[TEMP CHECK] Qualify the security incident 04-11-2023 as a shortfall event

Title : [TEMP CHECK] Qualify the security incident 04-11-2023 as a shortfall event
Author : John Doe
Date: 2023-11-11

Motivation

Qualify the security incident reported here: https://governance.aave.com/t/aave-v2-v3-security-incident-04-11-2023/ as a shortfall event in order to activate the safety module.

Summary

Users have lost funds during the aforementioned incident as a consequence of the assets being frozen/paused. Users have reported two types of losses:

  • losses resulting from liquidation
  • losses resulting from high interest rates and accruing interests

As stated in the definition of a shortfall event:

The main role of the Safety Module is to protect the protocol against unexpected loss of funds stemming from:

  • Smart contract risk : Risk of a bug, design flaw or potential attack surfaces on the smart contract layer.
  • […]

Given that the losses reported by the users are:

  • resulting from an undisclosed smart contract risk leading to the freezing/pause action
  • unexpected, given the unexpected nature of the freeze/pause action

It seems conclusive to me that the incident satisfies the definition of a shortfall event.

Specification

This TEMP CHECK does not require any on-chain action or protocol changes.

Disclaimer

No Guarantee of Results; and Limitation of Liability:

This proposal is neutrally presented based on current community sentiment. Given the evolving nature of DAOs, there’s no assurance that the proposed changes will yield the intended results. The author(s) and associated parties are not liable for any outcomes or damages from this proposal’s implementation or lack thereof.

Next Steps

If this TEMP CHECK is approved, the next step is the activation of the safety module.

Copyright

Copyright and related rights waived via CC0.

1 Like

I just want to know who is going to compensate us for “losses resulting from high interest rates”. I’m losing 0.06% of my money everyday and I can’t do anything!!

2 Likes

Thanks for creating this TEMP CHECK proposal and for trying to follow the [ARFC] ARFC and TEMP CHECK Framework.

These parts are not meant to be left void, you can find inspiration in other TEMP CHECK published in the forum. We invite you to edit your post.

Closing the topic meanwhile, will re-open it as soon as it’s compliant with the framework.

update: Topic re-opened after edit.

2 Likes

I am against this proposal.

Do some people here really expect there to be compensation …… when they deliberately move collateral out (during an upmarket) to lower their own Health Factor, and then expect other people to pay for their action?

Eye widening.

The issue is that, in my understanding, liquidation is supposed to be impossible for a paused asset. So either:

  • the reported liquidation didn’t happen,
  • the assets were not paused,
  • a bug/exploit occurred.

EDIT: To whoever is tempted to feed the troll, please don’t :pray:

Ok, so you are saying you experienced liquidation.

Show us YOUR address then, the one which got “liquidated”.

No? Can’t? I will tell you why you can’t/won’t, because you took collateral out.

So it is your own doing that led to your liquidation (if any at all), so why should there be compensation?

*First, let me state how disappointed I am in the AAVE community that it doesn’t really seem to be possible for most of them to come up with a proper proposal for anything. As seen with Harmony recovery, it seems to take a long while to get from bickering about losses (“Give me my money back!!!111one”) to a point where the proper proceedings for an action by the DAO can be activated.*
*This mostly, in my opinion, stems from the fact that most users do not even have a bit of a clue what they put their money into or who “controls” the protocol they put their money into. Ignorance is bliss, I guess.*
Anyway, that’s a topic for another time.

This proposal comes fast but with an incredibly low effort.

First, my opinion: compensation for users that were locked into high interest rates, because they could neither pay back their loans nor did liquidity providers have the option to supply more liquidity to get the interest rates lower again, is a valid claim.

This obviously only goes for paused assets, as in freezing periods it is still possible to repay a loan.

This is also not a task that is too hard, as the markets are literally paused and we have the documentation on chain of who had how much debt during the pausing period. From that, it’s easy to determine who would be eligible.

But we also need a baseline. Users choose the variable debt option because they see 3-4% and think “well, that’s way cheaper than the stable rate, I’ll take it!” but they’re also choosing the riskier option. A choice that needs to be considered when talking about compensation for high interest rate periods outside of their control. Because they may have chosen the option with the belief that they could either switch to a stable rate or repay the debt quickly to forgo high interest rates.
But everyone should agree that users that chose the riskier option need to take personal responsibility for that action and they can not expect to be repaid in full for a risk they were aware of from the start.

