Thank you, @fig, @bgdlabs and @d0bby for your prompt responses.
To @fig’s first point:
This is a renewal of an existing grant and our team is still working with Aave closely. We are currently reviewing code changes and rules, hence the rush to submit now.
To @fig’s, @d0bby’s and @bgdlabs’s points about the community grant:
@bgdlabs: present specific examples of those collaborations with grantees
High security bug found by a community member on AAVE Token V3: https://www.certora.com/wp-content/uploads/2022/09/Formal-Verification-Report-of-AAVE-Token-V3.pdf
The biggest potential success of community engagements like this is bringing new talent to work closely with the DAO. Out of the 20 participants, several outstanding researchers expressed interest in contributing to security on a regular basis and with high availability. We are now picking the finalists and we will let the community know.
@d0bby: Might some or all of the proposed grant reviewers (two people from Aave BGD, one person from the Aave team, and two people from Certora) be willing to contribute a bit of their time to Aave Grants DAO by acting as the final due diligence hurdle for these types of requests?
From our experience during the last 6 months, community engagement in the rule writing process has had a net-positive effect on the overall security of the reviewed projects.
We believe that running such a process requires technical review, and that it was handled successfully during the last 6 months. We welcome other suggestions from the community regarding the management and the structuring of the grants program.
We note that we will continue to do the heavy lifting of review while members of the committee will serve as “watchdogs” and ensure transparency, even if the grant is not run by us. Finally, we plan to give access to the platform to all the participants.
@bgdlabs: Maybe it could be helpful (if possible) to disclose some references of market rates of Certora
The current SaaS pricing for complex code bases is $2M per annum since it requires huge support from R&D personnel. The price for professional services is $80,000 per week. This includes two security engineers and one security researcher. Here we are charging $2.7M per annum and allocating up to six security engineers, a security researcher and multiple R&D persons for the whole year. We are also granting unlimited access to our platform for anyone who wants to contribute rules.
@bgdlabs: clarify if there is any specific target for the split grants/fellowships out of the $400’000, as again, in our opinion fellowships should get higher allocation over time, and other grants lower
Agreed. As mentioned before, we have contacted several excellent researchers, and we hope that we can allocate $150,000-$200,000 of the currently proposed grant programs to 2 or 3 such persons.