The AAVE Bug Bounty Program is Broken

0 replies, 1557 views, 1 likes
The AAVE protocol suffered a $1.5m loss due to a security vulnerability reported by Digi7287, which was not acted upon by the security team. This incident sparked a debate about the effectiveness of bug bounty programs and the importance of prompt action on reported vulnerabilities.

The discussion primarily revolves around a security vulnerability in the AAVE protocol that Digi7287 reported a week before a CRV attack. Despite the detailed report, which named the specific wallet executing the attack and listed immediate actions to protect the protocol, the security team did not act on the information. This inaction led to a loss of $1.5m, although the potential risk was estimated at $20m to $40m.

The AAVE team's refusal to pay a bug bounty to Digi7287 sparked a debate. The team argued that the issue was a "liquidity risk" rather than an exploit, a stance that Digi7287 contends undermines the purpose of bug bounty programs. These programs are designed to incentivize early reporting of vulnerabilities in order to protect the protocol. Digi7287 suggests that the current approach may encourage exploitation of system failures rather than their reporting.

In conclusion, the discussion highlights the importance of recognizing and rewarding the efforts of those who identify and report vulnerabilities. It also underscores the potential consequences of not acting on such reports promptly. The AAVE team's handling of the situation has raised questions about the effectiveness of bug bounty programs and their role in ensuring the security of protocols.

Posted a year ago

Last reply a year ago