Sigma Prime: Security Assessment Services for Aave

Executive Summary

Aave’s success relies partly on its ability to deliver high quality products with a strong security posture. To date, and despite the large TVL potentially attracting a lot of malicious actors, Aave users haven’t suffered any losses due to smart contract bugs or vulnerabilities. Lately, it has been increasingly difficult to contract reputable smart contract security auditors, as most of the prominent firms in this space are booked out for months.

The aim of this proposal is to ensure Aave receives high-quality security assessment services to address all upcoming updates to its protocols, including critical upgrades such as the v2 → v3 migration.

Sigma Prime has been providing security assessment services to Aave for the past 2.5 years, reviewing critical components such as Aave v2 and v3, along with various other changes made to the lending platform.

Background

Sigma Prime is an information security consultancy who specialise in Blockchain technology and are mostly based out of Sydney, Australia.

The primary focus of Sigma Prime is to help secure distributed systems through in-depth security assessments of decentralised projects, while concurrently researching and developing core Blockchain infrastructure. Over the past 6 years, we have been working with some of the most prominent organisations in the space: the Ethereum Foundation, Chainlink, SushiSwap, 1inch, the Filecoin Foundation, NEAR, Arbitrum, Lido, Rocket Pool, and plenty of others. Some of the reviews that have been made public and performed recently are featured here.

Sigma Prime is also the founder and maintainer of the Lighthouse project, an open-source implementation of the Ethereum Proof-of-Stake Consensus specification, written in Rust. Lighthouse is one of the leading Ethereum consensus client implementations and has a particular focus on performance and security.

Throughout the works performed for Aave, the feedback received from the leadership team has been very positive, as can be seen here. We have gained a high degree of familiarity with the protocol, which we intend to leverage as required for the delivery of this engagement.

Proposal

This section outlines the terms of a master services agreement between Sigma Prime Pty Ltd and Aave for security assessment/consulting services:

  • Duration of the Agreement: 12 months
  • Commitment: 240 person-days + 40 optional person-days
  • Start Date: July 4th, 2022
  • Minimum Consultancy Fee: US$ 1,296,000, to be paid in USDC and/or USDT
  • Maximum Consultancy Fee: US$ 1,512,000, to be paid in USDC and/or USDT
  • Payment terms:
    • 50% of the Maximum Consultancy Fee at the signing of the MSA
    • Remaining Consultancy Fee (either 50% of the Maximum Consultancy Fee, or Minimum Consultancy Fee - 50% of Maximum Consultancy Fee) at the completion of the MSA or at the latest 12 months after the start of this Agreement
  • Scope of Services:
    • Smart contract security assessments
    • Web/API application security assessments
    • Mobile application security assessments
    • Cloud infrastructure security reviews
    • Security awareness trainings
    • Social engineering activities
    • Security processes and organisation consulting
    • Red-teaming exercises
  • Engagement Process:
    • For each security assessment, the primary deliverable will be a report-style document listing any vulnerabilities discovered during the security review, along with a test suite, built using Brownie. For security awareness training and security processes and organisation consulting, deliverables will be agreed upon with Aave at the start of the engagement.
    • Bored Ghosts Developing (BgD Labs) will facilitate the engagement process by vetting the targets for each testing window, and ensuring that the security assessors have access to the relevant entry criteria (documentation, target commit, etc.)
    • Multiple projects can be targeted in a single testing window, if time permits.
    • While Sigma Prime expects the vast majority of the allocated effort to be dedicated to smart contract security assessments, other security activities can also be conducted (see Scope of Services).
    • For projects requiring a high level of familiarity with the core protocol (e.g. v2 → v3 migration), Sigma Prime will utilise the same resources allocated to Aave on previous engagements.
    • As part of this agreement, one testing window will be made “optional”, meaning that if no targets are available, that allocated effort will not be charged to Aave. This provides some degree of flexibility, while guaranteeing availability of security assessors throughout the duration of the agreement.
  • Timeline:
    • This agreement provisions the following testing windows for Aave:
      • Review #1: 40 person-days | July 4th to July 29th (v3 Migration)
      • Review #2: 40 person-days | August 8th to September 2nd
      • Review #3: 40 person-days | September 19th to October 14th
      • Review #4: 40 person-days | November 14th to December 16th
      • Review #5: 40 person-days | January 16th to February 10th
      • Review #6: 40 person-days | March 13th to April 10th
      • Review #7: 40 person-days | May 8th to June 2nd
    • If one (or more) of these testing windows is not used by Aave, the Minimum Consultancy Fee will apply. If all testing windows are consumed, the Maximum Consultancy Fee will be charged.
  • Example of targets:
    • Aave v2 → v3 migration on Ethereum
    • A new version of the AAVE token, mainly reducing code and changing delegation
    • A new version of the staticAToken, a wrapper that makes the aToken increasing in value via exchange rate, instead of balance
    • A new iteration of the Aave governance, based on storage proof voting on a different chain
    • A migration of the AAVE/ETH Balancer pool from Balancer v1 to Balancer v2

