BGD. Aave v3.3 (feat Umbrella)

We can finally share that all security procedures regarding the Aave v3.3 upgrade have been finished.

To summarise:

  • The final version of the Aave v3.3 codebase can be found at https://github.com/aave-dao/aave-v3-origin/pull/87
  • The security procedures applied to it have been:
    • A security audit by Certora, with the report HERE.
      • Overview: Found an interesting problem of the deficit not being properly considered in the interest rate strategy, usually not creating any issue, but potentially doing so in extreme deficit scenarios.
    • A security audit by StErMi, with report HERE.
      • Overview: As usual, very insightful security review, with the most interesting finding most probably being related to the very custom behavior of GHO on Core, and its handleRepayment/accumulatedDebtInterest dynamics, causing slight accounting deviation during liquidations on specific GHO accounts.
    • A security audit by Oxorio, with report HERE.
      • Overview: Final audit of the codebase together with the Sherlock contest, with, as expected, no meaningful findings.
    • Sherlock contest, with report HERE.
      • Overview: Very good participation, with 435 whitehats, amongst them 274 “risking” the ELO ranking on the contest, and 22 out of the top 100.
        Even if there was no finding requiring fixing, we observed important analysis of the protocol in multiple submissions, as proven by 3 out of 4 bounties distributed on Immunefi (outside the v3.3 contest scope) being from the contest’s participants, checking other parts of the Aave protocol.
    • In addition, and even though we will expand on it in a separate thread, we have collaborated since Aave v3.2 (Liquid eModes) with Enigma Dark to create a Foundry-based fuzzing invariant suite for the whole Aave v3.3 codebase.
      The suite is publicly available and runnable HERE.
      • Overview: A more comprehensive analysis will be done, but this suite increases the testing coverage of the Aave protocol as a whole even more, aligned with its Foundry setup, and using the Echidna tool by Trail of Bits under the hood.

Once our internal reviews are finished, we will create the Aave governance proposal for the DAO to vote on the activation of Aave v3.3 across all active networks, with ETA during the first part of next week.

In addition to the already covered $230’000 expenses on Sherlock, and the implicit/proportional cost for the DAO of Certora, an extra $66’400 has been spent on security procedures, to be reimbursed to BGD Labs on the Aave v3.3 activation proposal.
