Type: #proxy
Project: AAVE
Date: 19/05/23
Blockchain: Polygon
Problem: The upgrade pointed the proxy at an implementation with an incompatible interface.
Sometimes it is critical to write proper integration tests, even when you are sure the update will execute as planned, that the DAO will check all the information, etc. The failure could also have been prevented if the AAVE devs had used an ERC-165 checker, so that the proposed transaction would have reverted.
The root of the problem is that, for legacy reasons, the v2 codebase used on Aave v2 Polygon (and Avalanche) is slightly different from Aave v2 Ethereum, so the contracts on Avalanche and Polygon differ from the contract on Ethereum. You can see the difference in the pictures:
* the first picture shows the new calculateInterestRates function.
* the second shows calculateInterestRates in the current AAVE V2 implementation.
The devs updated the contract on Ethereum, covered the update with tests, and then submitted the same code to the Polygon blockchain; but the interfaces are different, and all deposits and withdrawals on Polygon stopped.
Considering that the Polygon EVM has slight differences from the Ethereum EVM, the update could have led to even more problems.
The DAO:
1) Updates contract in Ethereum.
2) Passes the same code in a new proposal to the Polygon chain.
3) Updates the Polygon chain without integration tests; all funds are stuck.
Discoverer: NaN. was rekt
Harm: $120M stuck
link
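As an added illustration (not Aave's code; the interface, contract and function names are hypothetical, and the real Ethereum/Polygon signatures are not reproduced), a Solidity guard that runs inside the governance payload and reverts unless the proposed implementation both advertises (ERC-165, via OpenZeppelin's ERC165Checker) and actually answers the interface the pool on this chain calls:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC165} from "@openzeppelin/contracts/utils/introspection/ERC165.sol";
import {ERC165Checker} from "@openzeppelin/contracts/utils/introspection/ERC165Checker.sol";

// Hypothetical interface: the signature the pool on THIS chain calls.
// (The real Polygon/Ethereum Aave v2 signatures are not reproduced here.)
interface IChainRateStrategy {
    function calculateInterestRates(address reserve, uint256 availableLiquidity, uint256 totalDebt, uint256 reserveFactor)
        external view returns (uint256 liquidityRate, uint256 borrowRate);
}

// A strategy deployed on this chain advertises the interface it implements.
// A build taken from a chain with a different signature yields a different
// interfaceId (XOR of its selectors), so the guard below rejects it.
abstract contract ChainRateStrategyBase is ERC165, IChainRateStrategy {
    function supportsInterface(bytes4 id) public view virtual override returns (bool) {
        return id == type(IChainRateStrategy).interfaceId || super.supportsInterface(id);
    }
}

// Guard executed inside the governance transaction before the address provider
// is repointed; any mismatch reverts the whole proposal execution.
contract StrategyUpgradeGuard {
    using ERC165Checker for address;
    error NotAContract(address impl);
    error InterfaceNotSupported(address impl, bytes4 id);
    error ProbeCallFailed(address impl, bytes4 selector);

    function checkStrategy(address impl) public view {
        if (impl.code.length == 0) revert NotAContract(impl);

        // 1. ERC-165 declaration: does the implementation claim our interface?
        bytes4 id = type(IChainRateStrategy).interfaceId;
        if (!impl.supportsInterface(id)) revert InterfaceNotSupported(impl, id);

        // 2. Behavioural probe for contracts that forgot ERC-165 or misreport it:
        //    staticcall the exact selector the pool uses. The arguments must be
        //    values the real function accepts; a build compiled from another
        //    chain's signature has no matching selector and reverts.
        bytes4 sel = IChainRateStrategy.calculateInterestRates.selector;
        (bool ok, bytes memory ret) = impl.staticcall(
            abi.encodeWithSelector(sel, address(0), 0, 0, 0)
        );
        if (!ok || ret.length != 64) revert ProbeCallFailed(impl, sel);
    }
}
```

The same probe, run against a fork of the target chain in an integration test, would have surfaced the mismatch before the proposal was submitted.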