First of all, we thank BGD for their thorough analysis and are pleased to note their overall positive feedback on the Maple protocol.
At Maple, we operate to the highest institutional, technical, and security standards. We welcome constructive feedback, and we are proactively taking BGD’s recommendations on board. The Maple team is already working to address these points and implement the solutions outlined below.
Maple will address the three identified recommendations as follows:
Governor Multisig Timelock
BGD recommendation (1): The Globals singleton contract upgrades that are not time-locked have enough rights to modify critical parts of the system in a scenario where the upgradable admin (currently controlled by the Governor) has its signers’ keys exploited by a malicious actor.
BGD recommendation (2): The Governor + SecurityAdmin pattern can bypass the timelock, which is only enforced when the Pool Delegate initiates the upgradable calls of critical contracts within the system. This could break the system, similar to the scenario above, if a malicious actor gains complete control.
Maple’s Response: To address Recommendations (1) and (2), Maple will update the Governor Multisig to include a 24-hour timelock for all function calls and on-chain actions across the Maple protocol. The Governor Multisig will interact with an immutable smart contract enforcing this timelock for every call, ensuring that even if the multisig is compromised, no changes can be executed instantly.
Maple will make sure to involve BGD in the implementation process to ensure it meets all requirements. Once completed, Maple will request a final review from BGD before jointly updating the Aave community on the forum and being ready for the vote.
Impairment Function - Security Update
BGD recommendation (3): The impairment/disabling strategies action is not time-locked, which could lead to a rapid rate drop, resulting in multiple liquidations and potential bad debt on Aave. A similar scenario could occur if a malicious actor gains control over one of the addresses responsible for this role. We have recommended the Maple team to re-evaluate this flow, to be more defensive, even if keeping the impairment/disabling levers required for the protocol to work.
Maple’s Response: To address Recommendation (3), Maple reaffirms its commitment to the institutional security practices and operational procedures expected of the largest on-chain asset manager. In addition, we will further strengthen the multisig signing policy for impairment and disabling actions.
Finally, Maple will publish a detailed, transparent procedure outlining the process for impairing or defaulting a loan, including the specific steps and conditions required.
Conclusion
With these implementations, Maple is confident that BGD’s concerns are fully addressed. We remain committed to collaborating closely with BGD to ensure the solutions meet their standards and those of the Aave ecosystem and community.