A bug in legacy crypto lending protocol Aave prevents users from interacting with Wrapped Ether (WETH), Tether, Wrapped Bitcoin (WBTC) or Wrapped Matic (WMATIC) pools on Aave v2 Polygon, preventing assets from being withdrawn, according to a May 19 proposal to fix the vulnerability with a patch. Users are currently unable to "provide more of these assets, borrow, repay, or withdraw," the proposal says.
While withdrawals are not currently possible, the team says funds are "very safe" as the bug can be fixed following a governance vote. This bug only affects Aave v2 on Polygon. Aave v3 - the latest version - is unaffected, as is v2 deployed to ethereum or Avalanche. The Broken Code Appeared Due to the May 16 Rate Curve Patch Applied to All deployments of v2. V2's Polygon Implementation Uses A Slight Tly Different List of Function Definitions (Called the "Interface") for its Internet Rate Strategy Contracts than the Ethereum and Avalanche implementations. But the rate curve changes didn't take this difference into account, causing the bug to only develop in Polygon deployments.
The new proposal would require Aave's governing body, the Aave DAO, to approve code changes only to the Polygon version to fix the patch. Voting is set to begin on May 20 and will run through May 23, the proposal said. Aave is known for its flash loan feature, which allows users to borrow cryptocurrency, make a trade, and repay the loan all within the same block, without collateral. It started on Ethereum but has expanded to other networks over the past few years. On April 17, Aave governance voted to deploy the protocol on zkSync Era, a Layer 2 Ethereum scaling protocol using zero-knowledge proof technology. On May 8th, Aave v3 was deployed to the Metis network, which is also an Ethereum layer 2.
