[ARFC] Aave <> Certora Continuous Security Services

Title: [ARFC] Continuous Security Proposal Aave <> Certora

Author: Certora

Date: 2024-20-09

Summary

With 2.5 years of continuous collaboration and contribution to Aave’s ecosystem behind us, we’re as excited about the protocol’s future as we were on day one!

We offer an extension of our engagement with the DAO for a total period of 12 months. The scope of our offering is divided into 2 parts for transparency on pricing and operational commitment:

  1. Extending the existing services for Aave V3, which include:

    • A full-time dedicated team available to consult, research, and review maintenance work and new developments.

    • Full ownership of governance proposal reviews, reviewing every governance proposal initiated on-chain.

    • 24/7 availability for incident response, supporting the technical providers in the investigation and mitigation of emerging bugs.

Note that the scope includes all existing V3 instances and all future EVM-based V3 instances.

The price for the above scope is $1.7M. ⅔ of the price, $1.15M, will be paid in Gho and ⅓, $0.55M, in AAVE.

  2. Safeguarding transactions against unknown attacks:

    • We will develop Safeguard, a modified Ethereum client based on geth, for real-time monitoring and invariant checking on Aave V3.

    • We will write the invariants and monitor them in real time to add another layer of security to the protocol, and collaborate with the relevant entities to investigate and mitigate any suspicious transactions.

Note that Safeguard is a complementary security service we provide free of charge for all existing AAVE V3 instances and all future EVM-based V3 instances.

Price Explanation

Last year, we reduced our prices from $2.7M to $1.5M to reflect the bear market. This year, we suggest a small increase to cover the rise in our costs.

Our regular annual price for professional services is $2.7M. We decided to reduce the price by 37% to $1.7M, to reflect our commitment to Aave’s security.

As in previous years, we request a ⅔-⅓ price breakdown of stablecoin and AAVE, respectively. As service providers and DAO members, we are strong believers in the alignment of long-term players with the protocol. Over the years, not a single AAVE token we received was sold, and the governance power was put to work through delegation to both ACI and StableLabs, which we track closely.

Background and Motivation

In March 2022, we presented a proposal to serve as a DAO security provider, collaborating with the other technical contributors to help Aave deploy the finest and most secure product on the market. Over the following six months, we collaborated with both BGD Labs and Aave Labs on several high-profile projects, including the AAVE token V3, the governance cross-chain bridge, and the Gho token.

Since then, we have continuously served the DAO as a security provider, assisting with dozens of new feature deployments and protocol improvement upgrades (Sept 2022 - Sept 2023, Sept 2023 - Sept 2024), preventing several critical bugs from going live and assisting with the mitigation of live bugs upon emergence.

In addition to conducting security reviews and formal verification, we also:

  1. Conducted several focused research and investigation efforts on components and features within the ecosystem, reporting the results to the developing entities and recommending actions to be taken.

  2. Led 6 community efforts to review and formally verify new and existing Aave code, including extensive education of the independent researcher community on the protocol and the ecosystem as a whole.

  3. Took full ownership of on-chain governance proposal reviews, reviewing 153 proposals so far and finding 4 bugs since February.

  4. Continuously worked with BGD Labs to improve their AIP review tooling, Seatbelt.

  5. Developed a complementary tool that helps highlight potential failure points and ensures the robustness of the layered review process.

  6. Assisted with incident response investigations and mitigations.

  7. Following a successful vote, in August 2024 we assumed our roles as signers for both the governance guardian and the protocol emergency guardian.

  8. We will continue to act in full trust of the DAO and in collaboration with the rest of the contributing parties, to train and act according to the DAO’s best interest.

With the current engagement coming to an end, we propose our services for the fourth time, offering new contribution channels to the ecosystem in addition to the existing ones.

Scope

We present the suggested scope for the following year:

  • Year-round availability of a dedicated team for review of new code. This includes manual reviews and formal verification of smart contracts, as well as the use of additional tools as necessary.

  • 24/7 availability for incident response investigations and mitigation. Of course, this is in full collaboration with the relevant developing entities and BGD Labs, the DAO’s security coordinator.

  • Full responsibility for reviewing every AIP that goes on-chain, preventing any faulty or malicious proposals from being executed and ensuring the highest-standard procedures are met.

  • We will develop an invariant-based monitoring system, called Safeguard, with invariants specifically tailored for Aave. The invariants will be written by Certora, assisted by BGD Labs for Aave V3 related components and Aave Labs for Gho related components. Alerts, results and data will be shared with BGD Labs as the system’s security coordinators.

