[GRANT PROPOSAL] - Implementing EIP-7265 (Circuit Breakers) to improve protocol security

valerio · July 28, 2023, 4:45pm

TL;DR

This standard outlines a smart contract interface for a Circuit Breaker that triggers a temporary halt on protocol-wide token outflows when a threshold is exceeded for a predefined metric. This circuit breaker does not assume the structure of the underlying protocol, and mainly serves as a pass-through vehicle for token outflows. In order to maintain correct internal accounting for integrated protocols, and to provide maximum flexibility for developers, developers can specify if the circuit breaker contract should delay settlement and temporarily custody outflows during the cooldown period, or revert on attempted outflows.

quote from Fellowship of Ethereum Magicians on EIP-7265: the Circuit Breaker Standard

Overview

GM AAVE Community & AAVE Team,
we are proposing to research and build tailored circuit breaker implementations to improve the security of the AAVE protocol and prevent most known attack vectors by default. Furthermore, our proposal will enhance and highly incentivize governance participation, as we are introducing new governance mechanisms that will allow safe management of emergency situations through DAO votings.

The idea of Circuit Breakers is not new. However, with the most recent developments under EIP-7265, new opportunities have evolved. Especially for asset-heavy protocols such as AAVE. Lightweight updates could exponentially increase the protocol’s security.

Being actively involved in the development of to EIP-7265, we are familiar with circuit breakers and their implementations.

With our contributions to EIP-7265, our research work, and our demos at various hackathons, we managed to prove how exploits on contracts with in-production vulnerabilities could be prevented.

The two main ones have been our Decentralized Circuit Breaker @ ETHGlobal Paris 2023 and our Firewall Hack at SOZU HAUS Paris 2023. Another one has been an on-chain firewall to protect Uniswap v3 from fraudulent contract interactions. A demo of this use-case received great acknowledgement and won over 5 prizes at the ETHPrague Hackathon.

After demonstrating the effectiveness of our approach through our prize-winning demos, and having raised enough confidence in circuit breaker implementations through our research and contributions, we are keen to further this exploration in collaboration with the AAVE Grants DAO.

For this project, we propose to develop a novel on-chain firewall (circuit breaker) system designed for optimal security, flexibility, and governance. This system will provide advanced measures to safeguard AAVE against all sorts of third-party attack vectors, all the while, preserving the core decentralized ethos of AAVE.

This proposed project will not necessitate any immediate changes or updates to the AAVE protocol, until mainnet integration decisions are made.

Why we do this:

$8.6 Billion is locked in Liquidity on AAVE across 5 different networks. If we succeed we will have added another layer of security to AAVE, protecting its assets.

Goals

Develop innovative methods for proactive protocol security within the AAVE ecosystem.
Enhance and secure the upcoming modifications to the AAVE Protocol by integrating tailor-made circuit-breakers.
Quantify and minimize protocol risks through the use of circuit-breakers.
Improve user experience by offering opt-in security features.
Enhancing Governance Participation by adding new functionality that naturally:
1. Motivates participation from individual voters
2. Increases the number of high-quality and engaged delegate platforms
3. Improves the visibility and understanding of governance processes and proposals
Identify and overcome potential implementation challenges before the integration of circuit breakers into the AAVE Protocol.

Project Details:

Core Components

Documentation

Research results outlining the benefits and technicalities of implementing circuit-breaker systems to AAVE.
Detailed description of all functionalities.
Step-by-step guide for circuit-breaker implementation.
Limitations and potential obstacles in the use of circuit-breakers
Suitable governance solutions for handling a triggered circuit breaker event
Outline and Analysis of circuit-breaker event strategies
Github repository, complete with all relevant unit tests

Frontend

Dashboard:
- Security monitoring & analytics
- UI Components, displaying relevant Data
- UX improvements, seamlessly integrating new functionality to the existing interface (if given)
Dashboard, displaying subgraph data relevant to AAVE stakeholders
Governance Interface
- For handling proposals in emergency situations, such as circuit breaker events

Smart Contracts

Development and testing of smart contracts to facilitate circuit breaker functionalities.

