I recently discovered that Aave's Polygon Market is governed by an undocumented multisig admin key.
I requested information about this multisig from the Aave team.
The following reply was received:
I followed up immediately with these questions:
- Who are the signers?
- Are the signers Aave team members?
- What countries are the signers in?
- What power does the admin key hold?
- Can the admin key be used to drain funds if compromised?
I received no response to these questions, follow-ups or reminders to answer. Radio silence so far.
Current Facts and Assumptions:
- We know that Aave has a 3-of-5 admin key on its Polygon implementation.
- We do not know who the signers are.
- We do not know if 5 individuals hold the 5 signing keys uniquely.
- It is possible that 1 Aave team member holds all 5 keys.
- It is possible that this key can be used to severely compromise the Polygon market.
I'll post again if/when I receive an update, or if the team releases documentation on the multisig.