Vulnerability Disclosure: Aave Yield Source

On June 24 a security researcher, Kyle Yerman (@Meriadoc on Discord), privately disclosed a vulnerability in the Aave Yield Source contract.

The PT Inc protocol team has spent the last few days analyzing the issue and found that the existing prize pools are safe. The exploit only affects new deployments, as it requires certain conditions to be met immediately after the Yield Source contract is created.

The protocol team has a fix in progress, so future deployments will not be subject to this exploit.

This exploit requires certain conditions to be met, and once detected the protocol could deploy a new yield source contract. However, the protocol does not have any monitoring in place for risks such as these. We would not have detected an exploit if it occurred, so it is a high-risk exploit for us.

The security researcher is entitled to a $25,000 USD payout as per our security bounties. I will be applying for the bounty payout through the grants program on behalf of the researcher.