Subgraphs

Creation of subgraphs to gather data relevant to firewall functionalities and AAVE stakeholders.

Scope of Work, Milestones, Grant Allocation

We propose to divide the grant into three phases, corresponding to the complexity and novelty of the project. We are asking for an initial grant of $15K for Phase 1. Upon successful completion of Phase 1, we intend to discuss further phases and the corresponding funding requirements with AAVE Grants DAO.

Milestone 1: Research & Proof-of-Concept

Estimated Duration: 1 Month
FTE: 3 (*FTE = Full Time Equivalent)
Costs: $15,000
Estimated delivery date: 30th August 2023

This phase will focus on in-depth research and the creation of proof-of-concepts demonstrating how tailored circuit-breakers can enhance the security and functionality of AAVE.

Number	Deliverable	Specification
1.	Documentation	We will provide both inline documentation of the code and examples that explain how on-chain security methods, mainly circuit-breakers could be integrated to the AAVE Protocol.

All technical components needed to realise this, will be explained.

The documentation will also include the detailed research findings that address

→ technical limitations,
→ potential risks,
→ benefits
→ different technical and non-technical implications for AAVE |
| 2. | Proof-of-Concepts | Based on examples that result from the conducted research, functional prototypes will be build proving its technical feasibility.

This proof-of-concepts also serve for demonstration purposes to the AAVE Grants DAO and its stakeholders, so they have more material to evaluate the further future of this Grant. |
| 3. | Technical Blog Post | A technical blogpost explaining the proof-of-concept and research findings |

We are asking for $15K for this proof-of-concept milestone, to be paid upon grant approval.

Milestone 2: Prototyping & Production

Estimated Duration: 2 Months
FTE: 3
Costs: $30,000
Estimated delivery date: 30th October 2023

The second phase will concentrate on the development and testing of circuit breaker prototypes based on the findings of the first phase. The prototypes will showcase the practicality and benefits of integrating on-chain firewalls into the AAVE protocol.

Number	Deliverable	Specification
1.	Smart Contracts	Development and testing of smart contracts to facilitate circuit breaker functionalities.
2.	Subgraphs	to gather data relevant to firewall functionalities and AAVE stakeholders.

→ relevant for voters and governance overall |
| 3. | Frontend | → Dashboard:
◦ security monitoring & analytics
◦ UI Components, displaying relevant Data
◦ UX improvements, seamlessly integrating new functionality to the existing interface (if given)
→ Dashboard, displaying subgraph data relevant to AAVE stakeholders
→ Governance Interface
◦ for handling proposals in emergency situations, such as circuit breaker events |

The TurtleShell Team will also assist in marketing and explaining the integration, including:

Public blog post and co-marketing.
Detailed technical explanation of circuit architecture.
Detailed analysis of security guarantees.

Milestone 3: Testnet Deployment

Estimated Duration: 1 Month
FTE: 3
Costs: $15,000
Estimated delivery date: 30th November 2023

The final phase will involve the testnet deployment of all firewall components, followed by rigorous testing and refinement to ensure the system is ready for mainnet audit and potential integration into AAVE.

Number	Deliverable	Specification
1.	Testing Guide	All code will have proper unit-test coverage (e.g. 95%) to ensure functionality and robustness. In the guide we will describe how to run these tests
2.	Public and clearly documented open-source repos for:
→ Smart Contracts
→ Subgraphs
→ Frontend	We will provide both inline documentation of the code and a basic tutorial that explains how a user can (for example) spin up the application. Application is up, it will be possible to send test transactions that will show how the new functionality of circuit breakers & governance functionalities, work.
3.	Testnet deployments	all
4.	Informational Publications	→ Blog Posts, etc.

