Aave

I suggest avoiding Aave until its total reliance on Chainlink’s 4-of-9 multisig is resolved.

Chris Blec

In its docs, Aave refers to itself as “a decentralized non-custodial liquidity protocol.”

However, this does not tell the whole story.

While Aave is, to a certain extent, governed by AAVE tokenholders, Aave’s development is largely controlled and gatekept by a small core team. That core team has made a very worrying decision about the way that Aave obtains its price data.

Aave obtains all of its price data from Chainlink. This is not at all uncommon in the DeFi space. Many DeFi applications rely on Chainlink price data.

Aave’s docs clearly state that it no longer uses fallback oracles and puts all of its faith in Chainlink price feeds.

However, Aave does not double-check the data from Chainlink in any way. There is no delay on the acceptance of the data. The data comes from Chainlink and is immediately injected into the Aave protocol.

Aave is, therefore, 100% reliant on the accuracy and integrity of price data from Chainlink for its existence.

This is a deliberate design decision by Aave’s core team. Competing protocols like Compound double-check Chainlink price data against other sources, like Uniswap, before injecting it into the protocol. Aave has chosen not to do this.
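To make the difference concrete, here is an added Python model (not Aave’s, Compound’s or Chainlink’s code) of the two consumption policies described above: taking the feed’s answer as-is versus checking freshness and agreement with an independent anchor before the price reaches the protocol. The record fields mirror the values Chainlink’s latestRoundData() returns; the prices, thresholds and the anchor source are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RoundData:
    """Mirrors Chainlink's latestRoundData() fields; values below are constructed."""
    round_id: int
    answer: int             # price scaled by 10**decimals
    updated_at: int         # unix timestamp of the last update
    answered_in_round: int  # round in which the answer was computed

def accept_as_is(primary: RoundData) -> int:
    """Policy A: the feed's answer becomes the protocol price with no checks."""
    return primary.answer

def validated_price(primary: RoundData, anchor: int, now: int,
                    max_age: int = 3600, max_deviation_bps: int = 1500) -> Optional[int]:
    """Policy B: accept the answer only if the round is complete, fresh, and
    within max_deviation_bps of an independent anchor (e.g. a DEX time-weighted
    average). None means 'reject': the caller should pause or fall back."""
    if primary.answer <= 0:
        return None                                   # invalid answer
    if primary.answered_in_round < primary.round_id:
        return None                                   # round not yet complete
    if now - primary.updated_at > max_age:
        return None                                   # stale reading
    deviation_bps = abs(primary.answer - anchor) * 10_000 // anchor
    if deviation_bps > max_deviation_bps:
        return None                                   # disagrees with anchor
    return primary.answer

def is_liquidatable(collateral_units: int, price: int, price_decimals: int,
                    debt_usd: int, liquidation_threshold_bps: int) -> bool:
    """True when collateral value times the liquidation threshold no longer covers the debt."""
    collateral_usd = collateral_units * price // 10 ** price_decimals
    return collateral_usd * liquidation_threshold_bps // 10_000 < debt_usd

# Constructed scenario: an 8-decimal USD feed, honest price 2000, one corrupted
# round reporting 200, and an independent anchor reading 1990.
NOW = 1_700_000_000
HONEST = RoundData(10, 2000 * 10**8, NOW - 60, 10)
CORRUPT = RoundData(11, 200 * 10**8, NOW - 5, 11)
ANCHOR = 1990 * 10**8

if __name__ == "__main__":  # 10 units of collateral vs 12,000 USD debt, 80% threshold
    for label, rd in (("honest", HONEST), ("corrupt", CORRUPT)):
        checked = validated_price(rd, ANCHOR, NOW)
        print(label, "direct:", is_liquidatable(10, accept_as_is(rd), 8, 12_000, 8_000),
              "validated:", None if checked is None else is_liquidatable(10, checked, 8, 12_000, 8_000))
```

Under policy A the corrupted round immediately makes a healthy position liquidatable; under policy B the same round is rejected because it disagrees with the anchor by roughly 90%, which is the kind of check the post says Aave has chosen not to perform.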

In this tweet, there is a Twitter Space clip of an Aave core team member clearly stating this.

This is highly concerning for multiple reasons, the most severe being that Chainlink itself is entirely controlled by a 4-of-9 multisig contract (formerly a 3-of-20 multisig).

Chainlink has not revealed who holds keys to this multisig. All 9 keys could be in the hands of 1 person, or each key could be in the hands of hundreds of people. It’s unprovable either way.

If the multisig were to be compromised, then the price feeds could become corrupted, and every asset on Aave could end up being liquidated or stolen.

A DeFi application is only as resilient as its weakest part. For this reason, you should avoid using Aave until it removes this vulnerability.

Here is a clip of me speaking about Chainlink risks to Coindesk:

Want more? Here is an extended video recorded in June 2022 where I went into greater detail on this issue: