V1 of the Aera contracts was audited by Spearbit in June 2022:
Spearbit Aera V1 Audit.pdf
While these are by no means exhaustive, we think the following risks are helpful to understanding broader vault operation.
The most appropriate vehicle for rebalancing vault holdings is the Balancer V2 Managed Pool instrument. For more on Managed Pools see here. While already used by several teams, the Managed Pool contracts are still in development and have not been finalized or audited. We aim to use the latest deployable version of Managed Pool from the Balancer V2 codebase.
As explained in Balancer Weights, spot price misalignment with market prices can lead to arbitrage and loss of value in the vault. While our deposit and withdraw functions are designed to maintain spot price invariance, there is no guarantee that spot prices are not manipulated between calls to these functions. As such, we always recommend disabling trading before executing deposits or withdrawals. In future versions, an oracle will be introduced to protect against frontrunning even while the vault is trading.
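The spot price reasoning above, worked through as an added example (not Aera's contract code). It uses the standard Balancer weighted-pool spot price formula with the swap fee ignored. The weight-rescaling rule, the helper names, the token amounts, the reference price and the 1% tolerance are all assumptions constructed for illustration.

```python
from fractions import Fraction as F

def spot_price(balances, weights, token_in, token_out):
    """Weighted-pool spot price of token_out quoted in token_in (swap fee ignored):
    (B_in / W_in) / (B_out / W_out)."""
    return (balances[token_in] / weights[token_in]) / (
        balances[token_out] / weights[token_out])

def rescale_weights(old_balances, new_balances, weights):
    """Assumed invariance rule: scale each weight by its balance ratio, then
    renormalise to sum to 1. Every B_i / W_i changes by the same factor,
    so all pairwise spot prices are unchanged."""
    raw = {t: weights[t] * new_balances[t] / old_balances[t] for t in weights}
    total = sum(raw.values())
    return {t: w / total for t, w in raw.items()}

def misalignment(pool_price, market_price):
    """Relative deviation of the pool spot price from an external reference."""
    return abs(pool_price - market_price) / market_price

# Constructed sample state: a 50/50 pool holding 100 WETH and 200,000 USDC.
BALANCES = {"WETH": F(100), "USDC": F(200_000)}
WEIGHTS = {"WETH": F(1, 2), "USDC": F(1, 2)}
MARKET_PRICE = F(2000)   # constructed reference price, USDC per WETH
TOLERANCE = F(1, 100)    # hypothetical 1% threshold

def deposit_usdc(amount, adjust_weights):
    """Single-sided USDC deposit; returns (balances, weights, spot price)."""
    new_bal = dict(BALANCES, USDC=BALANCES["USDC"] + amount)
    w = rescale_weights(BALANCES, new_bal, WEIGHTS) if adjust_weights else WEIGHTS
    return new_bal, w, spot_price(new_bal, w, "USDC", "WETH")

if __name__ == "__main__":
    for adjust in (False, True):
        _, w, price = deposit_usdc(F(50_000), adjust)
        dev = misalignment(price, MARKET_PRICE)
        print(f"adjust_weights={adjust}: price={float(price):.2f} "
              f"deviation={float(dev):.2%} arbitrageable={dev > TOLERANCE}")
```

Without the weight adjustment, the single-sided deposit moves the pool price 25% away from the reference, which is the kind of misalignment arbitrageurs extract value from. With it, the price stays at 2000.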
At this stage the parameter submission process relies on an off-chain algorithm. While we have worked hard to mitigate the power of the parameter submitter role in the contracts, errors in the off-chain code (for example due to errors in data received from an ETL provider) could lead to incorrect parameters being submitted to the vault. The vault owner has the power to stop vault operations at any point and to remove the vault manager role.