Aave – Decentralized Non-Custodial Liquidity Protocol
Aave is a decentralized protocol that allows users to participate in liquidity provision (as suppliers) or borrowing (as borrowers). The platform operates through a system of common liquidity pools where suppliers deposit their assets to earn passive income, while borrowers can access loans in either an overcollateralized or an undercollateralized manner.
Key Features of Aave:
- Liquidity Provision:
  - Suppliers deposit their assets (such as stablecoins or tokens) into liquidity pools, earning interest on their deposits. This allows them to passively earn rewards for providing liquidity to borrowers.
- Borrowing:
  - Borrowers can access liquidity in two forms:
    - Overcollateralized Loans: Where the borrower must deposit more collateral than the loan value.
    - Undercollateralized Loans (One-Block Liquidity): Instant loans that require minimal collateral, generally executed within a single transaction block.
- Rewards:
  - Aave rewards its liquidity providers in a mix of AAVE tokens and stablecoins. The exact rewards vary depending on the type of participation and the risk level involved in the protocol.
- Governance:
  - Aave is governed by its DAO (Decentralized Autonomous Organization), with proposals and decisions made by the community through governance processes.
Aave’s Bug Bounty Program (Security):
Aave has a bug bounty program aimed at incentivizing responsible disclosure of security vulnerabilities. This program is governed by a set of rules designed to ensure a fair process for identifying critical vulnerabilities.
- KYC Requirement:
  - If you wish to participate in the bug bounty program and earn rewards, KYC may be required for high-severity reports. However, for medium or low severity issues, KYC is not necessary.
  - KYC involves a live video call and may require a government-issued ID for identity verification.
- Responsible Publication:
  - Aave follows Category 3 Responsible Publication guidelines, which govern how information about vulnerabilities can be made public.
  - This policy ensures that bug disclosures are handled responsibly to mitigate any risks.
- Impact Categories:
  - Primacy of Impact: If a vulnerability could result in the manipulation of governance outcomes, direct theft of user funds, or the permanent locking of user funds, it will be treated with critical priority.
  - Primacy of Rules: Other impacts not covered under “Primacy of Impact” will be considered based on the program’s general terms and rules.
- Known Issue Assurance:
  - Aave commits to Known Issue Assurance, meaning they will disclose known issues either publicly or privately to streamline the mediation process and ensure that valid bugs are compensated appropriately.
- Immunefi Standard Badge:
  - Aave has met the best practices required to earn the Immunefi Standard Badge, a recognition for projects that follow the highest standards for bug bounty and security practices.
Rewards Process:
- Mix of AAVE Tokens and Stablecoins:
  - Rewards for bug reports are typically paid in AAVE tokens and stablecoins, depending on the severity of the bug report. The rewards are governed by the DAO through the Aave governance proposal process.
- Bug Classification and Payment:
  - The severity of the bug determines the reward. Critical bugs can receive a larger payout, while medium or low severity bugs may earn smaller rewards.
How to Participate in Aave’s Bug Bounty Program:
- Report Bugs:
  - If you discover a security vulnerability or bug, you can submit a report through the Immunefi platform. Be sure to follow the guidelines for responsible disclosure.
- KYC (for High-Severity Reports):
  - If the bug you report is classified as high severity, KYC verification may be required before you receive the bounty.
- Governance Proposal:
  - The rewards and procedures are governed by Aave DAO’s governance proposal. The current proposal governing the bounty program can be found here.
- Bug Classification:
  - When submitting a bug, make sure to select the correct classification (e.g., smart contract vulnerabilities, governance manipulation) based on the Primacy of Impact or Primacy of Rules.
Other Terms and Information:
- Testnet and Mock Files:
  - Bugs related to testnet environments, mock files, or non-active features are not covered under the bounty program.
- External Projects:
  - Other Aave-related projects (outside of the core protocol) may have their own bug bounty programs. Check the respective project’s bounty program for specific details.
Final Notes:
Aave is dedicated to maintaining a secure and decentralized ecosystem. Through its bug bounty program, Aave encourages the community to help identify and resolve vulnerabilities, ensuring that the protocol remains secure and trustworthy for all users. The program rewards responsible disclosures, with substantial incentives provided for identifying critical security issues.
For more details about Aave’s platform, bug bounty, and governance, please visit their official website Aave.com or follow their governance proposals for updates.
Harran –
protocol where users can participate Good
Eyad –
ok
rhyan lumilay –
i see aave alarm app on store !