The TurtleShell Team will also assist in preparing the system for mainnet deployment, including:

Coordination with AAVE for all relevant security audits
Operating and maintaining relevant components such as the frontend and governance interface
Providing an open-source implementation for backup

Team

Valerio Fichera

Twitter: valerio_eth
Telegram handle: nft_valerio
Github: valeriofichera

Philipp Keinberger

Twitter: phil10013
Telegram handle: keinberger
Github: keinberger

Vinent Daubry

Twitter: vdaubry
Telegram handle: vdaubry
Github: vdaubry

Resources:

The TurtleShell team is fully committed to this project and excited about the potential to enhance the security, reliability, and functionality of AAVE through the integration of circuit breakers. We look forward to your consideration of this proposal.

link to notion page of this proposal, with all further links

MarcZeller · July 28, 2023, 4:57pm

Hello and thanks for your proposal, this overlaps with @Pauljlei & Gauntlet team work with “killswitch” implementation.

I recommend y’all sync up off-chain before escalating this.

valerio · July 29, 2023, 11:37am

thanks @MarcZeller for making aware of Gauntlet’s “killswitch”. We will take a deeper look into it.

@Pauljlei , we would love to get in touch with you to discuss the overlaps of our different approaches.

We have filled out the contact form on Gauntlet’s website. Alternatively, I would appreciate if you could send me a message on valerio@turtleshell.xyz or ping me on tg @nft_valerio .

We would highly appreciate, if you could take the time to sync up with us on this topic

