[ARFC] Aave <> Certora Continuous Security Services

Title: [ARFC] Continuous Security Proposal Aave <> Certora

Author: Certora

Date: 2024-20-09

Summary

With 2.5 years of continuous collaboration and contribution to Aave’s ecosystem behind us, we’re as excited about the protocol’s future as we were on day one!

We offer an extension of our engagement with the DAO for a total period of 12 months. The scope of our offering is divided into 2 parts for transparency on pricing and operational commitment:

  1. Extending the existing services for Aave V3, which include:

    • A full-time dedicated team available to consult, research, and review maintenance work, and new developments.

    • Full ownership over governance proposal reviews - reviewing every governance proposal initiated on-chain.

    • 24/7 availability for incident response, supporting the technical providers in the investigation and mitigation of emerging bugs.

Note that the scope includes all existing V3 instances and all future EVM-based V3 instances.

The price for the above scope is $1.7M. ⅔ of the price, $1.15M, will be made in Gho and ⅓, $0.55M, in AAVE.

  2. Safeguarding transactions against unknown attacks

    • We will develop Safeguard, a modified Ethereum client based on the geth client, for real-time monitoring and invariant checking for Aave V3.

    • We will write and monitor the invariants in real time to add another layer of security to the protocol and collaborate with the relevant entities to investigate and mitigate any suspicious transactions.

Note that Safeguard is a complementary security service we provide free of charge for all existing AAVE V3 instances and all future EVM-based V3 instances.

Price Explanation

Last year, we reduced our prices from $2.7M to $1.5M to reflect the bear market. This year, we suggest a small increase to cover the rise in our costs.

Our regular annual price for professional services is $2.7M. We decided to reduce the price by 37% to $1.7M, to reflect our commitment to Aave’s security.

As in previous years, we request a ⅔-⅓ price breakdown of stablecoin and AAVE, respectively. As service providers and DAO members, we are strong believers in the alignment of long-term players with the protocol. Over the years, not a single AAVE token we received was sold, and the governance power was put to work through delegation to both ACI and StableLabs, which we track closely.

Background and Motivation

In March 2022, we presented a proposal to serve as a DAO security provider, collaborating with the other technical contributors to help Aave deploy the finest and most secure product on the market. In the next six months, we collaborated with both BGD Labs and Aave Labs on several high-profile projects, including the AAVE token V3, governance cross-chain bridge, and Gho token.

Since then, we have continuously served the DAO as a security provider, assisting with dozens of new feature deployments and protocol improvement upgrades (Sept 2022 - Sept 2023, Sept 2023 - Sept 24), preventing several critical bugs from going live and assisting with mitigation of live bugs upon emergence.

In addition to conducting security reviews and formal verification, we also:

  1. Conducted several focused research and investigation efforts of components and features within the ecosystem, reporting to the developing entities about the results and recommending actions to be taken.

  2. Led 6 community efforts to review and formally verify new and existing Aave code. This included extensive education of the independent researchers community on the protocol and ecosystem as a whole.

  3. Took full ownership of on-chain governance proposal reviews, reviewing so far 153 proposals, finding 4 bugs since February.

    • We’re also continuously working with BGD Labs to improve their AIP review tooling - Seatbelt.

    • In addition to developing a complementary tool that helps highlight potential failure points and ensure the robustness of the layered review process.

  4. Assist with incident response investigations and mitigations.

  5. Following successful voting, in August 2024 we admitted our roles as signers for both the governance guardian and protocol emergency guardian.

    • We will continue to act in full trust of the DAO and in collaboration with the rest of the contributing parties to train and act according to the DAO’s best interest.

With the current engagement coming to an end, we propose our services for the fourth time, offering new contribution channels to the ecosystem in addition to the existing ones.

Scope

We present the suggested scope for the following year:

  • Year-round availability of a dedicated team for review of new code. This includes manual reviews and formal verification of smart contracts, as well as the use of additional tools as necessary.

  • 24/7 availability for incident response investigations and mitigation. Of course, this is in full collaboration with the relevant developing entities and BGD Labs, the DAO’s security coordinator.

  • Full responsibility for reviewing every AIP that goes on-chain, preventing any faulty or malicious proposals from being executed and ensuring the highest-standard procedures are met.

