The Aave V3 strategy implementations on Optimism and Arbitrum fail to claim liquidity mining incentive rewards (OP and ARB tokens), resulting in permanent loss of a significant portion of yield. While the strategies correctly capture the base supply APY that automatically accrues to aToken balances, they completely ignore the additional reward tokens distributed through Aave V3's separate RewardsController contract.
Vulnerability Details
Root Cause
Aave V3 provides two distinct types of yield to suppliers:
1. Base supply APY (~1-3%) - automatically compounds into aToken.balanceOf() (correctly captured)
2. Liquidity mining incentives (~2-5%+ during active programs) - requires manual claiming via RewardsController.claimAllRewards() (never claimed)
The strategies only implement logic for type (1), reading aToken.balanceOf() in their realAssets() function. They have no integration with the RewardsController contract - no interface definition, no claiming logic, and no reward rate computation. As a result, all OP/ARB tokens earned by the strategies accumulate in the RewardsController but remain permanently unclaimed and inaccessible.
This is particularly problematic because the protocol's own TokeAutoEth strategy correctly implements external reward claiming for Tokemak's similar reward distributor system, proving this pattern is understood and used elsewhere in the codebase. The omission in Aave strategies appears to be an oversight during implementation.
Key evidence from Aave V3 periphery contracts:
The strategies have zero references to IRewardsController or any reward claiming logic, despite deploying on chains where Aave V3 actively distributes incentive tokens.
Comparison with TokeAutoEth Strategy
The codebase's own TokeAutoEth strategy correctly implements the same pattern for Tokemak's reward distributor:
This proves the protocol understands and implements external reward claiming for other strategies, making the omission in Aave strategies a clear oversight rather than intentional design.
Impact Details
Permanent loss of liquidity mining yield:
All OP/ARB tokens earned by the strategies accumulate in the Aave RewardsController contract
These rewards are attributed to the strategy address but never claimed
Users receive only base supply APY (~1-3%), missing the additional liquidity mining APY (varies, historically 2-5%+ on Optimism/Arbitrum during incentive programs)
The unclaimed rewards become permanently inaccessible once the strategy is upgraded or positions rebalanced
// From aave-v3-periphery/contracts/rewards/interfaces/IRewardsController.sol
interface IRewardsController {
    /**
     * @dev Claims all rewards for a user to the desired address
     * @param assets The list of assets to check eligible distributions before claiming rewards
     * @param to The address that will be receiving the rewards
     * @return rewardsList List of addresses of the reward tokens
     * @return claimedAmounts List that contains the claimed amount per reward
     **/
    function claimAllRewards(
        address[] calldata assets,
        address to
    ) external returns (address[] memory rewardsList, uint256[] memory claimedAmounts);
}
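
The following sketch shows the integration the report says is missing. It is an added example, not code from the audited strategies or from Aave. The contract name, the keeper and rewardsReceiver roles, the event and the constructor parameters are assumptions; only claimAllRewards and getAllUserRewards are taken from Aave V3's IRewardsController.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of Aave V3's IRewardsController used by this example.
interface IRewardsController {
    function claimAllRewards(address[] calldata assets, address to)
        external returns (address[] memory rewardsList, uint256[] memory claimedAmounts);
    function getAllUserRewards(address[] calldata assets, address user)
        external view returns (address[] memory rewardsList, uint256[] memory unclaimedAmounts);
}

// Hypothetical helper: all names below are assumptions, not the audited project's code.
contract AaveRewardsClaimer {
    IRewardsController public immutable rewardsController; // RewardsController on this chain
    address public immutable aToken;          // aToken position held by the strategy
    address public immutable rewardsReceiver; // destination for claimed OP/ARB
    address public immutable keeper;          // only caller allowed to trigger a claim

    event RewardsClaimed(address indexed token, uint256 amount);

    constructor(address controller_, address aToken_, address receiver_, address keeper_) {
        require(controller_ != address(0) && aToken_ != address(0), "zero address");
        require(receiver_ != address(0) && keeper_ != address(0), "zero address");
        rewardsController = IRewardsController(controller_);
        aToken = aToken_;
        rewardsReceiver = receiver_;
        keeper = keeper_;
    }

    // Rewards are tracked per incentivized asset, so the aToken is the asset list.
    function _assets() private view returns (address[] memory assets) {
        assets = new address[](1);
        assets[0] = aToken;
    }

    // Monitoring check: rewards attributed to this contract but not yet claimed.
    function pendingRewards() external view returns (address[] memory, uint256[] memory) {
        return rewardsController.getAllUserRewards(_assets(), address(this));
    }

    // claimAllRewards pays out msg.sender's accrued rewards to the receiver address.
    function claimRewards() external returns (address[] memory tokens, uint256[] memory amounts) {
        require(msg.sender == keeper, "not keeper");
        (tokens, amounts) = rewardsController.claimAllRewards(_assets(), rewardsReceiver);
        for (uint256 i = 0; i < tokens.length; i++) {
            if (amounts[i] > 0) emit RewardsClaimed(tokens[i], amounts[i]);
        }
    }
}
```

Because rewards accrue to the address that holds the aTokens, this logic has to live in the strategy contract itself (or be inherited by it) rather than in a separate helper. A non-zero pendingRewards() result on a deployed strategy that has no claim path is the condition this report describes.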