Aave Set to Disable Borrowing on xSushi and DPI Citing Potential Exploit

Aave token holders are voting to patch a vulnerability to DeFi’s biggest protocol by assets locked.

The vulnerability was raised earlier this week by Aave community members and involved using xSUSHI as collateral, according to a tweet by Aave, which hasn’t disclosed further details.

Gauntlet, which bills itself as a “financial modeling and simulation platform for the blockchain,” has submitted an improvement proposal to patch the vulnerability.

If the proposal, called Aave Improvement Proposal (AIP) 44, passes borrowing for xSUSHI, a fee-earning version of decentralized exchange Sushiswap’s SUSHI token, as well as DeFi Pulse Index (DPI), an index some of the biggest tokens of open finance protocols, will be disabled.

AIP 44 would also disable deposits, borrows and rate swaps for Uniswap and Balancer liquidity provider (LP) tokens. Aave called this step “an extra safeguard” in a Twitter thread.

With over 575,000 votes for the proposal and only 1 against, AIP 44 is very likely to pass. Voting doesn’t close until Oct. 31.

The vulnerability is not currently viable, according to a response by Marc Zeller, integration lead at Aave, in the protocol’s Discord. Though, according to a tweet by Yearn Finance developer Banteg, the vulnerability was exploitable for 160 days in the past when the composition of Aave’s deposited assets was different.

TVL Down, Rates Up

Aave’s total value locked is down over 20%, or almost $4B, to $15B as of Oct. 29, according to DeFiLlama.

Justin Sun, the billionaire founder of Tron, withdrew over $4.2B from Aave in the past day, according to a tweet by Steven Zheng, a researcher at The Block.

Rates have pumped due to the withdrawn assets, as Aave’s interest rate model raises interest rates when capital is scarce in order to encourage loan repayments and additional deposits. USDC is yielding over 301% and USDT is offering almost 12%. They were higher earlier in the day with USDC at 43% and USDT at 77%, according to a tweet by Tyler Reynolds, an active DeFi participant and crypto advisor.