    • Since development is still in the early stages and it’s still undetermined when Safeguard will be up and running in stable form, bringing value to the DAO, we offer this at no additional cost on a best-effort basis.

  • We will continue to develop our governance proposal review tool to improve the overall tooling for the DAO in this domain.
    The tool is currently in an alpha version and used solely by Certora. However, on December 1st, we’re expecting to release a beta version to the other service providers to get their feedback and feature requests. In a later stage, we plan to release the tool for public use.

The annual price for the project is $1.7M: $1.15M is paid in Gho vested linearly over one year, and $550,000 is paid in AAVE tokens vested linearly over one year. A 30-day termination is possible after a vote.

Specification

The payload will create 2 payment streams to the address 0x0F11640BF66e2D9352d9c41434A5C6E597c5e4c8 for a duration of 365 days starting from the end of the previous engagement (Sept. 11, 2024).

  • Create a payment stream of $1.15M Gho to 0x0F11640BF66e2D9352d9c41434A5C6E597c5e4c8 for a total of 365-Delta days.
  • Create a payment stream of $0.55M worth of AAVE to 0x0F11640BF66e2D9352d9c41434A5C6E597c5e4c8 for a total of 365-Delta days.

Where Delta is the number of days from September 11th until execution.

The price of AAVE will be determined using a 30-day average.

Next Steps

  1. Gather community feedback on this ARFC.
  2. If consensus is reached, escalate this proposal to ARFC snapshot stage.
  3. If ARFC snapshot outcome is YAE, escalate to AIP stage.

Disclaimer

Certora is presenting this ARFC independently and is not compensated by any third party for creating this ARFC.

Copyright

Copyright and related rights waived via CC0.

7 Likes

Supportive of this ARFC. Certora has been a cornerstone for security within the Aave ecosystem. Their past work should be enough proof, and the increase in price is also acceptable.
Thank you for staying with Aave and its users.

1 Like

Certora has proven to be a critical partner in maintaining and improving the security of the Aave protocol over the past two and a half years. Members of our team were around when they first got involved, and the DAO has not had a hiccup since. We understand this spotless record can be attributed to a few parties, but Certora’s work on governance proposal reviews, incident responses, and smart contract formal verification has provided substantial value, definitely ensuring the security and stability of the Aave ecosystem.

This time, the introduction of the Safeguard monitoring system adds another layer of protection, and the proposed price we think is reasonable given Certora’s ongoing commitment and increases in engagement.

1 Like

Given our role as security coordinator of the DAO, we would like to share our opinion on this renewal:

  • As a disclosure, as with any other entity involved in the security of Aave, we have discussed the potential renewal with Certora in advance, and preliminarily commented to them that we think the duration, items included and budget are acceptable from our perspective.

  • For transparency with the community, our metrics of evaluation to consider the scope acceptable are the following:

    • Given its continuous nature and 1-year duration, the scope can’t be analysed exclusively the way security budgets for reviews typically are, with a rate per day/week. However, as the majority of Certora’s time is spent on security reviews (approximately 50-75%), if translating the overall requested budget to some type of rate per week, the number, even if relatively high compared with the market, is acceptable given the quality, availability and obvious track record.
    • This type of scope is in practice also a retainer for availability. We can confirm that during the previous period, the occupancy (time the security provider has been directly working on specific reviews versus idle in that area) has been pretty high. Certora can provide exact numbers, but we estimate this to be north of 80%-90% of the time. This has a direct influence on our estimation of cost and endorsement of this scope.
    • In addition to security reviews, whenever time allows, Certora has worked on complementary security research items, usually requested by us as a complement to different developments/improvements we make to the system. Even if not totally visible given its sensitivity for the DAO’s operations, we can certify it has happened, and have no doubt it will continue after this renewal.
    • During the initial ~2-3 months of Certora doing independent governance proposal reviews, an initial period of bootstrapping with close support from our side was required. However, since then Certora has been performing their reviews completely independently, complementary to all the work both we and other service providers/contributors do pre-chain. This whole framework of redundancy gives important security assurance to the Aave DAO, and we have no doubt that it is the highest quality standard in the whole DeFi ecosystem, with very strong teams, guidelines and safety measures in place. Certora’s role definitely has value in the budget requested.
    • Regarding Safeguard, our feedback to Certora was that we don’t request it, and even if it can give value to Aave, it should not be the priority or affect in any way the resources allocated to the core sections of the engagement. That seems to be the case in the proposal, so we have nothing against it.
    • Support on incident response also gives additional value to the community. We tend not to share excessive details of internal security procedures (given the nature of software security itself), but we can certify to the community that Certora has always been available for support and expertise at any stage of incident response.
    • Last but not least, Certora has built important, unquantifiable expertise about Aave and the way we contribute to the protocol at BGD. That means that quite frequently it is far more optimal for Certora to do certain reviews than for other parties, given that the context is already built.
  • We have an additional request to be included in the proposal. As with any blockchain security company, the business model of Certora is partially based on providing services to different customers and protocols. Historically, this has not been a problem, but we would like to highlight to the DAO a pretty important aspect of service provider engagements (not unique to Certora at all):

