Security

V1 of the Aera contracts have been audited by Spearbit in June 2022:

Highlighted Risks

While these are by no means exhaustive, we think the following risks are helpful to understanding broader vault operation.

Use of un-audited Balancer Managed Pool implementation

The most appropriate vehicle for rebalancing vault holdings is the Balancer V2 Managed Pool instrument. For more on Managed Pools see here. While already used by several teams, the Managed Pool contracts are still in development and have not been finalized or audited. We aim to use the latest deployable version of Managed Pool from the Balancer V2 codebase.

See Balancer Managed Pool for more information.

Front running risk

As explained in Balancer Weights, spot price misalignment with market prices can lead to arbitrage and loss of value in the vault. While our deposit and withdraw functions are designed to maintain spot price invariance, there are no guarantees that spot prices are not manipulated in between these functions. As such, we always recommend disabling trading before executing deposits or withdrawals. In future versions, an oracle will be introduced to protect against frontrunning even while the vault is trading.

Parameter submission

At this stage the parameter submission process relies on an off-chain algorithm. While we have worked hard to mitigate the power of the parameter submitter role in the contracts, errors in the off-chain code (for example due to errors in data received from an ETL provider) could lead to incorrect parameters being submitted to the vault. The vault owner has the power to stop vault operations at any point and to remove the vault manager role.

Incorrect weights

The most risky action conducted by a treasury is to enable trading on an Aera vault. If done with the wrong weights, this could lead to a large arbitrage trade and lose value in the vault. The weights need to be selected so that the implied Balancer spot price between each pair of assets is in line with current market prices.

Monitoring

In addition to the work done securing the contracts, the Aera team has a comprehensive monitoring and alerting stack for each deployed vault.