  • We will develop an invariant-based monitoring system, called Safeguard, with invariants specifically tailored for Aave. The invariants will be written by Certora, assisted by BGD Labs for Aave V3 related components and Aave Labs for Gho related components. Alerts, results and data will be shared with BGD Labs as the system’s security coordinators.

    • Since development is still in the early stages and it’s still undetermined when Safeguard will be up and running in stable form, bringing value to the DAO, we offer this at no additional cost on a best-effort basis.
  • We will continue to develop our governance proposals review tool to improve the overall tooling for the DAO in this domain.
    The tool is currently in an alpha version and used solely by Certora. However, on December 1st, we’re expecting to release a beta version to the other service providers to get their feedback and feature requests. In a later stage, we plan to release the tool for public use.

The annual price for the project is $1.7M: $1.15M is paid in Gho vested linearly over one year, and $550,000 is paid in AAVE tokens vested linearly over one year. A 30-day termination is possible after a vote.

Specification

The payload will create 2 payment streams to the address 0x0F11640BF66e2D9352d9c41434A5C6E597c5e4c8 for a duration of 365 days starting from the end of the previous engagement (Sept. 11, 2024).

  • Create a payment stream of $1.15M Gho to 0x0F11640BF66e2D9352d9c41434A5C6E597c5e4c8 for a total of 365-Delta days.
  • Create a payment stream of $0.55M worth of AAVE to 0x0F11640BF66e2D9352d9c41434A5C6E597c5e4c8 for a total of 365-Delta days.

Where Delta is the number of days from September 11th until execution.

Price of AAVE will be determined using a 30-days average.

Next Steps

  1. Gather community feedback on this ARFC.
  2. If consensus is reached, escalate this proposal to ARFC snapshot stage.
  3. If ARFC snapshot outcome is YAE, escalate to AIP stage.

Disclaimer

Certora is presenting this ARFC independently and is not compensated by any third party for creating this ARFC.

Copyright

Copyright and related rights waived via CC0.

9 Likes

Supportive of this ARFC. Certora has been a cornerstone for security within the Aave ecosystem. Their past work should be enough proof and the increase in price is also acceptable.
Thank you for staying with Aave and its users.

2 Likes

Certora has proven to be a critical partner in maintaining and improving the security of the Aave protocol over the past two and a half years. Members of our team were around when they first got involved and the DAO has not had a hiccup since. We understand this spotless record can be attributed to a few parties, but Certora’s work on governance proposal reviews, incident responses, and smart contract formal verification has provided substantial value, definitely ensuring the security and stability of the Aave ecosystem.

This time, the introduction of the Safeguard monitoring system adds another layer of protection, and the proposed price we think is reasonable given Certora’s ongoing commitment and increases in engagement.

2 Likes

Given our role as security coordinator of the DAO, we would like to share our opinion on this renewal:

  • As disclosure, similar to any other entity involved in the security of Aave, we have discussed the potential renewal with Certora in advance, and preliminarily commented to them that we think the duration, items included and budget are acceptable from our perspective.

  • For transparency with the community, our metrics of evaluation to consider the scope acceptable are the following:

    • Given its continuous nature for 1 year duration, the scope can’t be analysed exclusively as typical security budgets for review, with a rate per day/week. However, as the majority of time by Certora is spent on security reviews (approximately 50-75%), if translating the overall requested budget to some type of rate per week, the number, even if relatively high compared with the market, is acceptable given the quality, availability and obvious track record.
    • This type of scope is in practise also a retainer for availability. We can confirm that during the previous period, the occupancy (time the security provider has been directly working on specific reviews versus idle in that area) has been pretty high. Certora can provide exact numbers, but we estimate this to be in the north of 80%-90% of the time. This has direct influence on our estimation of cost and endorsement of this scope.
    • In addition to security reviews, whenever time allows, Certora has worked in complementary security research items, usually requested by us as complement to different developments/improvements we make on the system. Even if not totally visible given its sensitivity for the DAO operations, we can certify it has happened, and have no doubts it will continue after this renewal.
    • During the initial ~2-3 months of Certora doing independent governance proposal reviews, it required an initial period of bootstrapping with close support from our side. However, since then Certora has been performing completely independently their reviews, complementary to all the work both us and other service provider/contributors do pre-chain. This whole framework of redundancy gives important security assurance to the Aave DAO, and we have no doubt that it is the highest quality standard in the whole DeFi ecosystem, with very strong teams, guidelines and safety measures in place. Certora’s role has definitely value in the budget requested.
    • Regarding Safeguard, our feedback to Certora was that we don’t request it, and even if it can give value to Aave, it should not be the priority or affect anyhow resources allocated on the core sections of the engagement. It seems like that on the proposal, so we have nothing against it.
    • Support on incident response also gives additional value to the community. We tend to not share excessive details of internal security procedures (given the nature of software security itself), but we can certify to the community that Certora has always been available for support and expertise in any stage of incident response.
    • Last but not least, Certora has built important unquantifiable expertise about Aave and the way we contribute to the protocol at BGD. That means that quite frequently, it is way more optimal for Certora to do certain reviews than for other parties, given that context is already built.
  • We have an additional request to be included into the proposal. Similar as with any blockchain security company, the business model of Certora is partially based on providing services to different customers and protocols. Historically, this has not been a problem, but we would like to highlight to the DAO a pretty important aspect on service providers engagements (not unique to Certora at all):

