Simple summary
Proposal for the Aave DAO to have a Cantina security competition for the upcoming Aave v3.1 upgrade, to complement the other security procedures already completed.
The budget will be a total of $195’000, with a $150’000 prize pool and the rest ($45’000) allocated to platform and judging fees.
Motivation
With the Aave v3.1 upgrade well received by the community, and now entering the final stages of its pre-activation governance procedures, from the BGD side we have been thinking about how to add even more security assurances, in addition to what was already done and described HERE.
Open security competitions/contests are seeing important adoption as a good pre-production mechanism: a scope is defined over some public code, and any security researcher can look into it for a limited period of time in order to earn prizes from a common prize pool. The more bugs found (and the more unique they are, amongst other characteristics of the findings), the better the rewards.
We think that a competition can add extra security value for the improvements included in Aave v3.1, and after evaluating different solutions in the market, we have decided that an open Cantina competition fits our requirements.
Specification
After discussing the options with the Cantina team, we propose to create a Cantina competition with the following characteristics:
- $150’000 total prize pot, with the following limitations:
  - If there is any High (highest grade) finding, the whole $150’000 prize pot will be distributed.
  - If there are only Medium or lower grade findings, a $50’000 prize pot will be distributed.
  - If there are only Low/Informational findings, a $20’000 prize pot will be distributed.
  The total funds will be transferred initially to Cantina and, if applicable, reimbursed afterwards to the Aave DAO contracts.
- 20% fees over the total prize pot, amounting to $30’000, plus an additional $15’000 for Cantina judging.
- The competition will last for 10 calendar days.
- The start of the competition will depend on the timing of governance procedures, but if all are approved, the target is the beginning of the week of May 6th.
- Before the start, BGD Labs will collaborate with Cantina to have the best possible setup for researchers to tackle the competition, including but not limited to all required extra documentation. During the competition, we will also give all necessary support.
- The execution of the on-chain AIP proposal will act as a binding agreement between the Aave DAO and Cantina.
- Only current team members of BGD Labs, Certora and MixBytes (auditors of v3.1), and anyone who was a team member of those entities during the last 6 months, are ineligible for any prizes in the competition, given the conflict of interest. Any other entity or individual is allowed to participate.
Next steps
- In the following days, we will create an ARFC Snapshot for the pre-approval of the Competition.
- In parallel, we will start preparations for a positive outcome, including the AIP that will mark the final approval, releasing the funds.