Bug in Aave V2 Polygon causes some assets to become stuck in contracts
A bug in an older version of crypto lending protocol Aave is blocking users from interacting with Wrapped Ether (WETH), Tether (USDT), Wrapped Bitcoin (WBTC) or Wrapped Matic (WMATIC) pools on Aave V2 Polygon, preventing assets from being withdrawn from them, according to a May 19 proposal that attempts to fix the bug through a patch. The proposal says that users are currently unable to “supply more of those assets, borrow, repay, or withdraw.”
Although withdrawals are currently impossible, the team stated that funds are “perfectly safe,” as the bug can be fixed after a governance vote.
.@AaveAave the latest upgrade of ReserveInterestRateStrategy in Aave V2 (Polygon) has caused a temporary halt of the protocol, impacting assets worth ~$110M! The root cause is the new ReserveInterestRateStrategy is only compatible with Ethereum, not compatible with Polygon. https://t.co/kg5696QNPo pic.twitter.com/Ze3zSBS8Ck
— BlockSec (@BlockSecTeam) May 19, 2023
The bug only affects Aave V2 on Polygon. Aave V3, which is the most recent version, remains unaffected, as do V2 deployments to Ethereum or Avalanche.
The broken code arose because of a May 16 interest rate curve patch applied to all deployments of V2. The Polygon implementation of V2 uses a slightly different list of function definitions (called an “interface”) for its rate strategy contracts when compared with the Ethereum and Avalanche implementations. But the interest rate curve changes did not take into account this difference, causing the bug to develop only in the Polygon deployment.
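A pre-rollout check can catch this kind of per-deployment interface mismatch before a shared patch is applied. The Python below is an added example, not Aave's or the proposal's code; the function name calculateRates, its parameter lists and the ABI fragments are constructed for illustration and are not the real Aave V2 interfaces.

```python
# Added example: compare what each deployment's pool calls against what a
# new rate strategy exposes. All names and ABI fragments are constructed.
# The EVM dispatches on a 4-byte selector derived from the canonical
# signature string, so a caller using a different parameter list will
# not reach the function.

def canonical_type(param):
    """Return the ABI canonical type, expanding tuples into (t1,t2,...)."""
    t = param["type"]
    if t.startswith("tuple"):
        inner = ",".join(canonical_type(c) for c in param["components"])
        return "(" + inner + ")" + t[len("tuple"):]  # keep any [] / [n] suffix
    return t

def signatures(abi):
    """Set of canonical function signatures exposed by a contract ABI."""
    return {
        f'{e["name"]}({",".join(canonical_type(p) for p in e["inputs"])})'
        for e in abi if e.get("type") == "function"
    }

def incompatible_deployments(new_abi, required_by_deployment):
    """Map deployment -> signatures its caller needs but new_abi lacks."""
    exposed = signatures(new_abi)
    report = {}
    for name, required in required_by_deployment.items():
        missing = sorted(set(required) - exposed)
        if missing:
            report[name] = missing
    return report

def _fn(name, *types):
    """Build a minimal ABI function entry (helper for the sample data)."""
    return {"type": "function", "name": name,
            "inputs": [{"name": f"a{i}", "type": t} for i, t in enumerate(types)]}

# Constructed: the new strategy contract applied to every deployment.
NEW_STRATEGY_ABI = [
    _fn("calculateRates", "address", "address", "uint256", "uint256"),
    _fn("baseRate"),
]
# Constructed: the call each deployment's pool contract actually makes.
REQUIRED = {
    "ethereum":  ["calculateRates(address,address,uint256,uint256)"],
    "avalanche": ["calculateRates(address,address,uint256,uint256)"],
    "polygon":   ["calculateRates(address,uint256,uint256)"],
}

if __name__ == "__main__":
    for dep, missing in incompatible_deployments(NEW_STRATEGY_ABI, REQUIRED).items():
        print(f"BLOCK rollout to {dep}: caller needs {missing}")
```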
The new proposal asks Aave’s governing body, Aave DAO, to approve code changes to only the Polygon version to fix the patch. Voting is scheduled to begin on May 20, and will continue until May 23, the proposal stated.
Aave is best known for its flash loan feature, which allows users to borrow crypto, make trades, and pay back the loans within the same block without requiring collateral. It began on Ethereum, but has been expanding into other networks over the past few years. On April 17, Aave governance voted to deploy the protocol on zkSync Era, a layer 2 of Ethereum that uses zero-knowledge proof technology. On May 8, Aave V3 deployed to the Metis network, which is also a layer 2 of Ethereum.