackers to rule out the possibility of being affected.
For example, Spark Protocol (which ranks first in TVL among forked projects, with approximately US$850 million), which has stated before its launch that it will share part of the protocol revenue with Aave, has announced on X that all contracts will not be affected, and users do not need to worry.
In addition, Radiant Capital, a lending agreement that focuses on the cross-chain concept (TVL ranks second among the fork projects, with approximately US$341 million), has also announced: It has been confirmed with a number of white hat hackers that Radiants lending pool will not be affected.
In addition, UwU Lend (ranked third in TVL among forked projects, approximately $26 million) has also announced that this vulnerability only involves some functions that are not enabled by the project, so it will not suffer any impact.
However, leaving aside the above-mentioned large-scale projects where TVL accounts for far more than 90% of forked projects, for other smaller-scale projects, it is not so easy to confirm the security status of the protocol.
due to safety concerns,Odaily recommends that users who are using the more than 30 forked projects mentioned above carefully check whether the project has disclosed its security status. If there is still no disclosure for the time being, it is strongly recommended to withdraw funds to ensure safety.