    • The Aave DAO has majorly 2 types of service providers: exclusive and non-exclusive. For example, on BGD Labs we are an exclusive provider, meaning that we simply don’t collaborate with any other lending protocol on anything that could hurt directly or indirectly Aave. The rationale is very simple: our contributions and expertise provided to Aave are extremely strategic to the customer (Aave DAO). If we would be contributing to other competitors, it would be impossible to not commercially/strategically affect Aave itself. This also applies to other service providers like for example @ACI.
      Then, Aave has non-exclusive service providers too: those are (within minimal respect of standard non-compete policies, conflict of interests and professional ethics) free to collaborate with anybody, including competitors. This is the case of the majority of the Aave DAO contributors, and a very valid model, definitely required for both the service providers and even the health of the Aave DAO.

      However, in the type of collaboration that we (BGD) (as core development exclusive contributor to Aave) and Certora (as non-exclusive security provider) have, things can become “blurry”: we sometimes need to share very deep expertise and strategic aspects towards the Aave protocol with the security provider, while the counterparty is working with others.
      Additionally, we have majorly helped building expertise of aspects like governance reviews, without having any assurance that expertise will not be used with competitors of Aave, which hurts the DAO (the customer that paid both BGD and Certora) and ourselves (our expertise is valuable).
      We have no doubt about Certora’s professionality to segmentate customers, but our request is the following:

      • Whenever starting working with a direct competitor of Aave, Certora must disclose publicly on this forum and internally with us about the collaboration.
      • Full trust from our side is simply a pre-requirement to work with a security entity on a continuous engagement with Aave. In order to preserve that, and as security coordinator, we want to reserve the right to propose to the DAO a closure of the continuous engagement with 1 month of notification, unilaterally from our side, whenever we would have arguments for that trust to be broken or breaking. E.g. (purely hypothetical), if any internal design we discuss with the security provider will somehow end in with a competitor of Aave or in the public domain without our explicit authorisation, we would propose immediate off-boarding in this forum.



In summary, as security coordinator of the DAO, we support the proposal, with only the extra request for disclosure guidelines and termination clause.

4 Likes

This is quite a large addendum that I imagine most legal teams (on Certora’s side and Aave’s side) would want assurances about. As this is worded:

“if any internal design we discuss with the security provider will somehow end in with a competitor of Aave or in the public domain without our explicit authorisation, we would propose immediate off-boarding in this forum.”

How is something like this to be adjudicated? Ideas spread quickly in defi, particularly when the relevant information (code) is public. Consider even the mechanisms of Aave. Quite a lot of designs have been copied from Aave and used elsewhere. And likewise, Aave has also used ideas from other lending protocols and integrated them into its current design and future roadmap. This is the natural end result of competition and certainly we should want some protections built in.

Given the severity of such a clause on immediate offboarding, it seems quite important to have clarity on the language here. What precisely are the terms for termination? As the request is written right now, there is quite a lot of downside for @Certora here that can materialize even if there is no wrongdoing on their part. For instance, there is too much room for interpretation on the clause “whenever we would have arguments for that trust to be broken”.

2 Likes

For clarification, the second component of our request doesn’t really break any type of standard procedures of the Aave DAO: in practise, for any type of engagement or closure of it, an on-chain Aave Governance proposal needs to be submitted and approved by AAVE token holders. The DAO is the sole decision maker.