So my proposal would be to set a baseline at 5% over the average stable rate over the past 365 days calculated individually for any given market. (i.e. if the average stable rate was 7% over the last year, 12% should be an acceptable interest rate for variable debt positions in an emergency situation).

I would also propose that the AAVE safety module should not be triggered for this. I agree that the function of the module is also for cases like these but the losses are not immediate and the trust of the stakers should not be broken by this, fairly small, loss for users.
The compensation should be paid by fees that go into the treasury over the course of one year, paid out every 3 months as claimable stkAAVE, so that the compensation for the individual wallet could either be claimed quarterly, as it becomes available, or after 12 months in full.
This way the AAVE community will be whole again, the ecosystem will be further secured and the AAVE treasury will have time to “soften the blow”.

From what I see in protocol revenue over the last few weeks, the cost for this proposal would be less than 500.000$ (this is a back of the napkin calculation, please correct me if you have better numbers).

Please discuss and please look at the bigger picture and the good of AAVE when considering this.

For the other proposal, i.e. compensating for fees caused by liquidations, I have not and do not see any evidence up to now to support that this was a protocol issue and not individual decisions that led to said liquidations. In every example I’ve heard up to now the cause was excessive risk taking by the individual, while ignoring the special situation the protocol was in at the time. Paused markets can’t be liquidated. Frozen markets can be repaid, thus there should not really be liquidations if you’re aware of what’s happening.
Show me the evidence and I may reconsider, but I doubt it.

4 Likes

If AAVE governance is a brain, let’s just say this post is meant to be a single neuron firing a signal in the hope to activate the full cortex. I am glad you proposed a more detailed action plan and I agree with all your points.

2 Likes

Ok, but I think it would then be equally valid to claim that I lost huge opportunities by not being able to withdraw my USDC, DAI, and CRV…

I mean, like, wtf.

1 Like

Hello,

With the ACI, we will form a definitive opinion on this TEMP CHECK after all markets are back to normal (expected Monday afternoon UTC for V2).

Meanwhile, we want to remind that the Aave protocol is decentralized, owned, and governed by the Aave governance. Anyone is free to open a standard TEMP CHECK, and constructive discussions & feedback are expected from these propositions.

TEMP CHECKs are, as their name implies, here to gauge community sentiment on an idea. The requirement for technical specification is low, they’re meant to be a first filter that doesn’t require mandatory feedback from service providers and investment of engineering resources to define a path for execution.

After a potential TEMP CHECK successful snapshot, a proposal becomes an ARFC and needs to be more technical and “well-defined” by then.

To keep the DAO inclusive, TEMP CHECK requirements are low, and the ACI Skyward program handles the technical details & coding part on behalf of posters if they get approved at the TEMP CHECK snapshot stage.

Here’s a reminder of how the Aave DAO works :
image

We invite the community to remain civil and focus on constructive debate. While all opinions are welcomed in the Aave DAO, not all ways to express them are, and moderation will be enforced if needed.

6 Likes

I did not argue against that, did I?

But the thing there is that the liquidity provider side benefitted from this situation as well, with being paid high interest rates.

So the situation is that debtors had no opportunity to either withdraw their collateral (because they had locked in debt positions) nor could they repay their debt position while paying high interest rates.

Pure liquidity providers on the other hand could simply not withdraw their provided liquidity while being paid higher than average interest rates.

So everyone should see that one side has it way worse than the other side.

I would also argue that “lost opportunities” are very hard to quantify.

Yeah, so I just hope I can withdraw my supplies soon and move forward

I argue against that

LP provides stable coins which people like you borrow to buy other crypto (or else why would you borrow stables and pay interest?)

You used the borrowed stable coins to buy crypto which experienced a 20% rise this week

Hence you have made money because of the LP liquidity provision of stable coins. The 20% crypto price gain outweighs the 0.5% interest for a week, while LP couldn’t extract their stables to buy in the up market

So if anything it is the LP who should be compensated.

2 Likes

Now that all markets are back to normal, as the ACI we will state our opinion on this proposal:

The responsible disclosure event led to zero user funds loss. That’s a best-case scenario realized.

