ETH/AAVE implementation and security review kick-off

Co-author: @William

Summary:

The Idle Labs team has been taking care of a couple of items in our community roadmap in the last weeks. The next step would be to go through a security review and bring these new features to the production stage, following a security-first approach.

Current ready-to-review items are:

• WETH integration for the Idle protocol
• Aave v2 wrapper integration

IdleWETH is currently available for test in the beta stage, and has the same structure as other idleTokens (audited multiple times). The only review we would need to have is on the Aave v2 wrapper contract (and a couple of lines to support WETH wrap and unwrap for the Compound wrapper). An ETH/WETH converter is available in beta, and will be available in prod once voted and live.

Rationale:

ETH is the most liquid asset (and next up in terms of PRF as reported here), potentially attracting a ~$3B worth of potential TVL. IdleWETH will be embedded with Aave V2 support. This would allow us to test Aave’s contracts with this new strategy and migrate other idleTokens next.

According to the Aave’s roadmap, the migration from V1 to V2 should happen in about one month. Even if this deadline might be extended, Idle protocol should schedule this update on time. The Idle community has been discussing this migration between Dec 2020/Jan 2021, and proposed an implementation in early Feb 2021. Aave v2 supports WETH, and in this way we would be able to optimize its rate between Compound and Aave. Other strategies and support for protocols might be added in the future.

An adaptive fix is already in place in IIP-4 to accommodate this implementation. The migration from Aave V1 to V2 would not likely happen in a single moment, but we expect a gradual process where funds are partially allocated to the newest protocol’s version.

I think this proposal had sufficient visibility and we can now move it to the security review phase and then proceed with the on-chain vote.

Code References:

• Aave v2 implementation (here)
• WETH implementation in Compound (here | here | here)

Security Review Proposal:

We’d like to kick-off a review via dao.review via an official proposal in their forum, we estimate this can be processed in 1-2 weeks. This has also been proposed here, and no objections have been brought up – we will post a proposal in dao.reviews forum in the next few days.

After peer-review completion, we will proceed with a preemptive Consensus Check (1-2 days), and the related on-chain proposal (5 days) in order to bring ETH and Aave v2 for all idleTokens in the main dashboard.

Pending community approval, the last step would be to enable $IDLE liquidity mining distribution to idleWETH pool (either via the aforementioned on-chain proposal, or in a separated one).

Posted here Idle Finance aave v2 wrapper review Ask - Ask Reviews - DAO Reviews

Initial review for Aave V2 wrapper

Going ahead with IdleCompoundETH upgrade

Let’s make sure to not make the same mistake as furucombo.

First review for the CompoundETH connector

Looking forward @william

Awesome thanks for the review @emilianobonassi , posted my comments and fixes here Idle Finance aave v2 wrapper review Ask - #12 by bugduino - Ask Reviews - DAO Reviews

Cool, reviewed everything LGTM, I’ve only appended a further improvement for CompoundETH

Great added comment + fix Review CompoundETH · Issue #7 · Idle-Labs/idle-contracts · GitHub and closed the issue.

I think we can now redeploy those wrappers for idleWETH, check that everything works as expected once more and then move it to out of beta. After that we can create a proposal for the addition of the new aave v2 wrapper to all others idleTokens

That’s a good way to proceed

The 2 reviewed wrappers have been deployed and hooked to IdleWETH:

IdleCompoundETH address: 0x9A7aCA7618801ca90f91BeAa5a1A2E90a55605CA
IdleAaveV2 address: 0x3C5a5D7832e9084fD88885823aFA8Cd99250a70c

I think that the review can be considered concluded now and we can proceede with the payment of the bounties. I propose the following rewards (for ref the range proposed was 30-60 IDLE per reviewer)

• @emilianobonassi 60 IDLE: the review was accurate and with lots of implementable fixes and improvements. This is the overall quality expected for reviews imo
• AlexTheEntreprenerd 10 IDLE: the review should have been definetely more detailed and it lacked of actionable insights and fixes, given that no comment was incorporated, so that’s why I would reward it below 30 IDLE, but I would still want to grant Alex something for the time spent on this

In the future we should have a bounty range per reviewer starting from a smaller number eg 5 or 10

@Salome @emixprime we can proceede with bounties payment for this review

60 IDLE → 0x394495a3800d1504b5686d398836baefebd0c5b7
10 IDLE → 0xF9B2819B90697BE4f5D7AEF7AD9Cffe1f65e3d29

The bounties payment has been initiated and is waiting for the Pilot Leagues Signatures @8bitporkchop @emixprime @simoneconti @ETM612 @Teo

Payment completed:

@emilianobonassi Ethereum Transaction Hash (Txhash) Details | Etherscan

@AlexTheEntreprenerd Ethereum Transaction Hash (Txhash) Details | Etherscan

Thanks for this!