And we are referring to cases of private information, both code that is not public or any type of research done internally.


Our request is simply to establish certain minimal governance procedures for that type of situation, because as we outlined, the situation is the following: if a service provider is exclusive, by definition the trust on it is different compared with non-exclusive. And if our scope is to coordinate security efforts for the DAO, minimally we need to have certain trust to be able to communicate to the DAO itself when we determine a partner is adequate or not.

Our only objective with this is to add extra protection on the DAO side for this and future cases, as both development and security are very critical areas. But again, there should not be any reason for this situation to materialise, as we have no doubt on the professionalism of Certora; so our support on the proposal.

4 Likes

Thanks, @EzR3aL, @PGov, and @bgdlabs, for your support. It’s extremely important for us to hear the community’s feedback on our past work and the road ahead.

We would like to reply to a couple of points raised here by @bgdlabs and @midapple:

In the OP, we released the list of projects we worked on during the past year (Sept 2023 - Sept 24). Taking into account a couple of confidential efforts we cannot mention here, our occupancy on new development review and formal verification alone is 88% of the time, meaning that on 321 days out of the agreed-upon 365, our team reviewed new code. Moreover, at times we were required to perform multiple reviews in parallel, usually due to a tight timeline from the developing entities. When we were called upon, we made sure to expand our team accordingly to handle the load and fulfil the DAO’s needs. Taking this into account, the total number of days we worked on new code reviews tallies to 448 days (counting multiple times the days we worked on multiple projects in parallel). This brings us to 123% review time in practice.

However, it doesn’t end here. Counting the days of reviewing new projects does not demonstrate the entire value we give to the DAO.

In the 8 months since we took ownership of governance proposal reviews (Feb 5 - Oct 6, 2024), we reviewed 160 AIPs — a rate of 20 proposal reviews per month on average in parallel to any new development reviews.

Any “Idle time” our team had, not performing reviews and formal verification of new development was put to use in various areas:

  1. Defining needs, analyzing data and hands-on development of tooling for:
    1.1. Our governance proposal review tool (Quorum). It is now open source.
    1.2. Another formal verification-related integration.

  2. Doing important organizational work to improve and formalize our procedures and services e.g. onboarding multiple team members for Aave governance reviews to create redundancy in this time-critical job, and defining clear guidelines for governance review procedures in Certora.

  3. Doing important technical maintenance work that accumulates with time, e.g. upgrading CI on various Aave repositories due to structural modifications by BGD or prover upgrades.

We fully agree with the points raised here on the importance of disclosure and confidentiality. Certora has always acted with Aave’s best interest in mind and will continue to uphold strict confidentiality regarding sensitive information. While we have established relationships with other DeFi protocols, including lending protocols, we will never share internal discussions or any confidential data without prior approval from the relevant entities. We also wish to stress that Certora is allocating a dedicated team to Aave. This means the team members aren’t assigned to any work with other protocols - competitors or not. This results in no leak of information and expertise from the team to competitors.

To further enhance transparency with the Aave community, we will soon share the list of lending protocols we’re engaging with and the type of our engagement with them (after getting their consent).

We also wish to remind the DAO that we have historically inserted a 30-day notice termination clause in every continuous engagement offer we proposed, including the current one.

We hope our response clarifies a little more about our work, ethics and procedures.

We look forward to continuing our collaboration with the Aave community and further strengthening the security of our ecosystem together! In the meantime, we’d love to hear more questions and feedback from the community.

5 Likes

We’re very much in support of this ARFC. Certora has been an invaluable partner to the Aave DAO and renewing their services is necessary to ensure the continued security of the Aave protocol.

One interesting point brought up by @bgdlabs is around the disclosure guidelines. From a legal perspective, judging any ‘internal design’ falling into the hands of a competitor or in the public domain may not be the most straightforward, but we do agree with the sentiment behind BGD’s point. We think Certora’s response is more than appropriate and their 30-day notice termination clause adequately covers BGD’s request for a termination clause.

4 Likes

There is another issue worth flagging to the community:

“As in previous years, we request a ⅔-⅓ price breakdown of stablecoin and AAVE, respectively. As service providers and DAO members, we are strong believers in the alignment of long-term players with the protocol. Over the years, not a single AAVE token we received was sold, and the governance power was put to work through delegation to both ACI and StableLabs, which we track closely.”

