Simple summary
Proposal for the Aave DAO to host a Sherlock contest for the upcoming Aave v3.3 upgrade (codebase HERE, which may still receive very light modifications before the contest), to complement the other security procedures already completed or in progress.
The budget will be $230,000, with a $195,000 fixed prize pool and the rest ($35,000) allocated to the platform and judging fees.
Motivation
In the middle of December 2024, we shared with the community a proposal for an Aave v3.3 upgrade, focused on adapting the protocol for the upcoming Umbrella system (a new iteration of the Aave Safety Module), together with various improvements, mainly to the liquidation engine.
The reception by the community has been positive, and since then we have been doing internal reviews and different security procedures. In addition to those, and similar to what we proposed back in Aave v3.1 with Cantina, we think that, due to the nature of this upgrade, it can be very positive to have an open security contest to maximize the number of experts looking for any type of problem in the codebase.
Even though the experience and outcome with Cantina were very positive, part of our security approach is to try different providers whenever they look solid quality-wise, and/or to introduce new mechanics, as in the case of Sherlock.
Specification
After discussing the optimal contest configuration with the Sherlock team, we think the following is appropriate for the v3.3 upgrade scope:
- The budget and pot size/rules are as follows:
  - 160k for the open prize pot, to be distributed based on findings and the ranking mechanics of Sherlock.
  - 35k reserved for 5 Sherlock senior researchers (Watsons). Aside from the expertise they will directly bring, this also works well with the game theory of the Sherlock contest (more on this below), as their ranking will be on the line.
  - 35k as platform fee for Sherlock, including judging.
  - Fixed contest pot, not conditional. This means the whole amount will be distributed to researchers depending on their performance and the points mechanics, not conditional on any type of high-severity finding.
    We believe security contests should be as fair as possible for participants, and conditional contests (not distributing the whole contest "pot" unless issues of high criticality are found) can lack that perceived fairness whenever the codebase has already been audited, as in our case. In addition, Sherlock has ELO-like mechanics (Watson points) that help to create an optimal environment from a game theory perspective.
- The contest will last 9 calendar days, an amount of time deemed sufficient after discussions with the Sherlock team.
- The start of the competition will depend on the timing of governance procedures, but once approved, the target will be the beginning of the week, on Monday 13th.
- As additional value, the contest will include coverage of $250,000 to be applied to any finding related to the scope during the first month after the codebase is in production.
- Only current BGD Labs team members, those who were team members during the last 6 months, and the auditors of v3.3 are ineligible for any prizes in the competition, given the conflict of interest. Any other entity or individual is allowed to participate.
Next steps
- To avoid any blocker for the planned start date of the 13th, we will immediately proceed with an ARFC Snapshot for pre-approval.
- If the ARFC is positive, we will proceed with all preparations for the contest, supporting the Sherlock team.
- In parallel, we will create an AIP for the funding of the contest.