Aave Labs Operational Resilience Fire Drill

Aave Labs is planning to run a community fire drill in the first week of December 2024 to test and assess the operational resilience of the ecosystem. Unlike the previous year’s SEAL Attack Simulation, this drill will not test the engineering team’s ability to diagnose an onchain attack. Instead, the goal is to learn more about the workflows, coordination methods, and information exchange during an incident. It has been a year since these controls were last validated, highlighting the importance of periodic testing to ensure the ecosystem’s readiness and ability to respond effectively.

The community’s involvement is key to this initiative. Aave Labs welcomes interested parties to participate in the fire drill. Please, reach out directly for participation details.

9 Likes

Some feedback from our side:

  • On the organigram of the Aave DAO, with multiple Service Providers contributing in multiple areas (sometimes overlapping), it is quite important to always try to respect each field of contribution.
    It sounds very unreasonable that 1) Aave Labs is organizing this, given that it is not its role, engagement scope, or expertise, and 2) we (BGD Labs) were not aware of the initiative until it reached the forum, given that precisely this is part of our engagement for services and, even more obviously, we planned, organized and coordinated the aforementioned SEAL Attack Simulation.
    For clarity for the community, this would be akin to us (BGD) posting a proposal to change the risk simulation infrastructure of the risk providers without even commenting in advance on the idea with @ChaosLabs, or, now during the development of Aave v4, presenting in the forum an alternative v4 development flow without first telling @AaveLabs.

  • Security on a DAO like Aave is something that requires central coordination and planning, especially important in a decentralised system like this, where multiple parties (Service Providers, community Guardians, etc) are involved. We don’t think it is appropriate to just ask in a public forum “who wants to participate” and go from there.

Unlike the previous year’s SEAL Attack Simulation, this drill will not test the engineering team’s ability to diagnose an onchain attack. Instead, the goal is to learn more about the workflows, coordination methods, and information exchange during an incident.

  • This is not really how last year’s attack simulation worked, as detection was only the initial step, followed by precisely the other described ones: protective actions on the protocol in the simulation environment, mobilisation of the Aave Guardian, and public communications. We are a bit confused regarding that, given that Aave Labs was a participant in the SEAL exercise, partly precisely in activating the communication channels they control, like @aave on X.

Even though security initiatives are positive for the DAO and we would prefer not to sound negative about them, it is very suboptimal to try to organize them this way, totally ignoring all types of guidelines and professional respect. This should especially be a consideration point for Aave Labs, given that there is responsibility associated with carrying the same name as the Aave DAO, which can create confusion in the community.

Consequently, we don’t think this should proceed forward, and we will not participate.

7 Likes

Thank you for your feedback. We want to emphasize that it was never our intention to undermine other service providers or initiatives within the community. We recognize and respect the diversity of opinions regarding how different initiatives can or should be initiated.

From our perspective, security should be seen as a broad and collective responsibility, one that goes beyond the focus on the protocol. Achieving the highest standards of security involves multiple initiatives, each contributing to the overall safety of the ecosystem. As a decentralized ecosystem, the community should aim to foster open invitations to diverse initiatives. In October, we extended an invitation to BGD Labs to orchestrate another full-scale exercise. While we understand BGD’s reluctance, due to the scale of such an engagement and their other workload, we felt it was appropriate to independently initiate a test for the wider community to validate the workflows and processes that are responsible for mobilising internal teams and conducting internal orientation and analysis. Conducting such tests at least once a year is a valuable practice to ensure ongoing improvement and readiness.

That is why this exercise is about the “workflows, coordination methods, and information exchange during an incident” and, given the wide array of service providers, we welcome any interested parties to participate, if they want to validate their systems.

To summarize, even though BGD Labs has been, with much success, the first line of defense against security concerns, Aave Labs has always been directly or indirectly involved in such scenarios and happily supported BGD and the DAO through them. Aave Labs has internal procedures that trigger in such cases, which are the subject of the aforementioned drill. As these procedures inevitably involve other DAO members, including BGD, the natural conclusion was to post on the forum for anyone who wanted to participate.

To reiterate, this is not about protocol security and not something that we would attempt to validate in a vacuum.

2 Likes

Always supportive of more strength testing.
Supportive of BGD continuing to coordinate these.
Supportive of AaveLabs staying focused on V4 deliverables and aiming to exceed expectations there.