I have concerns about the potential for conflicts of interest in promising to delegate governance power to ACI and StableLabs, who are significant voters on this proposal. This arrangement poses undue influence on the voting process as something of monetary value is explicitly being promised to two voters.

We have also seen basically all other service providers being paid in GHO. I see no reason why @Certora should be any different. If the goal is to have higher upside in the contract, then increase the service fee or restructure the compensation structure. Otherwise, the community has already shown a preference for paying service providers entirely in GHO.

2 Likes

Even if I did it already in the past, I would like to comment on this, from my personal perspective as AAVE holder, and not really due to my involvement on BGD Labs.

Back in the day, some type of “soft agreement” was established in the community about compensating in $GHO (not other stablecoins) and not in $AAVE, even partially.
Now, with all due respect to the community, this is simply nonsense, and the only thing it does on the short term is hurting the DAO itself, for the following reasons:

  • From the Aave DAO perspective, there is 0 downside for entities doing regular contributions to have exposure on the governance token. If you want contributors caring even directly, what really is the issue with compensating in governance token partially?
    Sure, entities are free to use them however seeing fit, but in the case of Certora they are even delegating their voting power, meaning benefiting directly governance dynamics.
    Creating trends against that is close to ridiculous, knowing that the community is always striving to mobilise more governance power participating and putting “skin in the game” on contributors.
  • Treasury contributors should comment on it (cc @karpatkey_TokenLogic ), but for the DAO, it seems very obvious to me that compensating partially on $AAVE is just optimal.
    Rationale is that on the short term, the DAO has less “cash” (e.g. stablecoins) than governance tokens, “cash” that mandatorily needs to be used for operations.
    So treasury-wise, the value of let’s say $1 in USDC for the DAO is higher than the value of $1 equivalent in $AAVE.
  • Regarding $GHO, the DAO via its GLC (GHO Liquidity Committee) runs different strategies to build liquidity for GHO on the secondary market, supporting adoption.
    Now, by paying in $GHO to service providers, that means direct selling pressure, because at this stage, GHO adoption is simply not enough for using the asset as operational MoE: e.g. salaries will go to fiat from GHO one way or another.
    So the GLC is supporting the build up of liquidity depth, while the Aave DAO (its employer) is basically creating trends that implicitly “eat” into that liquidity built. I think it is pretty obvious why that is not good.
    Of course, GHO at the moment is a pretty stable asset and is really acceptable as payment in SPs engagement, but paying exclusively in GHO all the expenses of the DAO only means that first, at current size, the DAO needs to buy that GHO; second, the SPs need to sell that GHO, totally or partially.

It is probably the moment to introduce a bit of rationality on this.

3 Likes

I think @eboado is right here. I myself in the past said it’s better to pay in GHO or other stables. But after talking to finance and growth SP I have learned better. Stables are hard cash for us we can use better. There is no sell pressure on GHO and because Certora is delegating those Aave tokens we are simply getting more governance activity.
I would only suggest to Certora to think about splitting to more delegates to create a better balance.

2 Likes

Thank you for your reply @midapple.

We understand and appreciate your concern about the compensation composition and conflict of interest.

Starting with the composition, as we wrote in the OP and like @eboado mentioned, as active DAO members, we think that paying a portion of the compensation to SPs in AAVE has a few upsides:

  1. An SP who requests compensation in AAVE signals a long-term commitment and shows they are willing to put skin in the game. For an SP, there’s little incentive to request AAVE just to convert it to cash, especially when stablecoins are an easier option for those who need liquidity. If an SP needs/wants their payment in cash the safest strategy is to ask for compensation 100% in stablecoins.
  2. Accepted SPs, by definition, are valuable to the DAO. They are trusted to perform development and maintenance work given their capabilities to benefit the DAO. Given our explanation in point No. 1, we think that keeping these capable entities as stakeholders in the ecosystem is beneficial. Even should an SP get offboarded from the DAO as we saw in the past, they still have little incentive to hurt the DAO intentionally given their stakes.

Now of course we are aware that paying large sums of AAVE to a single entity makes the DAO prone to price manipulation or just high volatility in AAVE prices due to large centralization of the token’s holding. That’s why in reality we believe that the portion paid in AAVE needs to consider the fact that SPs have operational expenses and that, in the short-to-mid term, they will need cash to pay wages, etc. This is why we’re asking for the majority of our compensation in stablecoin.