valerio · August 22, 2023, 2:33pm

please also check our most recent PR on EIP-7265

github.com/DeFi-Circuit-Breaker/EIPs

Add DSM and modularize CircuitBreaker

DeFi-Circuit-Breaker:core-overhaul ← ikigai-labs-xyz:new-architecture

opened 02:42PM - 17 Aug 23 UTC

Keinberger

+1589 -817

# Add DSM implementation and modularize CircuitBreaker @vdaubry and me have b…een working the past few weeks to implement the new CircuitBreaker specifications and optimize modularity. We believe the EIP should provide a modular standard for anyone to extend upon and build individualized implementations. The main characteristic of hacks is “liquidity being drained in a short time frame”. That’s why it makes sense to track that metric on-chain and introduce a CircuitBreaker standard to provide a way to handle unusual TVL activity. Nevertheless, there are multiple other metrics that are also highly indicative of hacks, most and foremost unusual price changes within AMM’s or other protocol specific values that should not be able to change by unrealistic amounts under normal circumstances. That lead us to our conclusion: The CircuitBreaker standard should provide a way to track **multiple** metric**s** on-chain. It might be token outflows, but it should also enable protocols to track other metrics, that are crucial for protocol health. Protocol’s should not be bound to only tracking TVL. Furthermore, that will allow others to build extensions on top of the CircuitBreaker for their specific needs. Crucially, this philosophy is very common when it comes to EIP’s. Two of the most prominent, EIP20 and EIP721, both follow this philosophy: A minimalistic base implementation, that maximizes compatibility and modularization to allow others to build individualistic implementations and extensions. ## The new approach in a nutshell🥜 The new CircuitBreaker base implementation allows the protocol to configure *********************security parameters********************* (a more generic naming for tokenLimiter) for their protocol. Each security parameter has a unique `bytes32` identifier (previously a token address). This still allows protocol’s to configure it to track token addresses, but it also allows protocols to track other metrics. Each security parameter also has to be configured with a `SettlementModule` contract. This contract gets called to “settle” transactions whenever the CircuitBreaker gets triggered. The CircuitBreaker will automatically call the `prevent` function of the SettlementModule. It is up to the SettlementModule implementation to specify what will happen. The prevent function can be coded to always revert, schedule a future transfer (delay the settlement) or do something else. This allows protocols to implement highly individualistic settlement strategies for different metrics. Delaying the transfer or reverting are not the only options anymore. Protocol’s could also choose to let governance settle the transactions or implement other settlement strategies. **And the cool thing about this:** Our proposed approach is perfectly capable of doing the exact same thing as the original CircuitBreaker did beforehand: It can track token in- & outflows and delay or revert potential hack transactions. Even the same, existing Foundry tests pass with our proposed approach. To summarize: We are just modularizing the CircuitBreaker to allow for more customization. It still achieves the existing goals of delaying or reverting transactions. ## What has been changed Our code changes followed the philosophy of introducing minimal code changes to the existing code, while still implementing our new approach. ### **EIP7265 Interface** - Renamed `AssetRegistered` event to `SecurityParameterAdded` - Renamed `AssetInflow` event to `ParameterIncrease` - Renamed `AssetWithdraw` event to `ParameterDecrease` - Renamed `AssetRateLimitBreached` event to `RateLimited` - Renamed `registerAsset` function to `addSecurityParameter` - Renamed `updateAssetParams` function to `updateSecurityParameter` - Renamed `onTokenInflow` function to `increaseParameter` - Renamed `onTokenOutflow` function to `decreaseParameter` - `onNativeAssetOutflow` function is being handled by `decreaseParameter` - Deleted `overrideRateLimit` - became redundant because of `SettlementModule` implementation - Deleted `overrideExpiredRateLimit` - became redundant because of `SettlementModule` implementation ### **CircuitBreaker.sol** This is the new base CircuitBreaker implementation. The new contract only has 236 lines instead of 349 and allows for more modularization. **Changes** - Implemented more generic naming - tokenLimiters mapping uses `bytes32` as the key instead of an address - Renamed “tokenLimiters” to “limiters” - Implemented OpenZeppelin `Ownable` for more security when it comes to admin handling - Deleted gracePeriod - No longer needed - Deleted global isRateLimited variable - Rate Limiting is now being handled on a per security parameter basis. If protocol’s choose to implemented global rate limiting, they can do so by checking the status of a given security parameter limiter. - New `_decreaseParameter` and `_increaseParameter` functions call the prevent function on the SettlementModule in case of the CircuitBreaker being triggered. The prevent function implementation then specifies how to handle the trigger situation, as opposed to locking the funds by default. - Deleted `_safeTransferIncludingNative` - Is no longer needed ### **New: ISettlementModule.sol** The interface defines generic method for a Settlement module. We provided 2 sample settlement modules: - DelayedSettlementModule - RejectSettlementModule Protocol can choose which SettlementModule to attach to each security parameter they’re tracking. But protocol's can also provide their own SettlementModule if they need to. - Renamed “schedule” into “prevent”: each module will have a different way of preventing a transaction from going through. Some module are not scheduling, such as “RejectSettlementModule”. ### **New: IDelayedSettlementModule.sol + DelayedSettlementModule.sol** This implementation is a thin wrapper around OpenZeppelin TimelockController. The DelayedSettlementModule prevent transaction from going through by locking funds in a TimeLock. Funds can be unlocked by the “execute” function. ### **New: ITokenCircuitBreaker.sol** This interface implements the existing event and function naming of the EIP for the TokenCircuitBreaker extension. ### **New: TokenCircuitBreaker.sol** This contract is a wrapper for the CircuitBreaker contract. This wrapper allows for implementing the existing core functionality: Tracking asset inflows and outflows. It showcases how our proposed new CircuitBreaker contract can be extended with only minimal changes to allow for the same functionality.

would love to get the communites feedback in the context of possible implementations on AAVE

Topic		Replies	Views
[TEMP CHECK] Extend Aave DAO with EIP-4824 Governance	4	889	December 8, 2023
[RFC] Tool to stay up to date with the Aave community Other	3	761	November 8, 2023
[TEMP CHECK] Proposal for Senate to Enable Dedicated Tooling for Aave Governance General	15	3976	December 14, 2023
Update on Atlendis roadmap and progress Aave Grants DAO	5	2410	June 10, 2022
Aave Companies: Aave Development Update Development	0	1506	March 17, 2023