Security and Agility of Aave Smart Contracts via Continuous Formal Verification

Details for the community to be discussed apart, we strongly support this renewal proposal, given how vital it is for the progress of all technical development on Aave to have a firm like Certora providing security assurances.

We can certify that during the previous 6 months of work, the professionalism and involvement of Certora in all developments (minor and major) coming from BGD and other technical contributors has been top-notch.




Regarding the main components of the new proposal:

Base price of Certora’s services
Even if the price is quite high, given that it is the same as in the previous proposal, and understanding the demand for Certora’s services, we don’t have any reason to think this is not fair. Maybe it could be helpful (if possible) to disclose some references of market rates of Certora @Shelly.

Fellowships
We think “targeted” grants programs like the previous run between Aave <> Certora should have a long-term goal, and getting part/full-time independent security professionals engaging with the Aave DAO after successfully contributing to Aave projects is the most natural and beneficial outcome.
So we support a model in which the general grants budget is reduced over time, in favor of engagement with proven individuals, becoming an acquisition channel of talent for Aave.
Given that in the previous proposal the grant budget was $200’000 for 6 months, and now it is $400’000 for 12 months, it seems to follow that approach, with which we agree. Still, it could be important if @Shelly could clarify if there is any specific target for the split grants/fellowships out of the $400’000, as again, in our opinion fellowships should get higher allocation over time, and other grants lower.
In addition, given the highly technical knowledge/background required to evaluate the suitability of fellowship candidates, from BGD we are open to collaborating on a one-time review of the candidates and their previous work on Aave projects.

General grants
Involving 20 external security researchers to write 550 security rules on Aave projects, evaluate rules’ quality, organize workshops showcasing Aave’s technology, and the $132’500 that Certora says they provided on top of the initial budget seem enough reason to consider the program a big success.
(It could be important @Shelly to present specific examples of those collaborations with grantees).
So even if we think the size could be something open for discussion by the community, it seems like a good idea to keep some components.

On the previous @fig point, we think that probably Aave Grants DAO is not the proper entity to tackle these “grants”, given the management overhead and quite specific knowledge required to evaluate everything around. It seems preferable that Certora does the “heavy lifting”, having support from technical parties like us (part of our work scope with Aave) or other technical or security contributors (SigmaPrime?) when required.
It goes without saying that we think everything should be fully transparent for the Aave community.
