Trail of Bits

Aave V3

Type: Security review

Client: Aave

Date: 2021-11

Domain: Blockchain

Effort: 12 wks

Section: Ethereum/EVM

Trail of Bits's security review of Aave (Nov 2021) identified 15 issues: 5 high, 1 medium, 2 low, and 7 informational.

Findings · 15

  1. Solidity compiler optimizations can be problematic (Informational)
  2. Lack of chainID validation allows attackers to reuse signatures across forks (High)
  3. Risks associated with EIP-2612 (Informational)
  4. Insufficient Repay event parameters (Informational)
  5. Base class functions that are used only in a single derived class could cause confusion (Informational)
  6. Use of the constructor rather than the initialize function prevents the incentives controller from being updated after deployment (Low)
  7. Incorrect eMode category fetched by borrow (High)
  8. Missing validation when setting eMode categories (Low)
  9. Missing/incorrect isolation mode checks circumvent collateral isolation mode (High)
  10. Isolation mode bypassed when liquidating and receiving aTokens (High)
  11. Isolation mode total debt does not decrease on liquidation, potentially blocking new loans using the isolated asset (High)
  12. Unclear behavior when calculating interest rates (Informational)
  13. Use of deprecated Chainlink interface and function (Informational)
  14. Lack of contract existence check on delegatecall (Informational)
  15. Variable debt token incorrectly tracks debtor’s previous index (Medium)

Findings extracted from the published report PDF. See the full report below for details and remediation.