An archive of our post on the Aave Governance forum, published within our scope as a risk service provider.
This is an archive of our post on the Aave governance forum. Read the full thread here.
Update: A legacy function in the RSETHPool contract previously allowed the holder of the BRIDGER_ROLE to send all funds in the contract to itself and bridge the asset to L1. This posed a significant risk to users and the Aave DAO: a malicious takeover of the wallet holding that role could have rendered rsETH undercollateralized.
Following our communication with the Kelp DAO team, they have successfully addressed the identified concern by deploying a contract upgrade which deprecated the vulnerable function. We appreciate their swift response and commitment to protocol security.
- RSETHPool contract on Base, with BRIDGER_ROLE assigned to a 3/6 multisig, was upgraded.
- RSETHPool contract on Arbitrum, with BRIDGER_ROLE previously assigned to ProxyAdmin, was upgraded.
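To make the risk pattern described above concrete, here is a simplified, hypothetical illustration written for this archive. It is not the Kelp DAO RSETHPool source code: the contract names, the `bridgeAssets` function, the `IBridge` interface and the use of OpenZeppelin's `AccessControl` are all assumptions. It contrasts a legacy role-gated sweep, where a single role holder can move the pool's entire balance to itself on L1, with the post-upgrade shape in which that function is deprecated and always reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the RSETHPool source. Assumes OpenZeppelin
// AccessControl is available at this import path; all other names are invented.
import "@openzeppelin/contracts/access/AccessControl.sol";

// Hypothetical L2->L1 bridge entry point: bridges msg.value to `recipient` on L1.
interface IBridge {
    function bridgeToL1(address recipient) external payable;
}

// "Before": the legacy function. Any BRIDGER_ROLE holder can forward the
// contract's whole balance to the bridge with itself as the L1 recipient.
// The role holder is therefore a single point of failure for all pooled funds.
contract LegacyPool is AccessControl {
    bytes32 public constant BRIDGER_ROLE = keccak256("BRIDGER_ROLE");
    IBridge public immutable bridge;

    constructor(address admin, address bridger, IBridge _bridge) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(BRIDGER_ROLE, bridger);
        bridge = _bridge;
    }

    // Users deposit ETH into the pool (simplified: no accounting shown).
    receive() external payable {}

    // Legacy sweep: bridges the entire pool balance to the caller on L1.
    function bridgeAssets() external onlyRole(BRIDGER_ROLE) {
        uint256 amount = address(this).balance;
        bridge.bridgeToL1{value: amount}(msg.sender);
    }
}

// "After": the upgraded pool keeps the function selector for ABI compatibility
// but deprecates it, so no role assignment can drain the pool through it.
contract UpgradedPool is AccessControl {
    bytes32 public constant BRIDGER_ROLE = keccak256("BRIDGER_ROLE");
    IBridge public immutable bridge;

    error FunctionDeprecated();

    constructor(address admin, IBridge _bridge) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        bridge = _bridge;
    }

    receive() external payable {}

    // Deprecated: always reverts, regardless of caller or role.
    function bridgeAssets() external pure {
        revert FunctionDeprecated();
    }
}
```

The point for reviewers is in the role assignment as much as the code: with the legacy function live, the security of every depositor's funds reduces to whoever controls the BRIDGER_ROLE key (a 3/6 multisig on Base, a ProxyAdmin on Arbitrum in the post above). Removing the sweep path, rather than only tightening who holds the role, is what removes that dependency.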
![[ARFC] Onboard rsETH to Arbitrum and Base V3 Instances](https://llamarisk-cms.nyc3.cdn.digitaloceanspaces.com/09d09ab5-4d3b-4629-84c3-ea5704d18631.png)