Next Steps

We’re very excited about this proposal and look forward to hearing from the community! Massive thanks to the BgD team who reached out to us and provided feedback as we crafted this proposal. Here are the following steps we anticipate:

  • Step 1: Governance Forum Discussions (5 days)
  • Step 2: Creation of Snapshot Proposal (6 days)
  • Step 3: Creation of on-chain proposal if outcome of Step 2 is positive
  • Step 4: Project kick off if outcome of Step 3 is positive
3 Likes

Support of this proposal from BGD :+1:

One of our responsibilities concerning the development and security of the Aave ecosystem is to support other parties doing quality work to start a valuable relationship with Aave.
The case for Aave <> Sigma Prime is pretty straightforward for us, with the rationale being:

  • We (BGD) have worked with Sigma Prime in the past and can certify the diligence and quality work of the team.
  • As mentioned in the introduction, Sigma Prime is familiar with both Aave v2 and Aave v3 codebases, which removes the risk for the community of engaging with somebody not having specific knowledge about Aave. Team members participating in those previous Aave projects will be allocated to Aave during the engagement, which is a must.
  • We believe the budget is reasonable, considering the quality and length.
  • Given the decentralized nature of the contribution to the Aave ecosystem, we value the flexibility proposed with the 240+40, as it can be challenging to define a strict roadmap, with potentially new parties starting their contribution in the middle of the engagement.
  • Having relations with both Certora and Sigma Prime will put Aave in a pretty good position security-wise, covering 2 of the main parts of the lifecycle: verification of properties and security reviews.
1 Like

Every $ spent focused on the safety of the Aave users is well spent.

Sigma Prime & Aave have a long and successful relationship history.

Complete support of this proposal and glad Aave DAO is reaching the maturity and revenue to pick up its own bills.

2 Likes

Supporting as well SigmaPrime. I stumbled upon their work on ETH 2.0 validators couple of years ago and we contracted audits on our developments on Aave V2 and Aave V3 (attached links to the audits if anyone wants to review their previous work).

SigmaPrime focuses a lot on testing and the quality has been one of the bests and the budget is reasonable on the amount of work proposed. Would also recommend to keep the targets flexible so that new innovation can be audited that might not be yet on the pipeline and also would give flexibility in case some of the items in roadmap gets postponed.

Would have loved to see also the key contributors whom would be contributing to the workflow and taking the responsibility of the project as whole.

1 Like

SigmaPrime have continually shown expertise and care in their work with Aave Companies, and are incredibly well acquainted with the protocol and its’ codebase.

On top of this, security is fundamental to the protocol’s success and the work that SigmaPrime will be doing works well in conjunction with Certora’s work.

It is also a positive step to see more teams proposing to become contributors within the Aave ecosystem. This drives decentralisation in the community and furthers innovation for the protocol.

3 Likes

Aave’s top priority is to ensure the safety of funds on the protocol

Sigma Prime has been a key partner, testing and validating the security of Aave V2 & V3 smart contracts

For this reason, Sigma Prime is in a privileged position with both knowledge of the protocol and technical expertise to put to the benefit of the Aave DAO

Full support for this proposal and excited to see the Aave DAO contributor team grow :ghost:

2 Likes

AAVE needs audit reports for their new smart contracts, and that’s all. All the smart contracts are onchain, which means if there is a bug used by hackers, the security firm can do nothing with it. Spending 1.5 million dollars on security a year is a joke to me, cause this can not help AAVE at all. As a AAVE holder I will vote against this and make sure AAVE spend the funds in the right way to help this protocol grow.

Security is the highest priority for the aave protocol

Sigma Prime has had a long relationship with Aave providing security auditing services of the contracts for v2/v3. They have proven themselves as a valuable resource to the protocol and its exciting to see them become dao contributors.

In full support of this proposal

1 Like