UMBRELLA is a new version of the AAVE safety module that helps to solve bad debt management within the AAVE protocol.
BGD conducted a security review of the AAVE protocol with a total time donation of 19 engineering days between February 10 and February 26, 2025 to participate in Ackee Blockchain Security.
methodology
We started reviewing using the contained static analysis tools. Wake up. This is i2 find. Then I dive about the logic of the contract. We used for testing and purging Wake up Test framework. We have implemented additional unit tests to help analyze stock inflation potential.M1) And arithmetic errors (L1). We also implemented an additional fuzz test set, but there was no entire fujing campaign in the range of this report. The puz test found potential integration issues related to price oracle availability (L2). During the review, we paid special attention later.
- Inflation and standard compliance inspection for analyzing ERC-4626;
- So that you cannot abuse the slashing mechanism;
- Confirmation of accuracy of compensation deployment;
- The arithmetic guarantee of the system was correct.
- In the code, it detects reintroduction and unprotected calls.
- Access control is not too comfortable or too strict. and
- We are looking for common problems such as data verification.
range
The first audit was performed for the commit. a2ad2ff And the range umbrella ,,, stakeToken and rewards Folder.
COMMIT has been reviewed de990C5.
The third review was performed at the commit 5b987d2 There is a final change before the release. The problem was not confirmed during this review.
Security discovery classification is determined by two grades. influence and What can be. This two -dimensional classification helps to clarify the seriousness of individual problems. The problem to be evaluated middle It is severe, but the possibility of being found only by the team is generally reduced according to the possibility. warning or Information provision Severe rating.
Our review results have emerged 9 DiscoveryFrom providing information to intermediate seriousness. The most serious discovery is M1We have confirmed the stock inflation problem. The slash mechanism allows the stock to grow rapidly and rely greatly on the right function of the system. StakeToken Vaults, which receives the entire slash due to a deficit or a swimming pool defect, can enter the service refusal. Because of the granting characteristics of slash and deposits, attackers can enter the state in a single transaction. The attack cost is determined by the default token (it can be as low as a few cents).
For more information on the customer’s recognition, see the survey results in the entire audit report.
Threshold
There was no important serious problem.
The severity is high
There is no high severe serious problem.
Intermediate
M1: possible stock inflation
Low severity
L1: Frequently insisted on rewards can cause losses.
L2: latestAnswer After removing the configuration, the function is reversed
Significance of warning
W1: Insonquid use _msgSender() ~ Above msg.sender
W2: missing validation of the upper limit validateTargetLiquidity
Information seriousness
i1: Ota
I2: Instructions that are not used
i3: License error processing
i4: The same suffix is used for names and symbols.
Trust model
The authority in the system is carefully designed to limit the potential impact of a single component, but the user DEFAULT_ADMIN_ROLE To correctly configure the system and act honestly (AAVE governance must be given).
conclusion
AcKee Blockchain Security recommends BGD.
- Set off chain monitoring for the following purposes M1 find; and
- Solve all other reports.
You can find the entire AAVE umbrella audit report of AcKee Blockchain Security. here.
We were happy to be thankful for AAVE and expect to work with them again.