[ARFC] Deploy a Crypto.com Aave v3 Instance

Oct 11, 2024

This is an archive of our post on Aave governance forum. Read the full thread here.

Following recent discussions with Crypto.com and signing an NDA, LlamaRisk provides additional information about cdcETH. This update clarifies previous concerns and offers a more comprehensive view of security measures and operational procedures.

Custody solution

We’ve reviewed an audit by a reputable firm (undisclosed due to NDA) confirming Crypto.com’s robust custody solution, which is compliant with SOC2 (Service Organization Control) Type 2, a year-long process that identifies:

  • Security controls against unauthorized access, mitigating system abuse, theft, fraud, data removal, software misuse, and information alteration

  • Quick detection of anomalies and incidents by monitoring staff

  • Established frameworks for responding to security breaches

The SOC2 Type 2 framework’s security controls and processes have been effectively designed and implemented to protect the custody solution. Security is the core of SOC2 compliance requirements.

Public repository

Crypto.com has made its cdcETH GitHub repository public. Key points:

  • Uses Circle’s Wrapped Token OS ERC20 format (like cbETH, USDC)

  • Identifies contract access controls and owner-changeable variables

  • Includes detailed contract architecture diagrams

  • Primary contract (FiatTokenProxy.sol) is functionally identical to other Wrapped Token OS tokens, with minor informational differences

MPC Address Custody Solution

Crypto.com uses a multistage contract interaction process, which, for security reasons, cannot be detailed. LlamaRisk reviewed the operational flow, which provides checks and balances to prevent unauthorized transactions. However, ownership of the Multi-Party Computation signer keys and adherence to these procedures cannot be independently verified. While an onchain Safe solution would be preferable, the reported efforts suggest good operational procedures.