    • The Aave DAO has mainly 2 types of service providers: exclusive and non-exclusive. For example, at BGD Labs we are an exclusive provider, meaning that we simply don’t collaborate with any other lending protocol on anything that could directly or indirectly hurt Aave. The rationale is very simple: our contributions and expertise provided to Aave are extremely strategic to the customer (Aave DAO). If we were contributing to other competitors, it would be impossible not to commercially/strategically affect Aave itself. This also applies to other service providers like, for example, @ACI.
      Then, Aave has non-exclusive service providers too: those are (with minimal respect for standard non-compete policies, conflicts of interest and professional ethics) free to collaborate with anybody, including competitors. This is the case for the majority of the Aave DAO contributors, and a very valid model, definitely required for both the service providers and even the health of the Aave DAO.

      However, in the type of collaboration that we (BGD) (as the core development exclusive contributor to Aave) and Certora (as a non-exclusive security provider) have, things can become “blurry”: we sometimes need to share very deep expertise and strategic aspects of the Aave protocol with the security provider, while the counterparty is working with others.
      Additionally, we have greatly helped build expertise on aspects like governance reviews, without having any assurance that this expertise will not be used with competitors of Aave, which hurts the DAO (the customer that paid both BGD and Certora) and ourselves (our expertise is valuable).
      We have no doubt about Certora’s professionalism in segmenting customers, but our request is the following:

      • Whenever starting to work with a direct competitor of Aave, Certora must disclose the collaboration publicly on this forum and internally with us.
      • Full trust from our side is simply a pre-requirement to work with a security entity on a continuous engagement with Aave. In order to preserve that, and as security coordinator, we want to reserve the right to propose to the DAO a closure of the continuous engagement with 1 month of notice, unilaterally from our side, whenever we have arguments for that trust being broken or breaking. E.g. (purely hypothetical), if any internal design we discuss with the security provider somehow ends up with a competitor of Aave or in the public domain without our explicit authorisation, we would propose immediate off-boarding on this forum.

In summary, as security coordinator of the DAO, we support the proposal, with only the extra request for disclosure guidelines and termination clause.

3 Likes

This is quite a large addendum that I imagine most legal teams (on Certora’s side and Aave’s side) would want assurances about. As this is worded:

if any internal design we discuss with the security provider somehow ends up with a competitor of Aave or in the public domain without our explicit authorisation, we would propose immediate off-boarding on this forum.

How is something like this to be adjudicated? Ideas spread quickly in DeFi, particularly when the relevant information (code) is public. Consider even the mechanisms of Aave. Quite a lot of designs have been copied from Aave and used elsewhere. And likewise, Aave has also used ideas from other lending protocols and integrated them into its current design and future roadmap. This is the natural end result of competition, and certainly we should want some protections built in.

Given the severity of such a clause on immediate off-boarding, it seems quite important to have clarity on the language here. What precisely are the terms for termination? As the request is written right now, there is quite a lot of downside for @Certora here that can materialize even if there is no wrongdoing on their part. For instance, there is too much room for interpretation in the clause “whenever we would have arguments for that trust to be broken”.

For clarification, the second component of our request doesn’t really break any type of standard procedure of the Aave DAO: in practice, for any type of engagement or closure of it, an on-chain Aave Governance proposal needs to be submitted and approved by AAVE token holders. The DAO is the sole decision maker.

And we are referring to cases of private information, both code that is not public and any type of research done internally.

Our request is simply to establish certain minimal governance procedures for that type of situation, because, as we outlined, the situation is the following: if a service provider is exclusive, by definition the trust in it is different compared with a non-exclusive one. And if our scope is to coordinate security efforts for the DAO, minimally we need to have a certain level of trust to be able to communicate to the DAO itself when we determine a partner is adequate or not.

Our only objective with this is to add extra protection on the DAO side for this and future cases, as both development and security are very critical areas. But again, there should not be any reason for this situation to materialise, as we have no doubt about the professionalism of Certora; hence our support for the proposal.

2 Likes