  • It’s a success of the bug bounty program that allowed a gigachad whitehat to do the right thing and protect the Aave users. (as the ACI, we will support in a separate proposal a just compensation for this person)

  • It’s a success of the guardian role, that coordinated and enforced the necessary security measures they’re elected to perform in this kind of critical scenario.

  • It’s a success of @bgdlabs, our service provider that coordinated, and worked tirelessly to identify the issue, coordinate, patch, and fix everything during these stressful nine days.

However, it’s a fact some users have been locked with higher-than-average borrow rates, but nine days is ~2.45% of a year as rates are annualized; simple maths prove that the actual impact on the position cost is below 0.5-1% in most cases.

These users chose a variable rate defined by supply and demand. Liquidity crush can also happen (especially in rising markets) and increase the cost of borrowing outside special events.

We don’t consider the impact significant enough to trigger the activation of the safety module, and we will support instead allocating resources for the whitehat bounty as a DAO.

The ACI will cast a NAY vote.

8 Likes

We don’t consider the impact significant enough to trigger the activation of the safety module

While I acknowledge the success of the bug bounty program, the guardian role, and the coordination efforts of @bgdlabs, this shouldn’t negate the fact that certain users have experienced losses as a result of the incident. These losses may be slight according to some, but still significant for these users.

Saying that the impact is insignificant and hence does not warrant the activation of the safety module implies a sliding scale for justice that is determined by the size of the loss. This is in violation of the principles of equal protection and the rule of law, where the amount of loss should not determine the validity of its restitution.

The principle of the shortfall event as per AAVE governance rules is crystal clear: It’s meant to protect the protocol against unexpected loss of funds due to (undisclosed) smart contract risk. The magnitude of the loss is an irrelevant factor. By qualifying this incident as a shortfall event, we need to recognize that users have lost funds unforeseen through the freeze/pause action, which is a direct outcome of an (undisclosed) smart contract risk, and thereby we meet the definition of a shortfall event.

Further, the precedent we could potentially establish in deeming losses as too insignificant to execute module safety is alarming. Today, it could be just a handful of users who are affected, but tomorrow it could be a substantial percentage of the community who somehow end up on the losing side of a shortfall event - if you fail to implement the protections you agreed upon in your governance rules, then you undermine the very fabric of the ecosystem you’ve built.

In a decentralized finance environment, transparency, fairness, and adherence to predetermined rules are of paramount importance. Once a shortfall event is identified, actions should be the same, irrespective of the number of affected users or the size of the loss. Governance rules are created to provide recourse for all participants, not just the majority. Your community values should not be compromised, irrespective of the situation.

Thus, I firmly believe that you should proceed with the activation of the safety module and protect all affected users, however few or minor their losses may currently be. It is a matter of principle, not of proportion. You should be guided by the agreed governance rules, not situational interpretation.

@raphael The aave governance governs the Aave DAO.

If you own the AAVE asset, you own the protocol, 100%.

This means that we don’t get to decide what happens. We can only create proposals and submit them to the governance for approval/rejection.

This means that regardless of who you are, how much AAVE you own, and what’s your position in aave, you have 100% the right to submit a standard TEMP CHECK in this forum and collect community feedback.

As the ACI, service provider of the DAO, I will escalate your proposal to snapshot in two days once we reach the 5 days debate period.

I will personally vote NAY as the ACI and I stated our rationale why. Some can agree, some can think we’re wrong and that is fine, they’re free to vote as they see fit and explain their rationale too.

But what is guaranteed 100% is that if the YAE wins on this TEMP CHECK snapshot, regardless of my opinion, The ACI will craft a compliant ARFC on your behalf, define the amount impacted, define a mitigation plan, and publish it. And other service providers will answer to it and provide technical feedback on it.

And if that ARFC snapshot wins as well, regardless of our vote, regardless of other service providers’ opinions, the ACI will write the smart contracts necessary to translate your English words into enforceable code that can trigger protocol action creating requested outcomes.

That is what decentralization & an open, inclusive DAO mean. And the ACI role is to support this.

Aave Token holders have full control of this protocol.

8 Likes

We don’t believe that this qualifies as a shortfall event considering all the steps taken to ensure the safety of the funds deployed and the outcome.

1 Like

@JohnSmith

I vote for …… NAY

Have a good day.