Aave is a decentralized non-custodial liquidity protocol where users can participate as suppliers or borrowers in a common pool. Suppliers provide liquidity to earn a passive income, while borrowers are able to borrow in an overcollateralized (perpetually) or undercollateralized (one-block liquidity) fashion.
For more information about Aave, please visit https://aave.com/.
Aave provides rewards in a mix of AAVE and stablecoins. For more details about the payment process, please view the Rewards by Threat Level section further below.
Aave is represented by its service providers BGD Labs (Aave v2/v3/SM/Governance) and Aave Labs (GHO). BGD Labs and Aave Labs act as appointed representatives of the DAO exclusively in this context, based on a successful Aave governance proposal.
KYC Requirement
The provision of KYC may be required for a reward for this bug bounty program at the discretion of the DAO representative or representatives. If KYC is requested, the following will be required:
- Live video call, during which the following may be requested:
  - Government-issued ID
KYC will not be required for bug reports classified with a severity level as Medium or Low.
Responsible Publication
Aave adheres to category 3. This Policy determines what information whitehats are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our Responsible Publication page.
Primacy of Impact vs Primacy of Rules
Aave adheres to the Primacy of Impact for the following impacts:
- Smart Contract – Critical – Major manipulation of governance voting result deviating from voted outcome, whenever protection mechanisms (e.g. cancellation of proposal) can’t mitigate the damage.
- Smart Contract – Critical – Direct theft of any user funds classified as the principal, whether at-rest or in-motion, if the value exceeds 100 USD and represents at least 1% of the user’s position.
- Smart Contract – Critical – Permanent locking of user funds classified as the principal, whenever no rescue of any type can be performed.
If an impact is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program. Only sub-systems of Aave explicitly mentioned in the section “Other Terms and Information” are considered as owned by the project, anything outside that is not eligible for any bounty. When submitting a report, just select the Primacy of Impact asset placeholder. If the impact affects something in any of the related GitHub repositories, select the placeholder containing the link to the specific repository instead.
If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.
Testnet and mock files, as well as non-active features, defined as features that 1) are not introduced in production and 2) are not able to be used due to configurations of the protocol, are not covered under the Primacy of Impact.
All other impacts are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.
Known Issue Assurance
Aave commits to providing Known Issue Assurance to bug submissions through their program. This means that Aave will disclose known issues either publicly, privately via a self-reported bug submission, or to the Immunefi team, in order to allow for a more objective and streamlined mediation process to prove that an issue is known. Otherwise, assuming the bug report itself is valid, the bug report is considered in-scope and due 100% of the reward under the bug bounty program terms.
For privacy and security reasons, self-reported bug submissions will contain only a hash. In the event that proof is needed to demonstrate that the issue is known, the respective file will be sent for evaluation to check whether its hash matches the earlier self-reported entry.
Immunefi Standard Badge
Aave has satisfied the requirements for the Immunefi Standard Badge, which is given to projects that adhere to our best practices.
Governance-Run Program
This bug bounty program is governed by a governance proposal. To view the governance proposal poll, visit https://app.aave.com/governance/proposal/?proposalId=325.
rhyan lumilay –
I see an Aave alarm app on the store!