
Aave V3 — Sherlock contest #287 synthesis

[PUBLISHED]
sherlock · aave-v3-ethereum
// sherlock · protocol: aave-v3-ethereum · published: Apr 12, 2026

Sherlock contest #287 closed on 2026-04-12 with three confirmed high-or-above severity findings affecting Aave V3 on Ethereum. The critical finding affects weETH loops with health factor between 1.0 and 1.05; positions with HF > 1.1 are not exposed. Two high-severity findings touch rsETH oracle staleness and the GHO mintability cap path. Curators should monitor weETH and rsETH parameters until the patch in PR #1284 deploys.

// findings · 5
  • [CRITICAL]

    weETH collateral can be liquidated against stale LST exchange-rate data when the Chainlink heartbeat lags behind ether.fi rate updates. Affected positions are loops with HF between 1.0 and 1.05.

    weETH oracle adapter · PoolConfigurator · LiquidationLogic
    A critical-severity finding affects positions using weETH as collateral when the LST exchange rate updates faster than the Chainlink heartbeat.
    ref: finding-1 (lines 124-189)
    affects: weETH-supply, leveraged-loop
  • [HIGH]

    rsETH exchange-rate oracle has a 4-7 minute staleness window during high-volatility periods. Positions may be liquidated against outdated collateral pricing.

    rsETH oracle adapter · price feed registry
    rsETH exchange-rate oracle staleness can extend beyond the Aave heartbeat, creating a 4-7 minute window where liquidations may be priced against stale collateral.
    ref: finding-2 (lines 245-301)
    affects: rsETH-supply, restaking
  • [HIGH]

    GHO mintability check in AIP-380 path does not enforce facilitator cap atomically with mint, allowing facilitator overflow within a single block.

    GHOFacilitator · PoolConfigurator
    The facilitator cap check happens before mint in a non-atomic sequence — within a single block, a flash-loan or multi-call could exceed the cap.
    ref: finding-3 (lines 412-478)
    affects: GHO-mint
  • [MEDIUM]

    Repay-with-aToken function uses a slightly outdated balance snapshot, potentially under-repaying debt by 0.01-0.05% on volatile rate periods.

    Pool.repayWithATokens · reserve cache
    Balance snapshot lags by one block in the repay path.
    ref: finding-4 (lines 534-578)
    affects: repay
  • [LOW]

    Event emission order in the borrowable-asset configuration update can confuse downstream indexers that expect strict chronological ordering.

    PoolConfigurator events
    Events emit in setter-call order, not configuration-effect order.
    ref: finding-5 (lines 612-634)
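
A monitoring check for findings 1 and 2, added here as an example and not taken from the contest report or Aave's code: it flags positions whose health factor sits in the 1.0 to 1.05 band while the pricing feed lags the LST's own exchange rate. The `Feed` and `Position` types, the 240-second lag threshold, the 0.80 liquidation threshold and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

HF_BAND = (1.0, 1.05)   # exposed band stated in the brief
MAX_LAG_S = 240         # assumption: alert threshold, low end of the 4-7 minute window

@dataclass
class Feed:
    asset: str
    feed_rate: float        # rate the market prices collateral with
    feed_updated_at: int    # unix seconds
    source_rate: float      # rate published by the LST/LRT protocol itself
    source_updated_at: int

@dataclass
class Position:
    owner: str
    asset: str
    units: float            # collateral amount in LST units
    liq_threshold: float
    debt_eth: float

def health_factor(pos, rate):
    return pos.units * rate * pos.liq_threshold / pos.debt_eth

def triage(positions, feeds):
    """Return (owner, level, lag_s) for in-band positions priced on a lagging feed."""
    by_asset = {f.asset: f for f in feeds}
    flagged = []
    for pos in positions:
        feed = by_asset.get(pos.asset)
        if feed is None:
            continue
        lag = max(0, feed.source_updated_at - feed.feed_updated_at)
        hf_fresh = health_factor(pos, feed.source_rate)
        if lag <= MAX_LAG_S or not HF_BAND[0] <= hf_fresh <= HF_BAND[1]:
            continue
        # ALERT: liquidatable only because the feed is behind the source rate.
        level = "ALERT" if health_factor(pos, feed.feed_rate) < 1.0 else "WATCH"
        flagged.append((pos.owner, level, lag))
    return flagged

# Constructed sample data, not real market values.
FEEDS = [Feed("weETH", 1.030, 1_000_000, 1.042, 1_000_300),
         Feed("rsETH", 1.020, 1_000_000, 1.021, 1_000_120)]
POSITIONS = [Position("pos-A", "weETH", 100, 0.80, 83.0),
             Position("pos-B", "weETH", 100, 0.80, 80.0),
             Position("pos-C", "weETH", 100, 0.80, 70.0),
             Position("pos-D", "rsETH", 100, 0.80, 81.0)]

if __name__ == "__main__":
    for row in triage(POSITIONS, FEEDS):
        print(row)
```

`pos-A` is the case finding 1 describes: solvent at the fresh rate, below 1.0 at the lagging feed rate. `pos-C` sits above the exposed band and `pos-D` is on a feed still inside the lag threshold, so neither is reported.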
// why this might be wrong
  • This brief was generated by a multi-pass LLM editorial pipeline. Findings reflect public source material at the time of synthesis.
  • Confirm against the original audit firm source before acting on any individual finding.
  • Severity classification has been normalized across firms — the source firm uses its own scale.