Back/aave-v3-ethereum
>

Aave V3 — Cantina post-deploy contest

[PUBLISHED]
cantina · aave-v3-ethereum
// cantinaprotocol: aave-v3-ethereumpublished: May 8, 2026source →

Cantina's post-deploy contest closed on 2026-05-08 with one high-severity flash-loan fee finding. The under-charging is small per-operation but accrues to MEV-search bots that loop multi-asset flash loans; protocol revenue is the primary impact, not user positions.

// findings · 2
  • [HIGH]

    Multi-asset flash-loan fee aggregation skips fee accrual on the second asset, under-charging by ~0.05% per multi-asset loan.

    Pool.flashLoanFlashLoanLogic.executeFlashLoan
    Flash-loan fee calculation under-charges on multi-asset loans by skipping fee aggregation in the second asset.
    ref: finding F-01
    affects:flash-loan
  • [MEDIUM]

    Borrow-cap event emits before cap update; downstream indexers that race on the event observe the pre-update value.

    PoolConfigurator.setBorrowCap
    Event order is not enforced relative to the storage update.
    ref: finding M-02
// why this might be wrong
  • This brief was generated by a multi-pass LLM editorial pipeline. Findings reflect public source material at the time of synthesis.
  • Confirm against the original audit firm source before acting on any individual finding.
  • Severity classification has been normalized across firms — the source firm uses its own scale.