[Temp Check] DeFiSafety Quality Certificate

Author: Rex Hygate

Date: 2024-04-10

Summary

This forum post is a request for 15K of funding for a DeFiSafety quality certificate for AAVE V3 and AAVE V2. This is an annual amount. We made this request last year and it was granted via a grant. This year when we talked to the grant team they stated it would be better funded by the DAO as the grant team does not want to fund regular costs.

The DeFiSafety Quality Certificate acts as a badge of quality for users who do not understand a list of smart contract audits. We ask that the certificate logo is added to the security page of the AAVE documents and for context of liquidity providers.

Motivation - Why should AAVE support DeFiSafety?

Our goal is to give users of DeFi a badge of quality they can understand, audit and trust. A list of audits means nothing to most users. In order for good protocols to gain the trust of a larger audience, a clear and understandable badge of quality is required. We want an equivalent to ISO 27001 or SOC2 but for DeFi.

The DeFiSafety Quality Certificate this request funds is that badge. The certificate itself is the gold badge evident on the recent reports for AAVE V3 (AAVE V3 - detailed report | DeFiSafety) and AAVE V2 (AAVE V2 - detailed report | DeFiSafety) and our reviews page (https://www.defisafety.com/app). It indicates quality and refers to a human readable, auditable report with references. We know that a high DeFiSafety score does not guarantee there will be no security events. But it does provide assurance that the protocol is following best practices and has auditable transparency.

In addition to the financial funding requested here, there are other steps where the AAVE community could significantly help. The first is simple. Please support us by placing the DeFiSafety quality certificate logo on the security page of the AAVE Gitbook. We understand this is an AVARA decision and we are working on that conversation. Any support representatives of the DAO can give would assist.

Also, any connections with liquidity providers would be appreciated. If quality certificates are going to become popular, liquidity providers will drive acceptance. For many DeFi protocols will not fund a quality certificate without a clear financial incentive. If a liquidity provider requires a DeFiSafety quality certificate before depositing funds in a DeFi protocol, then this is the incentive the DeFi protocol needs. It also greatly assists the liquidity provider by giving a minimum benchmark in quality and transparency of DeFi protocols.

Specification

Inclusion of the DeFiSafety Quality Certificate logo [html available upon request] on the AAVE docs Security and Audits page and/or on the website.

Duration & Proposed Budget

15k single milestone
Duration of certificate: one year from payment of milestone

Useful Links

Thank you for your attention. I am available for any questions or comments.

1 Like

Hi, please change your post to match the forum guidelines, see here.
You would have to start with a TEMP CHECK.
[ARFC] ARFC and TEMP CHECK Framework - Governance - Aave

1 Like

Done. Modified to meet temp check standard.

Hi and thanks for the TEMP CHECK.
While I always value security and think it’s the reason most people are using Aave, I don’t see any value in paying 15k for a certificate. To be honest, I have never heard of DeFiSafety before and I don’t think the regular user has either, nor is he/she looking for a certificate before using Aave.
Aave as a brand is widely known and also its security standards. But these are maintained by the people developing it and making sure we have proper risk management. Which basically means it’s safe because of everybody contributing to the DAO.

What I see here is only a loss of 15k while I don’t see any benefit.
This doesn’t mean it won’t be approved in the end, just my opinion.

1 Like

How will an outside user understand that a DeFi protocol has basic quality and is at least slightly safe? DeFiSafety quality certificates are an answer to that question. We are asking for the support of the DAO in developing and popularizing an answer to that question.

The first question this forum post asks is should any AAVE DAO resources support the concept of an independent (independent of any protocol or chain) quality organization?

If the answer is no, the status quo is fine, then consider what will happen if a regulator imposes a quality standard on DeFi protocols. If the DeFi industry does not have an existing, in-house standard then each protocol will be weak in arguing against whatever it is the regulator imposes. Better to support the devil you know than the unknown in the future.

At the moment there are no quality organizations and users are left on their own. DYOR, read the audits, ask around. But be careful what you read, most posts are scams or pump and dumps. The environment users have right now is not welcoming. This toxic environment limits the number of users of DeFi and directly limits the number of users that AAVE gets.

So that is two reasons why supporting this proposal will directly assist AAVE. Supporting a quality organization will at least slightly tame the wild West and increase the number of users of the AAVE protocol. It will also mitigate the risk of a regulator-imposed security standard that is more difficult than the existing standard.

We are asking for 15K (barely a month burn rate) so that we can remain independent. We are also asking that the capable and respected AAVE DAO community spread the word among other protocols that supporting an independent quality group is worth the effort. This idea needs active community support, or it will die.

DeFiSafety has been reviewing DeFi protocols since 2020. We have reviewed AAVE four times since then. Check the post from last year for the links. We have been provably independent all that time. We are the best existing group to act as a quality organization. We would prefer if the quality standards were developed by community working groups. We hope this will be done in the future. Right now, our standards are the best out there. They can be improved, and we would love more community input. But they are still a good baseline. Our reports are human readable, auditable and consistent.

Look at the security page referenced from the menu of the AAVE.com website. To someone outside of Web3 and software development they are incomprehensible. It is impossible to compare the list of audits in one protocol from the list of audits in another. We have to improve if DeFi is to grow.

DeFiSafety quality certificates offer a potential improvement. We ask for support of the DAO in this improvement in the DeFi ecosystem. As indicated above there are clear benefits for the AAVE protocol.

1 Like

If Aave was already certified in the past with this I’d assume these don’t expire unless protocol changes… what is the annual fee for? Also can you link all others that have been certified. Thanks.

The intent was that certifications would provide a steady income from many different protocols. This would make DeFiSafety financially stable and independent of any individual protocol or chain. Also, you need to update the reviews at least annually. The reviews include links to documentation and website as justification for the score. These links change frequently. If you look at the list of reviews DeFiSafety has done, the ones with certificates have the badge visible.

DeFiSafety has been an entity doing security overview of protocols like Aave since the very beginning of Aave v1, and last year we supported a grant for their effort and to help them keep their independent/impartial nature.

We still think that a protocol/DAO like Aave should be at the forefront of support for this type of initiative, setting an example as market leader by helping projects whose monetisation is complicated without losing independence. However, being structured as a yearly subscription, we think Aave must get some type of benefits together with some type of spotlight as backers of the project.

1 Like

Clearly this temperature check will not pass. This is not surprising and in line with the rest of the DeFi ecosystem. Even four years after DeFi Summer (when you would think the industry should be at least slightly mature) there is absolutely no interest or support for an independent quality organization (or many other industry organizations). For many, they think DeFi should not have any centralized organizations; wild west DYOR, read the audit, if you can understand it, call it what you will. Many others see quality as Somebody Else’s Problem. They don’t think it is a bad idea, simply not one they should pay for. We have 15 retail subscribers!

AAVE was the only major protocol that “supported” the concept of Quality Certificates last year, and thank you for that. Virtually all of the other protocols we canvassed simply felt there was not enough in it for them. An independent quality organization had no value. DeFiSafety was only seen as a vehicle for potential promotion of the protocol or chain. If you don’t help me you have no value.
These narrow, self-centered attitudes are worse now than they were before the crash. We find more protocols and chains with closed source now than before. People find value in not sharing and there is virtually no pushback.

AAVE is a great protocol with a really good team. The decentralized management structures are excellent. There are other protocols that are great also. But the space as a whole is spiraling downhill.

DeFiSafety will be transitioning to consulting. I need to make a living wage and clearly DeFiSafety cannot meet that need. We are doing L2 chain analysis for Compound right now. If you know any needs for security analyst work, let us know.