We are also aware that the DAO prefers to pay in GHO for obvious reasons, and this is why we ask for the “cash” portion of the compensation to be paid in GHO instead of any other stablecoin.

Regarding the conflict of interest, having explained why we think compensating significant SPs in AAVE is beneficial to the DAO, we need to also highlight that due to our high occupancy, we cannot maintain the high participation rate that we believe is appropriate from a significant stakeholder. This is why we support a representative approach to governance participation. Once a year we consider our representative subject to several parameters - participation rate, transparency and elaboration of reasoning for voting on each proposal and actual voting decisions on core subjects that we have strong opinions on.

Our current delegation split is as follows:

  • Proposition Power: Our entire proposition power is delegated to @ACI. We believe that ACI facilitates a lot of the overhead of AIPs through the Skyward program, and so far, we have only positive things to say about them and their operation. We see a great benefit to the DAO in maintaining ACI in a proposition readiness position at any given time, and by delegating to them, we help in both promising a significant surpassing of the proposition power needed to propose and diversity of proposition power sources.

  • Voting Power: Our entire voting power is delegated to StableLabs (@Kene_StableLab). We recently reconsidered our delegation for the new year and decided that we’re happy with StableLabs. Their participation rates are among the highest in the DAO, their delegate platform is well-maintained, and one of the most elaborative in the DAO, and we are yet to find them disagreeing with us on what we consider core decisions.

The fact is that the alternative to our delegating is potentially a low to medium participation rate and, hence, a lower diversity of opinions on the majority of AIPs.

With that being said, we see the benefit of diversifying our voting power delegates to multiple entities like @EzR3aL suggested, and we will consider doing it in the near future.

5 Likes

Thanks for the discussion @eboado. The more important issue is the promise of delegation to two voters, which is my primary concern. I do not think it is debatable to say that this is a clear conflict of interest that should be avoided, or at the very least explicitly called out and discouraged. It is not too hard to see how this can be viewed as Certora bribing its way towards renewal and ensuring that it gets renewed in subsequent years as the delegates it has promised delegating to continue to accrue governance power. These concerns are valid regardless of the quality of @Certora’s services and the identity of the delegated parties. At minimum, there should be no promises on how the delegated power is to be used.

Regarding compensation with GHO: I do not have a strong opinion either way. I will say that your arguments against GHO being used for compensation can be summarized as: “We should avoid paying Aave service providers in Aave’s stablecoin because our stablecoin is not well suited for payments.”
So it seems to me that the solution is to improve the stablecoin product.

Thanks @Certora for your response and the information about the delegation split. The rationale for who is receiving the delegation makes sense. As mentioned in my previous paragraph above, this is not about the choice of the delegated parties. But now that we’re on this topic anyhow, I think it would actually be beneficial to the DAO if some/all of the proposition power is delegated to another party for further distribution of this power. Even if Skyward is a service to be made available for all, this is still a centralization vector. We have seen proposals delayed for months with little transparency into why that is the case:

It would be good for the DAO to have another entity/party making proposals to further decentralize as @EzR3aL has mentioned.

3 Likes

Proposal has been escalated to ARFC Snapshot.

Vote will start tomorrow. We encourage everyone to participate.

3 Likes

  • Not particularly in favour of unilaterally cutting agreements by another service provider without a governance vote, any such should be done by the governance (anyone can raise such proposals if there are severe doubts of the service provider’s ability to perform or their dedication to their commitment or to any arising obligation that comes with the commitment is questionable).

  • Disclosures do make sense since they help to assess any potential conflicts.

  • Agree on the idea to favour more payments in AAVE to advance skin-in-the-game but would see more of a case by case basis and mixture, but ensuring that it’s not skewing towards mainly GHO (the cash component of the DAO).

Overall supportive of Certora’s proposal in the current form.

7 Likes

Certora has been a valuable contributor to the Aave Protocol, and we are glad to support this proposal.

2 Likes

After Snapshot monitoring, the current ARFC Snapshot has just ended, reaching both Quorum and YAE as winning option, with 766K votes.

Therefore, the ARFC has PASSED.

Next step will be the publication of an AIP for final confirmation.

2 Likes